Search results


  • Checklist of Mandatory Documentation Required by ISO/IEC 27001 (2013 Revision)

    Please note that requirements in the main section of the standard (sections 4 to 10) related to roles and responsibilities do not require these to be documented.

    On the other hand, to fulfill controls A.7.1.2, A.13.2.4, the roles and responsibilities need to be documented.

    This article will provide you a further explanation about the documentation of roles and responsibilities:

  • Finding internal and external auditors

    First of all, sorry for this misunderstanding.

    We are not aware of specific jobs, boards or professional associations of ISO 27001 internal auditors, so your best approach would be looking for them on professional social networks like LinkedIn, ISO 27001 security group on Google Groups, or organizations which issue certificates for information security professionals like ISC2 or ISACA.

  • Plan-Do-Check-Act model stages and purpose

    An Environmental Management System (EMS) is a framework that helps an organization achieve its environmental goals and improve its environmental performance.

    The Plan-Do-Check-Act model or PDCA cycle is also called the improvement cycle.

    The PDCA cycle is a continuous loop of planning, doing, checking, and acting. It provides an approach for solving problems and managing change. Let us use an example: An organization wants to improve the quality of the wastewater discharged into a river to comply with its permit.

    Plan – the organization has to study the present situation, has to study different alternatives to improve the wastewater quality, has to decide what to do and make a plan about how to do it.

    Do – the organization has to implement the plan.

    Check – the organization has to verify that the plan is being implemented and that results are being met.

    Act – the organization has to act based on the conclusions of the Check phase. The decision may be to review the plan or to keep its implementation.

    The same PDCA cycle can be applied to the top management level:

    Plan – define a general orientation and an environmental policy, and translate it into environmental objectives and a plan of action.

    Do – implement the action plan.

    Check – verify implementation progress and results.

    Act – decide whether to keep implementing the action plans or to review them.

    You can find more information below:

  • ISO 27001 Risk Assessment

    ISO 27001 does not prescribe a risk assessment approach; it only requires a risk assessment process to be defined, so you can perform the risk assessment only by writing risks, without writing threats and vulnerabilities.

    This article will provide you a further explanation about alternatives to risk assessment:

    This material will also help you regarding risk assessment:

  • Environmental aspects and impacts

    For all the emergency situations, as an environmental aspect I wrote "waste generation" and for the environmental impacts "pollution of the soil, water, pollution with waste, influence on the flora and fauna".

    Answer:

    Perhaps thinking visually will help you:

    https://www.screencast.com/users/ccruz5284/folders/Default/media/14dc847e-9f02-489c-b37e-c007aac6fcc8

    Please check use of the word environmental aspects in this article - Environmental aspect identification and classification - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/environmental-aspect-identification-and-classification/

    For the fire, another environmental aspect is "heat generation".
    For the fire as an aspect I wrote "water consumption" and for the environmental impacts "resource consumption", and "gas emission" with the impact "air pollution". Am I right? Did I miss something?

    Answer:

    For fire events, one of the main vectors for environmental aspects is runoff water. Those waters are normally heavily contaminated. Environmental aspects in that case are soil contamination and water pollution, with environmental impacts around influence on the flora and fauna, and even on communities. There are several cases of runoff waters contaminating an underground water table used as an important public drinking water source.

    Considering the article mentioned above about the use of terminology: water consumption, resource consumption, and gas emissions are all environmental aspects. Impacts are about the consequences, like attack on the ozone layer or promoting the greenhouse effect.

    You can find more information below:

  • Implementation of ISO Standard in software

    Please note that ISO 27001 prescribes "what" needs to be achieved in terms of information security, not "how" to do that.

    The definition of what is important depends on the results of the risk assessment and the identification of relevant requirements (e.g., customer's requirements, laws, regulations, contracts, etc.).

    Considering that, for the identification of what needs to be recorded for validation and storage, you need to check:

    • Which risks related to changes do they consider relevant?
    • Which laws, regulations, and contracts are related to this demand?

    With these answers, you will have the basis for the requirements to be implemented in your software.

    This article will provide you a further explanation about requirements and risk assessment:

    These materials will also help you regarding ISO 27001:

  • Non-compliance departure

    ISO 9001:2015 does not use the words compliance or departure. The wording “non-compliance and departure” is used in contract agreements and conditions for Tender.

    Non-compliance is something not according to the tender or agreement specifications.

    Departure is about any condition of sale, quotation, offer or proposal of any nature appearing on any documents submitted with or within the Tender which constitutes any variation of, or omission from or addition to the Request for Tender.

  • IATF internal audit

    Internal audits conducted with an automotive process approach are one of the most important things to be done to check compliance with the IATF 16949:2016 standard. As you know, this is also one of the main conditions of the standard that should be followed.

    In addition to internal audits, the following also play an important role in compliance with the IATF 16949:2016 standard:

    • Quality management processes are fully defined with turtle diagrams.
    • FMEA and risk management applications are complete.
    • Very good implementation of customer complaint management and a problem-solving culture.
    • Weekly and monthly management meetings; the agenda topics addressed in these meetings and the process objectives that are important for the IATF 16949:2016 standard should include issues such as internal and external problems, customer satisfaction, customer complaints, new product design, and project issues.
    • Management review meetings as expected by the IATF 16949:2016 standard.

    Apart from these, although not highly recommended, a checklist in which the IATF 16949:2016 standard items are routinely reviewed can also be used.

    These articles may provide you further information:

  • Monitoring and measurement and the process approach

    According to the process approach, an organization can be modelled as a set of interrelated processes. According to ISO 9001:2015 clause 4.4.1 c), for each process an organization should determine and apply the criteria and methods (including monitoring, measurements and related performance indicators) needed to ensure the effective operation and control of these processes.

    So, monitoring and measurement should be applied to each process's performance indicators.

    You can find more information about processes and measurement below:

  • ISO 9001 principles

    The quality management principles are:

    • Customer focus
      Who are your relevant customers and customers’ customers? What are their relevant needs and expectations, current and in the future? Do you measure customer satisfaction? For example, construction companies can be focused on a particular kind of customer or a particular kind of construction.
    • Leadership
      Determine what your competitive advantages are. Determine and communicate internally priorities and objectives aligned with those priorities. Your organization doesn’t need to be perfect, but it should be focused on improving what enhances customer satisfaction. For example, some construction companies know very well what kind of customers and projects are to be avoided.
    • Engagement of people
      Communicate how people can contribute to the quality policy and objectives while doing their daily work. Invite people to participate in improvement actions. For example, some construction companies give voice and ask for suggestions about work methods, materials, and equipment.
    • Process approach
      Model how your company works as a set of interrelated processes working to carry out a set of projects. Establish authority, responsibility, and accountability for managing processes and projects. Determine process and project risks and constraints and work to manage the most relevant. For example, some construction companies learn how to see what is systematic and permanent, although each project is different.
    • Improvement
      Establish improvement objectives. Train and prepare people to become competent. Develop improvement projects.
    • Evidence-based decision making
      Determine, measure, and monitor key indicators about the organization’s performance. Make data available to the relevant people. Analyze and evaluate data and information. Make decisions and take actions based on evidence, balanced with experience and intuition. For example, construction companies have this kind of approach at company level and at site level; at site level, construction companies compare actual performance versus budget.
    • Relationship management
      Establish relationships that balance short-term gains with long-term considerations. Gather and share information, expertise, and resources with relevant interested parties. For example, construction companies may develop relationships with universities and some suppliers to be aware of know-how.

    The following material will provide you more information about quality management principles:

    • Seven Quality Management Principles behind ISO 9001 requirements - https://advisera.com/9001academy/blog/2014/02/04/seven-quality-management-principles-behind-iso9001-requirements/
    • Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    • Book – Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
