Search results

ISO Standard for KYC

I’m assuming that by KYC you mean “Know Your Customer”, a set of processes that allow banks and other financial institutions to confirm the identity of the organizations and individuals they do business with, and ensure those entities are acting legally.

From that perspective, we do not see a need for financial institutions to use ISO 27001 (nor any other standard from the ISO27k series) for the KYC process.

For further information, see:

• What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/

• Gap analysis

  En primer lugar, es importante tener en cuenta que el kit de herramientas proporciona todos los pasos y documentos para la implementación, y la mejor manera para usted es seguir la lógica del kit de herramientas.

  Teniendo en cuenta eso, puede usar los resultados del análisis de brechas para decidir qué controles priorizar (una vez que comience a trabajar en la carpeta Plan de implementación), pero el análisis de brechas, en general, no es necesario para las organizaciones pequeñas, porque el esfuerzo para realizarlo no aporta una ventaja significativa al proceso de implementación (es mejor realizar la evaluación de riesgos durante la implementación).

  Tenga en cuenta que se utiliza un análisis de brechas para evaluar su situación actual con respecto a los requisitos de ISO 27001, por lo que puede usarlo ahora mismo. En este momento, el análisis de brechas le dará una idea del esfuerzo para implementar el estándar.

  Para obtener más información, consulte:

  • ISO 27001 gap assessment vs risk assessment https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#section20

• Internal Audit and Statement of Applicability

  Thanks for your response. Regarding my second question, it was more about the Statement of Applicability. Having completed the Risk Treatment process and selected which controls we want to implement, is the idea that we then go into the Statement of Applicability to ONLY justify the controls we have said yes to? Do the two documents need to correlate essentially?

  Answer: Your assumption is partially correct. The Risk Treatment Table and the Statement of Applicability (SoA) documents are indeed correlated, but in the SoA, besides the justifications for the controls you deem applicable, you also need to justify the exclusion of controls you do not apply, and if applicable controls are implemented or not.

  For example, if I find a control on the Statement of Applicability and think there's a place to implement that control in our ISMS, do I need to go back into the Risk Treatment and find which risk that would be applicable to and note it down?

  Answer: No, there is no need to go back to the Risk Treatment Table. In other words, in the Statement of Applicability you can select controls as applicable without having a reference to a particular risk.

• Documented processes

  Please note that ISO 27001 does not require all processes included in the ISMS scope to be documented. Unless a process is specifically required by the standard (e.g. Risk assessment and risk treatment process in clause 6.1.2), or the organization states that it needs to be documented, then you do not need to document it.

  For further information, see:

  • List of mandatory documents according to the ISO 27001 2022 revision https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-revision

• Gap analysis question

  First is important to note that the toolkit provides all the steps and documents for the implementation, and the best way for you is to follow the logic of the toolkit.

  Considering that, you can use the results of the gap analysis to decide which controls to prioritize (once you start working on the folder Implementation Plan), but gap analysis, in general, is not required for small organizations, because the effort to perform it does not bring a significant advantage to the implementation process (it is better to perform the risk assessment during the implementation).

  Please note that a gap analysis is used for you to assess your current situation regarding ISO 27001 requirements, so you can use it right now. At this time the gap analysis will give you an understanding of the effort to implement the standard.

  For further information, see:

  • ISO 27001 gap assessment vs risk assessment https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#section20

  • How to know if you can apply for ISO 14001 certification?

    Yes, you can.

    Your organization can apply for certification once you have an implemented environmental management system (EMS) in place. Your organization knows how it interacts with the environment, knows the compliance obligations, sets EMS objectives (results you want to achieve, undesired results you want to avoid, like accidents, and compliance with compliance obligations), and works to achieve them and to maintain what already works.

    To get more information, please check:

    • List of ISO 14001 implementation steps - https://advisera.com/14001academy/knowledgebase/list-of-iso-14001-implementation-steps/
    • 5 elements of a successful ISO 14001 project - https://advisera.com/14001academy/blog/2015/03/23/5-elements-of-a-successful-iso-14001-project/
    • ISO 14001 Foundations Course - https://advisera.com/training/iso-14001-foundations-course/

  • Laboratory Certifications for ISO9001 and 17025

    Both ISO 9001 and ISO 17025 are quality management systems. ISO 9001 is focussed on the quality of service delivery while ISO 17025 focus is on technical competency. ISO 7025 and ISO 9001 are assessed by different bodies. An accreditation body assesses the performance and awards ISO 17025 accreditation to laboratories that show competence to produce consistent valid test or calibration results. Certification bodies audit organisations and award ISO 9001 certification if the QMS requirements are met. This typically includes non laboratory departments, for example finance, procurement and Human resources. If the laboratory is not seeking ISO 17025 accreditation, they can apply for ISO 9001 certification, however it does not provide confidence in the technical competence of the laboratory. If the customer requires the organisation as a whole to be ISO 9001 certified, with ISO 17025 accreditation for the laboratory, the management of the systems can be integrated with common approaches to for example, complaints and risk analysis; however the assessments will be separate.

    For more information on the purpose of ISO 17025 as well as Option A and B for laboratories, see https://community.advisera.com/topic/completing-implementation/  and the articles  
    ISO 17025 vs. ISO 9001 – Main differences and similarities at https://advisera.com/17025academy/blog/2019/07/11/iso-17025-vs-iso-9001-main-differences-and-similarities/
    What is ISO 17025? at https://advisera.com/17025academy/what-is-iso-17025/ and the white paper
    Clause-by-clause explanation of ISO 17025:2017 available at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025

  • Writing laboratory document and record control procedure

    Documents and records need to be designed, authored and controlled to be suitable to hold valuable data and information. When you write the procedure for this activity, understand the requirements in clauses 8.3, 8.4, 7.5 and 7.11 first. Then depending on the platform you will use, for example Microsoft Office (Word and Excel), SharePoint, commercial LIMS or other, document the specific process to be followed in the laboratory.

    For more information and the availability of toolkit documents and resources from Advisera, see a similar question and answer at https://community.advisera.com/topic/document-and-record-control-procedure-means-what-are-the-procedure-will-include/

  • The differences between actions, processes, and procedures according to ISO 14001

    Actions are what we do. For example, we monitor energy consumption. We segregate wastes. We prevent environmental emergencies.

    A process is a set of interrelated actions that work together to convert inputs into outputs. For example, we manage waste. We monitor environmental performance.

    Procedures are documents specifying the way to carry out an activity or a process. A procedure is about the what, the who, the when, and sometimes the how (most of the time the how is in a specific kind of documentation called work instruction.

  • Question for assignment

    1 - For instance, in documents like SECURITY PROCEDURES FOR IT DEPARTMENT and IT SECURITY POLICY, record names, storage locations, etc. must be specified. So my concern is, how will it be if we are progressing with IT Security policy and have to write the same document name in the record name? According to my understanding, if we define a record name, there would be various documents pointing to that procedure. Let me know briefly what we can write, please.

    Please note that even if the document and record have the same name, for Conformio they are different items (one is type “policy/procedure”, and the other is type “record”), so Conformio will know how to handle them and will make the pointing the right way.

    2 - The situation you presented is very unusual, because a record related to a document in general refers to a specific action described in the document, and would not include the name of the type of the document. For example, for the “Backup Policy” you would have a record named “backup record” or “restoration record”

    Another concern is that we don't use antivirus software, yet the IT Security Policy has a section about it. "What should we say in that section if our company doesn't use antivirus software?

    Please note that this section related to antivirus software will appear in the IT Security Policy only in case you have a relevant risk treated by control A.8.7 Protection against malware.

    So, you need to review your Statement of Applicability to see if control A.8.7 is stated as applicable and reassess any related risks so they do not require to be treated by this control anymore.

    3 -If you could clarify my confusion regarding the fact that the record name here in the secure development policy prepopulates the information for the record name and also shows the procedure for secure information system engineering and testing plan for security requirements and system acceptance, will we still need to create these documents on our own? How will the records be created?

    This question is related to Section 4 in security development policy document

    Your understanding is correct. You will need to create the documents (the record name in Conformio only identifies what they exist in your environment and what they are called).

    These documents need to be created manually by the user. Since such information is very specific for each organization, it is unfeasible to provide a template that can fit the organization's needs.

    In case you are having difficulties in developing such documents, you can schedule a meeting with one of our experts, and he will help you develop them.