Search results

IMS system

Yes, QA specialist may take overall responsibilities for IMS. So, the same rules will apply for quality, environment and health and safety.

You can find more information about documentation below:

• Some tips to make Document Control more useful for your QMS - https://advisera.com/9001academy/blog/2014/05/20/tips-make-document-control-useful-qms/
• Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/

ISO 28000 growth

Hi Rhand -  thanks for the response.  Yes, that is the article taht I was referring to.

I've been looking at the data on the ISO Survey and there is a spike in ISO28000 certifications from 2018 to 2019 from 617 certificates to 1,874 certificates.  The jump of 203% looks significant as in previous years it has been a 38% (2016-17) and 24% (2017-18). 

You do mention ISO 28000 in your first table of the article (Overview of the valid certfications worldwide), but you don't mention it in any subsequent tables.

If there's noinformation for reasons for growth, I think we can put it down to an increasing awareness of the importance of a resilient supply chain.

ISO 27001 certification

1. How long can the background preparation stage for ISO 27001 Certification take?

I’m assuming you are referring to the time for generating records before undergoing the certification audit.

Considering that, please note that ISO 27001 does not require the minimum period of records (i.e. minimum period of the ISMS operation before the certification), however, some certification bodies do have such requirements and some don't, so you should contact your certification body to confirm what criteria it applies.

This article may also help you:

• How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/

2. Can I make my own assessment in this regard without consulting the policies, regulations and expectations of the company directors?

Please note that such assessment is in fact the internal audit, a mandatory requirement for ISO 27001, so you need to perform it, and for this, you need to consult the applicable implemented policies, procedures, required regulations, and expectations of the company directors (these are essential elements to evaluate if the standard´s criteria are being fulfilled).

These articles will provide you a further explanation about internal audit:

• How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
• How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

This material can help you organize and perform an internal audit:

• ISO 27001/ISO 22301 Internal Audit Toolkit https://advisera.com/27001academy/iso-27001-22301-internal-audit-documentation-toolkit/

These materials will also help you regarding internal audit and certification:

• Preparing for ISO Certification Audit: A Plain English Guide https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/
• ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
• Free online training ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

Control A.8.3

Templates which cover controls from section A.8.3 are:

• Information Classification Policy, located in folder 08 Annex A Security Controls >> A.8 Asset Management
• Disposal and Destruction Policy, located in folder 08 Annex A Security Controls >> A.11 Physical and Environmental Security
• Security Procedures for IT Department, located in folder 08 Annex A Security Controls >> A.12 Operations Security

By the way, included in your toolkit, there is a List of documents file which maps which controls and requirements of the standard are covered by each template in the toolkit.

OCP Control Method

I think OCP stands for Operational Control Procedures. So, OCP in shop floor seems to be Operational Control Procedures used in shop floor to improve environmental aspects management and control. For example, Operational Control Procedures about segregating wastes correctly, or about good practices to minimize energy or water consumption. OCP Control Method can be, I guess, about procedure control: approval, distribution, updating, obsolete removal.

You can find more information below:

• Defining and implementing operational control in ISO 14001:2015 - https://advisera.com/14001academy/blog/2016/04/11/defining-and-implementing-operational-control-in-iso-140012015/140012015/
• Seven elements to control documents in the EMS - https://advisera.com/14001academy/blog/2014/12/10/seven-elements-control-documents-ems/
• Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
• Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/

Info su pseudonimizzazione

Grazie

Asset metrics

We are not experts in this specific industry, but for small and midsized business all over the world, this template has helped them to identify assets for their ISO 27001 ISMSs:

• Inventory of Assets https://advisera.com/27001academy/documentation/inventory-of-assets/

This article will provide you a further explanation about managing assets:

• How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

These materials will also help you regarding managing assets:

• ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
• Asset List for ISO 27001 Risk Assessment (MS Word) https://info.advisera.com/27001academy/free-download/asset-list-for-iso-27001-risk-assessment/

Backup policy

ISO 27001 does not prescribe responsibilities about backup, so organizations are free to define them as best fulfill their needs.

Considering that, for defining the responsibilities for the backup process, you should analyze potential risks (e.g., lack of knowledge, human error, sabotage, etc.), and applicable legal requirements (e.g., laws, regulations, and contracts), to identify how responsibilities should be defined.

For example, through risk analysis, you may find that there are no relevant risks if the DBA is responsible for taking and storing the Backup, but you may have a contract with a client that defines a different role to be responsible for the backup process (e.g., the backup should be performed and managed by a system administrator).

To see how a backup policy compliant with ISO 27001 looks like, please access the demo template at this link: https://advisera.com/27001academy/documentation/backup-policy/

These articles will provide you a further explanation about defining responsibilities:

• How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
• Segregation of duties in your ISMS according to ISO 27001 A.6.1.2 https://advisera.com/27001academy/blog/2016/11/21/segregation-of-duties-in-your-isms-according-to-iso-27001-a-6-1-2/

These materials will also help you regarding the definition of responsibilities:

• ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
• Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
• ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Function segregation matrix in a small company

Existem duas formas comuns de se formalizar a segregação de funções, dependendo da forma como a organização gerencia seus processos:

• Caso a organização não possua processos documentados (ex.: por meio de políticas e procedimentos), você pode usar um único documento identificando os processos e as etapas a serem segregadas. Por exemplo: No processo de “Gestão de documentos”, o cargo A elabora documentos e o cargo B aprova documentos, e no caso de um processo de “Compras”, o cargo C solicita materiais e o cargo D aprova as solicitações.
• Caso a organização possua processos documentados, ela pode definir a segregação de funções diretamente nas políticas e procedimentos necessários.

Para mais informações sobre segregação de funções, leia:

• Segregação de funções em seu SGSI de acordo com a ISO 27001 A.6.1.2 https://advisera.com/27001academy/pt-br/blog/2016/11/23/segregacao-de-funcoes-em-seu-sgsi-de-acordo-com-a-iso-27001-a-6-1-2/

Este material também pode ajudar a entender como implementar a segregação de funções:

• ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/