Search results

Home / Search

Category:
Select
Select

11277 results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • ISO 9001:2015 Risk-based Thinking (A.4)

    First, ISO 9001:2015 has no mandatory requirements concerning risks and opportunities – please check this article - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/ . So, whatever the method used by your organization to document your risk assessment is valid if it suits your needs. Having said that, beware that a risk is not necessarily a nonconformity. Following ISO 9001:2015, I recommend organization to determine risks and opportunities around three areas:

    • Around the business, when considering clauses 4.1 and 4.2 according to clause 6.1 – please check slide about “Intended results” in our free webinar on demand - How to implement risk management in ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar-on-demand//
    • Around products and services, when considering clause 5.1.2 b) - please check slide about “Products and services” in the same free webinar on demand
    • Around processes, when considering clause 4.4.1 f) - - please check slide about “Processes” in the same free webinar on demand 

    A common way to document the risk assessment is to use a Risk Register – please check the sample from our Documentation Toolkit - ISO 9001 document template - Registry of Key Risks and Opportunities - https://advisera.com/9001academy/documentation/registry-of-key-risks-and-opportunities/

    I take the liberty of recommending my book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ - with a strong focus on the risk-based thinking.

  • Is registrar remote audit for surveillance or recertification audits allowed?

    I have a question regarding the registrar remote audits for the surveillance or recertification audits. IATF does not allow remote audits but I believe the ISO community does. is this correct?

    Yes, correct. IATF does not allow any remote audit. 

    Also, my question points out to the risk of companies to lose the certification due to Covid 19 - impossibility to be audited and certified. Is any rule as in IATF for extended the current certificate?

    ‘’IATF Global Waivers and Measures in Response to the Coronavirus’’ the document was published by IATF as revision 03 on 08.06.2020. You can find this document on the website https://www.iatfglobaloversight.org/

    Pandemic Faced with this situation, IATF has defined a document called "Global Measures of the IATF in response to the COVID-19". The objective of this document is to define the guidelines so that all the stakeholders of this Certification Scheme must be know how to act to mitigate the impact on the continuity of the audits and certification processes. IATF has granted a 6-month extension to each certificate issued and currently valid. This will be reflected in the IATF Database and will be visible later on in the validity of the certificate.

  • Scope of ISMS

    Your understanding is correct. By defining physical limitations in your scope it will be easier to identify how to properly protect the information. Please note that the scope statement is not wrong, it only can be improved by specifying locations.

    Please note that the provided template for ISMS scope included in the toolkit cover all important elements for the scope definition. The comments included on it will guide you where to include the information about locations.

     This article will provide you a further explanation about the scope definition:

  • Understanding the organization and its context

    1. Can you provide any guidance or clarity on defining Clause 4.1 of ISO 27001, determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system?

    Examples of external issues are: geographical location, public infrastructure available, political, economic, social and technological trends, etc.
    Examples of interested parties: clients, suppliers, top management, and employees, etc.
    Examples of internal issues are: organizational culture, processes, and procedures, equipment, financial resources, etc.

    This article can help you:

    2. Also, where is this typically documented?

    ISO 27001 does not require documenting the context of the organization, and this is especially not recommended for smaller organizations - you only need to take into the context of the organization when defining the scope and doing the risk assessment.

  • Organizational Chart

    It is acceptable for ISO 27001 to reference to Organizational Chart in the elaborated documents, instead of using employee's names. In fact, this is a good practice, because, as you mentioned, by using roles instead of people's names, you do not need to update the documents every time the staff changes.

    This article will provide you a further explanation about defining scope:

    These materials will also help you regarding defining scope:

  • Implementation of the controls before audit

    If you go for the certification audit, you should have most of your controls implemented, and make sure that controls that mitigate the biggest risks are fully implemented.

    In other words, you can leave only a smaller number of less significant controls to be implemented after the certification. In such a case, you have to ask risk owners to accept the residual risks.

    This article will provide you a further explanation about certification:

    This material will also help you regarding certification:

  • Policy author

    ISO 27001 does not prescribe that documents' author must be part of the organization, so by the standard the fact that the author is an external consultant is not a problem.

    The auditor's concern may be related to the fact that an external consultant generally does not have deep knowledge of an organization to properly develop the documents.

    In this case, you need to ensure that documents are evaluated and approved by personnel with the proper competencies to do that, so they can validate that the documents fulfill the needs of the organization. For example, the Information security policy must be evaluated and approved by the CISO and Top manager of the ISMS scope (e.g., the CEO if the scope is all the organization or the department head if the scope is limited to a single department), and IT-related policies (e.g., backup policy; IT procedures, etc.) need to involve the IT manager.

    Provided that personnel from the organization with proper competencies are involved in the review and approval of documents, it should not be a problem who is writing them.

    This article will provide you a further explanation about creating documents:

    This material will also help you regarding creating documents:

  • ISMS controls refer to Finance

    Many thanks Rhand for your quick response - very helpful 

     

  • Risk assessment review

    1. When we revise a risk management table on annual basis (new document), I'm not sure if we assess risks (consequence and likelihood) with all implemented controls/safeguards on our mind or without them? If we take already implemented controls into account when assessing risks, almost all risks are acceptable (few residual remains), there is no need for additional treatment at this moment.

    When you perform a risk assessment review, you need to consider the risk values including the effects of implemented controls. You only need to ensure that the information about the implemented controls are also documented in the risk assessment.

    2. Hypothetical: if all risks are acceptable according to our methodology, is it ok not to have a Risk treatment plan?

    It is acceptable to have no update in the current Risk Treatment Plan in case all risks are acceptable, but please note that the Risk Treatment Plan can also be used to improve controls efficiency (i.e., you can achieve the same results using fewer resources), or in case you need to change technology, but this change will not have an effect on the risk value.

    This article will provide you a further explanation about continual improvement:

  • Risk Assessment Methodology

    It is expected that under an ISO 27001 certified ISMS an organization has only one risk assessment and risk treatment methodology approach, so it can produce comparable results all across the ISMS scope, but there are rare cases where parts of the scope may be under different legal requirements (e.g., laws, regulations or contracts) demanding each one of them to use a different approach, or the performed processes defined by the organization require different approaches (e.g., risk management process for project development and for financial risk assessment).

    In such cases, the ISMS must provide a way for the risks from different approaches to be compared (e.g., by using a conversion table, so the results from one approach can be translated to the other and vice versa)

    This material will also help you regarding risk management for ISO 27001:
Page 365-vs-13485 of 1128 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +