Search results

Gantt chart as a project plan for the ISO 27001 project

Since most of our customers are small businesses, they found the steps defined in the toolkit folders as enough for running a project, and in most cases doing these steps in sequence (without overlapping them) has proved to be satisfactory.

Unfortunately, we do not have a template for the Gantt chart, but here are some free materials that can help you develop such a document: 

• Diagram of EU GDPR & ISO 27001 integrated implementation  https://info.advisera.com/eugdpracademy/free-download/diagram-of-eu-gdpr-and-iso-27001-integrated-implementation  
• Project checklist for ISO 27001 implementation https://info.advisera.com/27001academy/free-download/project-checklist-for-iso-27001-implementation
• Project checklist for EU GDPR implementation https://info.advisera.com/eugdpracademy/free-download/project-checklist-for-eu-gdpr-implementation

Annex SL 27001 or annex A 27001

Please note that there is no ISO document called "Annex SL 27001". ISO 27001 standard has only one annex, called Annex A.

The Annex SL is a section of the ISO/IEC Directives part 1 that prescribes how the ISO Management System Standard (MSS) standards should be written.

Considering that, for network security, you need to use annex A from ISO 27001.

These  articles will provide you a further explanation about ISO 27001 Annex A and network security controls:

• A quick guide to ISO 27001 controls from Annex A https://advisera.com/27001academy/iso-27001-controls/
• How to manage network security according to ISO 27001 A.13.1 https://advisera.com/27001academy/blog/2016/06/27/how-to-manage-network-security-according-to-iso-27001-a-13-1/

These materials will also help you regarding ISO 27001 Annex A:

• ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
• ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

ISO27001& ISO22301, GDPR and PCI-DSS

Thank you for your rely. If I understand the best is to teach them the new rocedures and policies then later on prepare for certify the company. 

Defining the Scope

You can define the scope of your ISMS as the data in the data center, but you need to state in the scope that this data is accessed by third-party, so this information can be used in the risk assessment and risk treatment process (from there you can define how to treat risks related to third-party accessing the data, normally by means of security clauses in contracts, agreements or terms of service).

These articles will provide you a further explanation about the scope definition supplier security:

• How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
• 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

ISO 9001 and response time to customer complaints

ISO 9001:2015 does not define a response time to resolve customer complaints. What is expected is that complaints are resolved without undue delay. 
For example, I’m working as a consultant with a manufacturing company that was finally able to close a complaint after more than 3 months last month. They had to wait for lab test results that took a lot of time to be received.

The following material will provide you more information:

• ISO 9001 – Effective complaints management in a QMS - https://advisera.com/9001academy/blog/2014/09/16/effective-complaints-management-qms/
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• ISO 9001:2015 Documentation Toolkit - https://advisera.com/9001academy/iso-9001-documentation-toolkit/ may be useful
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

Organization structure chart

If by organization structure chart you mean a drawing representing authority relationship in an organization, you must be aware that ISO 9001:2015 has no requirement for the existence of an organization chart. Also, ISO 9001:2015 has no mandatory requirements for procedures. ISO 9001:2015 has no mandatory procedures. Please check this article - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/

Auditing an organization requires checking evidences from reality against audit criteria. As audit criteria you will have ISO 9001:2015 requirements and any internal rules and procedures, written or not written according to clause 4.4.2.

You can start your audit preparation by asking the organization its mandatory documents and a list of internal rules or procedures. If the organization has nothing, perhaps it is best to perform a Gap Analysis instead of an internal audit.

You can find more information below:

• Gap analysis vs. internal audit in ISO 9001 - https://advisera.com/9001academy/blog/2015/02/17/gap-analysis-vs-internal-audit-iso-9001//
• Free Gap Analysis Tool - https://advisera.com/9001academy/iso-9001-gap-analysis-tool/
• ISO 9001 Audit Checklist - https://advisera.com/9001academy/knowledgebase/iso-9001-audit-checklist/
• How to create a checklist for an ISO 9001 internal audit for your QMS - https://advisera.com/9001academy/blog/2016/07/12/how-to-create-a-check-list-for-an-iso-9001-internal-audit-for-your-qms/ 
• Free webinar on demand - How to perform an ISO 9001:2015 internal audit - https://advisera.com/9001academy/webinar/how-to-perform-an-iso-9001-2015-internal-audit-free-webinar-on-demand/
• ISO 9001:2015 Lead Auditor Training Course - https://advisera.com/training/iso-9001-lead-auditor-course/
• ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/
   

Workplace hazards

The current pandemic illness that is affecting people world wide is certainly a hazard that needs to be taken into account in the hazard assessment for the processes in a company. As such it can be considered an OH&S hazard, and should be included in updated process controls for working processes.

You can learn more about the hierarchy of controls in the article: 5 levels of hazard controls in ISO 45001 and how they should be applied, https://advisera.com/45001academy/blog/2015/09/02/5-levels-of-hazard-controls-in-iso-45001-and-how-they-should-be-applied/

Linking ISO 45001 to data management

Since ISO 45001 aligns with all the other ISO management system documents you will find the same requirements for controlling documented information in clause 7.5. The requirements here give requirements for controlling procedures and records as well as archiving, and are the same as other standards such as ISO 9001 and ISO 14001. As such you can have one process for documentation control for all management system standards.

You can read more about the documentation requirements changes in the article: New approach to ISO 145001 documentation, https://advisera.com/45001academy/blog/2018/03/13/new-approach-to-iso-45001-documentation/

Confidentiality, Integrity, and Availability

Please note that ISO 27001 specifies that the CIA is related to risks (6.1.2 c 1), and to consequences (6.1.2 d 1), not to assets. Considering that, when using asset-based Risk Assessment, you need to consider the CIA on the asset-threat-vulnerability set, and to consequences related to it.

When you talk about a risk-based Risk Assessment approach, I'm assuming you are referring to the description of a risk scenario (scenario-based). In this case, the CIA must refer to the described scenario and related consequences, while that in a process-based Risk Assessment approach the CIA must refer to the defined process and related consequences.

For example:

• For asset-based:  paper document - fire - the document is not stored in a fire-proof cabinet (affects availability)
• For scenario-based: Data leak with impact on regulatory compliance occurring once every five years (affects confidentiality)
• For process-based: Payment process failure, resulting in people receiving wrong values (affects integrity)

For further information, see:

• ISO 27001 risk assessment: How to match assets, threats, and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

Data to information

Some examples of data being converted to information can be:

Product quality control results after comparing them with specifications become conforming or non-conforming products.
Design and development verification results after comparing with specifications become conforming or non-conforming designs.

So, data is about facts related with something. Facts are neutral. Then, after comparing facts with some rules, they acquire meaning. They become data.

You can find more information below:

• Analysis of data obtained from Monitoring and Measurement - https://advisera.com/9001academy/blog/2014/04/22/analysis-data-obtained-monitoring-measurement/
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/