I understand that you are referring to the survey of legal requirements for ISO 27001.
Considering this, although the type of information to be collected to meet the requirements of section 4 (Context of the organization) is basically the same for ISO 9001 and ISO 27001 (for example, the legal requirement, the person responsible for it, the date by which the requirement must be met, etc.), and therefore, if the spreadsheet provided by your consultancy complies with ISO 9001 it also complies with ISO 27001, quality requirements are very different from information security requirements.
For example, for ISO 27001 the requirement would be to comply with the LGPD, while for ISO 9001 the requirement would be compliance with some regulation related to manufacturing. Therefore, it would be better to list the legal, regulatory and contractual requirements in separate documents for ISO 27001 and for ISO 9001.
To see what a document listing the legal requirements for ISO 27001 looks like, I suggest you take a look at the demo of the "Lista de obrigações legais, regulamentares, contratuais e outras" (List of legal, regulatory, contractual and other obligations) template at this link: https://advisera.com/27001academy/pt-br/documentation/anexo-lista-de-obrigacoes-estatutarias-regulamentares-contratuais-e-outras/
For more information, see:
Most regulations and industry practices do not define any specific distance to recovery sites, because many factors can affect what would be considered a “safe” distance (e.g., type of disaster, access to public services, risk level, etc.). From our experience, we suggest you start a discussion about the distance of the DR site by suggesting a distance between 30 miles (50 kilometers) and 100 miles (160 kilometers) away from your primary location, and from that analyze your organization's context (geographic situation, available resources, required investment, etc.).
This article will provide you with a further explanation about the distance of the recovery site:
This material will also help you regarding the distance of the recovery site:
Below I list a set of articles about what ISO 14001 is, what its benefits are for several interested parties, and how to implement it. ISO 14001 is about improving the organization's relationship with the environment through a systematic approach to its environmental aspects and impacts. That is why I added an article on aspects and their evaluation. Perhaps you can enroll in our free ISO 14001:2015 Foundations Course. During that course, you will be provided with suggestions for articles, templates, and other materials that can introduce you to ISO 14001.
Please check the information below for a more detailed answer:
In fact, changes in the ISMS scope are quite common, and your organization can perform this change in the ISMS scope. The ISMS scope can be defined as the whole organization, or as part of it (in terms of locations, departments or processes), and the scope can increase or decrease in size according to the organization's needs.
These articles will provide you with a further explanation about the scope definition:
This material will provide you with a further explanation about the scope definition:
Although the ISO 27001:2013 standard does not define the terms ‘needs’ and ‘expectations’ when it talks about the needs and expectations of interested parties, it is helpful to think of them in this way. Needs are those things that interested parties have clearly stated or written down, such as a law that you need to meet (e.g., GDPR), or an information security requirement in a contract. Expectations are the unwritten things that the interested parties reasonably assume you will do, such as accurate tracking of information to meet those laws or timely addressing information security incidents when they occur.
You can learn more about the requirement in this article:
ISO 27001 does not prescribe how to document your information security policies, so organizations are free to document them as they see fit.
The general practice is to have information security policies as internal operational documents, and to include only references to them in contracts, as contractual clauses.
This article will provide you with a further explanation about documenting policies and developing employment contracts:
After the warranty complaint is received by the dealer, if the problem is within the warranty scope and is not related to end-user (driver/passenger) error, the subject and the faulty part should be forwarded to the relevant automotive OEM company. Especially if it is an issue where the faulty part relates to driver and vehicle safety, a much faster reaction must be shown.
Depending on the situation, either a part replacement or a temporary vehicle supply is provided. Based on the investigation result of the OEM company, the customer must be answered in writing.
Generally, this process is carried out by departments such as after-sales service.
IATF 16949 rules have no defined time frame for the transition from ISO 9001:2015 to IATF 16949:2016. When the organization is ready according to IATF 16949:2016, it must take the stage 1 audit and, if the result is ‘ready’, then start the stage 2 audit, which is the main audit, within 90 days after the stage 1 audit. In my experience, a firm that effectively implements ISO 9001:2015 will be ready for the IATF 16949:2016 audit with 6 months of work.
For more information, this article might be useful:
According to the IATF 16949:2016 standard, any documented information should be under control. As you know, documented information includes all kinds of records, such as procedures, instructions, control plans, processes, training records, job descriptions, etc.
My advice is to create a form number and a revision number for the to-do list, so that everyone in the organization can use the same to-do list.
Thus, the to-do list becomes a controlled document.
ISO 27001 does not provide specific controls for cloud computing, but you can adopt and adapt some of its controls for cloud computing.
For example, you can use control A.8.3.2 Disposal of media (which states that media must be disposed of in a secure and formal way when no longer required), considering the virtual machine as "media".
For specific recommendations about cloud computing, you can consult ISO 27017 and ISO 27018, which provide specifics applicable to cloud computing regarding controls from ISO 27001 Annex A.
These articles can provide you with more details on data disposal in ISO 27001:
These articles will provide you with a further explanation about ISO 27017 and ISO 27018: