Please note that ISO 27001 does not require an organizational chart to present how the organization supports information security. The most common way to document responsibilities related to information security is by writing them in the implemented policies and procedures.
To see what documented responsibilities look like, I suggest you take a look at the free demo of our ISO 27001 documentation toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
These articles will provide you with further explanation about documenting responsibilities:
This material will also help you regarding documentation:
Software maintenance is basically covered by controls from section A.14 System acquisition, development, and maintenance (there is no single control specific for this purpose).
Control A.14.1.1 ensures that maintenance is done in order to reach some requirements set to protect information.
The other controls you mentioned are more related to the security of information systems implementation and daily operations.
These articles will provide you with further explanation about the software development life cycle:
I'm assuming that by VAPT you mean "Vulnerability Assessment & Penetration Test".
Considering that, first it is important to note that the purpose of risk analysis is to evaluate the risk, quantitatively or qualitatively; that a security audit is used to find out whether security is being performed as planned, or whether the results achieved are those expected; and that VAPT is used to find out whether there are vulnerabilities in your environment that could be exploited.
All of this considered, a security audit and VAPT cannot be used for risk analysis, but they can be used for risk identification, because their results can point to situations where information can be compromised (i.e., risks).
These articles will provide you with further explanation about the risk assessment process:
These materials will also help you regarding risk assessment:
You can use ISO 20000 as a management system (or a framework) towards excellence in service delivery. However, use ITIL as well, to manage daily activities and as an improvement model.
ITIL4 guidelines can help you evolve your organization in a way that converges technology and business.
Here is an introduction article on ITIL4: "ITIL 3 vs. ITIL 4 – What has changed and what is new?" https://advisera.com/20000academy/blog/2019/07/04/itil-3-vs-itil-4-what-has-changed-and-what-is-new/
According to ISO 20000, an SLA is a "documented agreement between the organization and the customer that identifies services and their agreed performance."
Here are a few articles where you can find more details:
"What’s the content of an ITIL/ISO 20000 SLA?" https://advisera.com/20000academy/blog/2016/06/14/whats-the-content-of-an-itiliso-20000-sla/
"SLAs, OLAs and UCs in ITIL and ISO 20000" https://advisera.com/20000academy/knowledgebase/slas-olas-ucs-itil-iso-20000/
I will not comment on your auditor's comment about doing the follow-up.
Please consider this flowchart:
When you receive the audit report a first step is to separate minor from major nonconformities.
About the minor nonconformities
The auditor found one nonconformity. As a good practice, your organization should check whether there are other situations, not audited, with the same nonconformity. A minor nonconformity requires a correction, i.e. an action to eliminate the nonconformity. Define the correction, implement that correction and shortly after check that the nonconformity was removed. For example, the auditor found an outdated form at the warehouse. Your organization checks all forms in use and finds another outdated form at the sales department. Remove the outdated forms and distribute the updated ones. One week later, check that the right forms are being used at the warehouse and the sales department. All these steps should be recorded in a form for treating audit minor nonconformities.
About the major nonconformities
The auditor found one nonconformity. As a good practice, your organization should check whether there are other situations, not audited, with the same nonconformity. A major nonconformity requires both a correction to eliminate the nonconformity and a corrective action to eliminate the cause of the nonconformity. Define the correction, implement that correction and shortly after check that the nonconformity was removed. At the same time, investigate the possible causes of the major nonconformity and determine the root cause(s) of that major nonconformity. Then determine a corrective action to eliminate that/those root cause(s). Implement that corrective action and shortly after check that the corrective action was implemented. After some agreed time, check that the implemented corrective action was effective. For example, an organization took too much time to answer complaints. Their internal procedure mentioned less than 24 hours for a first answer, while they had on average more than 60 hours. 3 months after implementing the corrective action, they concluded that the average time for the first answer was 12 hours. The corrective action was effective.
Please ensure that implementation and effectiveness are verified by someone not working in the department or area where the nonconformity took place.
You can find more information below:
What do you mean by archived documents?
If you mean records – the answer is yes. Records are the memory of an organization. If an organization loses or cannot access its records in time, it has no memory. An organization without memory is an organization that learns slowly. An organization must define rules for archiving records, so that it is clear and easy how to retrieve them and how to protect them.
Please check the list of mandatory records required by ISO 9001:2015 in this article: List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
You can find more information about records below:
You must know the standard as a whole and the interpretation and purpose of its clauses. You must have experience of working with ISO 9001 in several contexts, for example as a quality manager, as a consultant, as a trainer, as an auditor. You must like what you do, because knowing about ISO 9001 is like a journey: you must always be in "search mode". There is always a better interpretation, a better example; each organization is different, and you should have an open mind to avoid imposing rigid or "imported" models. So, you must be aware of what others are writing and publishing. You must also develop your own brand by evidencing your knowledge. You evidence your knowledge when you write. You should write. Share what you know, share your experience and results, share testimonies from your customers about the outcomes of working with you. Use blogs, professional networks, trade magazines, use your LinkedIn profile, make presentations at conferences. And don't forget to develop a network of contacts.
If you need an initial aid to start working on the implementation of a quality management system, perhaps this course could be useful; you can enroll for free: ISO 9001:2015 Lead Implementer Course - https://advisera.com/training/iso-9001-lead-implementer-course/
If you want to become a lead auditor of quality management systems, perhaps this course could be useful; you can enroll for free: ISO 9001:2015 Lead Auditor Training Course - https://advisera.com/training/iso-9001-lead-auditor-course/
If you need some ideas about starting consulting work, perhaps this webinar can give you some: Free webinar on demand – How to sell ISO consulting services - https://advisera.com/9001academy/webinar/how-to-sell-iso-consulting-services-free-webinar-on-demand/
ISO 9001:2015 does not impose extra work on organizations. ISO 9001:2015 sets requirements, and it is up to each organization to decide how to apply those requirements. For example, ISO 9001:2015 requires that organizations perform quality control of their products and services; as long as legislation or regulation does not prescribe what to control, how to control and when to control, it is up to each organization to decide the scope and depth of that quality control.
Benefits to company employees with the implementation of a quality management system according to ISO 9001:2015 can be about:
You can find more information about ISO 9001 below: