Search results

The differences between actions, processes, and procedures according to ISO 14001

Actions are what we do. For example, we monitor energy consumption. We segregate wastes. We prevent environmental emergencies.

A process is a set of interrelated actions that work together to convert inputs into outputs. For example, we manage waste. We monitor environmental performance.

Procedures are documents specifying the way to carry out an activity or a process. A procedure is about the what, the who, the when, and sometimes the how (most of the time the how is in a specific kind of documentation called work instruction.

Question for assignment

1 - For instance, in documents like SECURITY PROCEDURES FOR IT DEPARTMENT and IT SECURITY POLICY, record names, storage locations, etc. must be specified. So my concern is, how will it be if we are progressing with IT Security policy and have to write the same document name in the record name? According to my understanding, if we define a record name, there would be various documents pointing to that procedure. Let me know briefly what we can write, please.

Please note that even if the document and record have the same name, for Conformio they are different items (one is type “policy/procedure”, and the other is type “record”), so Conformio will know how to handle them and will make the pointing the right way.

2 - The situation you presented is very unusual, because a record related to a document in general refers to a specific action described in the document, and would not include the name of the type of the document. For example, for the “Backup Policy” you would have a record named “backup record” or “restoration record”

Another concern is that we don't use antivirus software, yet the IT Security Policy has a section about it. "What should we say in that section if our company doesn't use antivirus software?

Please note that this section related to antivirus software will appear in the IT Security Policy only in case you have a relevant risk treated by control A.8.7 Protection against malware.

So, you need to review your Statement of Applicability to see if control A.8.7 is stated as applicable and reassess any related risks so they do not require to be treated by this control anymore.

3 -If you could clarify my confusion regarding the fact that the record name here in the secure development policy prepopulates the information for the record name and also shows the procedure for secure information system engineering and testing plan for security requirements and system acceptance, will we still need to create these documents on our own? How will the records be created?

This question is related to Section 4 in security development policy document

Your understanding is correct. You will need to create the documents (the record name in Conformio only identifies what they exist in your environment and what they are called).

These documents need to be created manually by the user. Since such information is very specific for each organization, it is unfeasible to provide a template that can fit the organization's needs.

In case you are having difficulties in developing such documents, you can schedule a meeting with one of our experts, and he will help you develop them.

Performing work outside scope

Excellent response, very well written, clear and concise.  Thank you for your support!  

KPI project management / engineering IATF

As a requirement of ISO 9001:2015 and IATF 16949:2016, you must put at least one or two KPIs in each process. It would be better if there are KPIs that are important for you and related to the process in these KPIs.

The IATF 16949:2016 standard does not specifically specify that there will be KPIs. Customer satisfaction, it requires the monitoring of features such as quality, shipment, and premium freight.

It is also desirable to follow the cost of poor quality trend.

But especially organizations usually follow the below KPIs.
In the production process; Targets such as OEE, internal scrap, failure rate, compliance with the production plan, and efficiency are followed.

In the logistics process, points such as on-time shipment, premium freight, and shipping complaints should be followed.

During the production process, KPIs such as customer ppm, internal ppm, scrap, rework, repair rates, compliance with the calibration plan, compliance with the inspection plan, and cost of poor quality are generally monitored. 

Change Management Document

 For more detailed documentation for change management, I suggest you take a look at the templates in this toolkit that are compliant with ISO 20000 (the ISO standard for the management of IT services): https://advisera.com/20000academy/itsm-change-management-toolkit/

• Change Management Process
• Request for Change and Change Record
• Minutes of Meeting CAB
• Change Schedule

They can be used in an ISMS, but they are not mandatory for ISO 27001 compliance.

Statement of Applicability

You need to go through all controls listed in Annex A and explain why we have (or haven't) decided to implement them.

Please note that according to ISO 27001, the following information must be included in the SOA:

• All applied controls
• Justification for inclusions
• Implementation status
• Justification for exclusions of controls from Annex A

You can also add information you consider relevant to help manage the ISMS (e.g., a brief description of how the control is implemented).

For further information, see:

• The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

Independent Contractor Contact

1: How do I as an individual convince companies to take up my services as an ISMS expert individual contractor

 Basically, you need to demonstrate to them how you can add value to their business:

•  How your experience and skills can help them improve information security
• How well you are recognized in the market from previously delivered services (i.e., reference customers) and support to the community (through presentations, publications, training, etc.),
• How well do you know customers’ industries

For more information, see:

• 5 criteria for choosing an ISO 22301 / ISO 27001 consultant https://advisera.com/27001academy/blog/2013/03/25/5-criteria-for-choosing-a-iso-22301-iso-27001-consultant/
• How To Sell ISO Consulting Services [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-sell-iso-consulting-services-free-webinar-on-demand/

2: if I'm ISMS expert working on my own how do I convince companies to take me on as an Independent contractor

The same answer from the previous answer applies to this question also.

Risk Treatment - Selection Of Controls

In case you want to implement additional controls to treat risk, then you need to duplicate the risk line so you can assign a new control. You need to do that for each additional control you want to use to treat the same risk.

By the way, included in your toolkit you have access to a video tutorial that can guide you on how to perform the Risk Treatment.

For further information, see:

• Risk treatment https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment

Scope of work

You can define the scope in terms of only part of the organization (i.e., IT department), but in general, for small and mid-sized businesses, the best approach is to include the entire organization in the ISMS scope, because the effort to separate the scope for such organizations may not be worthy.

These articles will provide you with further explanation about the scope definition:

• How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
• Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

These materials will also help you regarding the scope definition:

• How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
• Tool for defining the ISO 27001 ISMS scope https://advisera.com/insight/chatbot-tool-iso-27001-scope/

Regarding implementation time, it may take a couple of months for smaller companies and up to more than a year for larger organizations. You can use these values as an initial reference:

• Companies of up to 20 employees – up to 3 months
• 20 to 50 employees – 3 to 5 months
• 50 to 200 employees – 5 to 8 months
• More than 200 employees – 8 to 20 months

For further information, see:

• Time, effort, and roles for the implementation https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/#effort

Updating to ISO 27001:2022

It is possible to make the transition from an initial ISO 27001:2013 implementation project to the 2022 version of the standard to be certified against ISO 27001:2022.

For that you will need to:

• Review your mandatory documentation according to the mandatory clauses of the standard (this will require less effort because changes in the main section of the standard were minimal)
• Review your Risk Treatment results to adjust controls IDs to the new ID settings, and evaluate if new controls from the 2022 version are applicable to your organization
• Review your documents related to the treatment of risks

For further information, see:

• ISO 27001 2013 vs. 2022 revision – What has changed? https://advisera.com/27001academy/blog/2022/02/09/iso-27001-iso-27002/
• Detailed explanation of 11 new security controls in ISO 27001:2022 https://advisera.com/27001academy/knowledgebase-category/iso-27001-implementation/

This material can help you:

• ISO 27001 2022 Transition Toolkit https://advisera.com/27001academy/iso-27001-transition-toolkit