I understand that you are referring to the list of legal requirements for ISO 27001.
Considering that: although the type of information to be gathered to fulfill the requirements of section 4 (Organization Context) is basically the same for ISO 9001 and ISO 27001 (e.g., the requirement, the responsible person, the due date, etc.), meaning that if the spreadsheet provided by your consultancy is compliant with ISO 9001 it also complies with ISO 27001, the requirements for quality are very different from the requirements for information security.
For example, for ISO 27001 the requirement would be to comply with LGPD, whereas for ISO 9001 the requirement would be to comply with some manufacturing-related regulation. So it would be better to list the legal, regulatory, and contractual requirements in separate documents for ISO 27001 and for ISO 9001.
To see what a document that lists the legal requirements for ISO 27001 looks like, I suggest you take a look at the free demo of our List of Legal, Regulatory, Contractual and Other Requirements at this link: https://advisera.com/27001academy/documentation/list-of-legal-regulatory-contractual-and-other-requirements/
This article will provide you with a further explanation about the identification of requirements:
I understand that you are referring to the survey of legal requirements for ISO 27001.
Considering that: although the type of information to be collected to meet the requirements of section 4 (Context of the organization) is basically the same for ISO 9001 and ISO 27001 (for example, the legal requirement, the person responsible for it, the date by which the requirement must be met, etc.), meaning that if the spreadsheet provided by your consultancy complies with ISO 9001 it also complies with ISO 27001, the quality requirements are very different from the information security requirements.
For example, for ISO 27001 the requirement would be to comply with the LGPD, whereas for ISO 9001 the requirement would be compliance with some manufacturing-related regulation. Therefore, it would be better to list the legal, regulatory, and contractual requirements in separate documents for ISO 27001 and for ISO 9001.
To see what a document that lists the legal requirements for ISO 27001 looks like, I suggest you take a look at the demo of the template List of legal, regulatory, contractual and other obligations at this link: https://advisera.com/27001academy/pt-br/documentation/anexo-lista-de-obrigacoes-estatutarias-regulamentares-contratuais-e-outras/
For more information, see:
Most regulations and industry practices do not define any specific distance to recovery sites, because many factors can affect what would be considered a “safe” distance (e.g., type of disaster, access to public services, risk level, etc.). From our experience, we suggest you start a discussion about the distance of the DR site by suggesting a distance between 30 miles (50 kilometers) and 100 miles (160 kilometers) away from your primary location, and from that analyze your organization's context (geographic situation, available resources, required investment, etc.).
This article will provide you with a further explanation about the distance of the recovery site:
This material will also help you regarding the distance of the recovery site:
Below I list a set of articles about what ISO 14001 is, what its benefits are for several interested parties, and how to implement it. ISO 14001 is about improving the organization's relationship with the environment through a systematic approach to its environmental aspects and impacts. That is why I added an article on aspects and their evaluation. Perhaps you can enroll in our free ISO 14001:2015 Foundations Course. During that course, you will be provided with suggestions for articles, templates, and other materials that can introduce you to ISO 14001.
Please check the information below for a more detailed answer:
In fact, changing the ISMS scope is quite common, and your organization can perform this change in the ISMS scope. The ISMS scope can be defined as the whole organization, or as part of it (in terms of locations, departments or processes), and the scope can increase or decrease in size according to the organization's needs.
These articles will provide you with a further explanation about the scope definition:
This material will provide you with a further explanation about the scope definition:
Although the ISO 27001:2013 standard does not define the terms ‘needs’ and ‘expectations’ when it talks about the needs and expectations of interested parties, it is helpful to think of them in this way. Needs are those things that interested parties have clearly stated or written down, such as a law that you need to meet (e.g., GDPR), or an information security requirement in a contract. Expectations are the unwritten things that the interested parties reasonably assume you will do, such as accurate tracking of information to meet those laws or timely addressing information security incidents when they occur.
You can learn more about the requirement in this article:
ISO 27001 does not prescribe how to document your information security policies, so organizations are free to document them as they see fit.
The general practice is to have information security policies as internal operational documents, and to include only references to them in contracts, as contractual clauses.
This article will provide you with a further explanation about documenting policies and developing employment contracts:
After a warranty complaint is received by the dealer, if the problem is within the warranty scope and is not related to end-user (driver/passenger) error, the issue and the faulty part should be forwarded to the relevant automotive OEM company. Especially if it is an issue where the faulty part is related to driver and vehicle safety, a much faster reaction must be shown.
Depending on the situation, either a part replacement or a temporary vehicle is provided. According to the investigation result of the OEM company, the customer must be answered in writing.
Generally, this process is carried out by departments such as after-sales services, etc.
IATF 16949 rules have no defined time frame for the transition from ISO 9001:2015 to IATF 16949:2016. When the organization is ready according to IATF 16949:2016, it must take the stage 1 audit and, if the result is ‘ready’, start the stage 2 audit, which is the main audit, within 90 days after the stage 1 audit. In my experience, a firm that effectively implements ISO 9001:2015 can say it will be ready for the IATF 16949:2016 audit with 6 months of work.
For more information, this article might be useful:
According to the IATF 16949:2016 standard, any documented information should be under control. As you know, documented information includes all kinds of records, such as procedures, instructions, control plans, processes, training records, job descriptions, etc.
My advice is to create a form number and a revision number for the to-do list so that everyone in the organization can use the same to-do list.
Thus, the to-do list becomes a controlled document.