Search results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Assign topic to the user

  • 5.1 Leadership and commitment

    1. What Template in our Toolkit contains this Clause?

    Please note that leadership and commitment requirements are systemic, not limited to a single document, so they are embedded in several documents in the toolkit such as:

    • Information security policy
    • Training and awareness plan
    • Management review

    For further information see:

    2. Can we be compliant with this clause maintaining our Information Security Policy? If yes, what shall we give emphasis on apart from company Policies and guidelines?

    As mentioned in the previous answer, the Information Security Policy is only one of the documents you need to implement to be compliant with ISO 27001 leadership and commitment requirements.

    Other issues you have to consider are:

    • Determine information security objectives
    • Determine the main responsibilities related to ISMS
    • Communicate the ISMS importance
    • Provide all the necessary resources
    • Perform management review
  • A.18.1.3 Protection of Records

    First is important to note that "ISMS documents" do not refer only to documents required by the standard (such as the Information security policy), but also to any other documents and records your organization sees as relevant to the ISMS defined purpose and objectives, like project specifications, contracts, etc.

    Considering that, in case you identify relevant risks or legal requirements (e.g., laws, regulations, or contracts) demanding the implementation of control A.18.1.3 for these other documents, then you must apply the control to them also.

    In case the documents and records are not related to the ISMS, you still can apply the control, as a good practice, but they will not have an impact on any certification process.

    As for ways of protection of such documentation, some examples are:

    • physical cabinets
    • backup copies
    • digital signatures

    The choice of protection will depend on the risks identified during the risk assessment.

  • Implementation of ISO 27001

    Hello Rhand Leal

    Thank you for your reply. I just wrote one policy. But thanks for your advise and further comments on the subject. Our problem is that the auditor already raised the nonconformity and I don't want to argue with him about this particular policy.

  • Preventive action

    Yes, you can say so.

    For example, risk-based thinking is seen as replacing preventive action in ISO 9001:2015. How does the risk-based approach work? Bearing in mind the objectives to be achieved, we ask: What can go wrong? What can prevent us from meeting them? So, we are not answering to a specific problem, we are answering to a potential non-conformity.

    You can get much more information in the following links:

  • Pricing a consultancy

    To do costing as a project you need to have as much information about the business processes as possible, to avoid an undetailed project that may cause you to underprice your service. The main problem here is not the tasks to be performed and documents to be created, but the effort required to perform them, since as greater the number of processes involved, the greater the effort and the number of documents.

    My suggestion is for you to make a mixed approach:

    • Elaborate a project with the information you have
    • In the tasks you are not sure about the total effort, state an assumption about the effort you expect to have (e.g., elaborate BC plans for 3 business process, interview 2 employees, etc.)
    • Define an hourly rate for additional hours considering all the hours you have for the planned project (normally this will be greater than the project's hourly rate)

    This way, if your assumptions are right, your project is well priced. In case you do not have all the needed information, the higher hourly rate will compensate for your additional effort, and as a bonus, your customers will have more incentive to help you detail the project because additional hours will cost them more than if they are executed as part of the project.

    To help you in your consulting career, I suggest you take a look at our ISO 27001 & ISO 22301 Consultant Toolkit at this link: https://advisera.com/27001academy/consultants/

    These materials will provide you a further explanation about elaborating a project:

  • Equipment Sitting and Protection A.11.2.1

    I am implementing this as we required by our customer, who are Banks. They advise we must adhere to the policies they do as we process their data. Yes we are a small business, only doing small home insurance repairs, however if fulfilling all their requirements means we become one of their preferred suppliers we will do it.

  • Backup policies

    ISO 27001 has a control specific for Information backup (control A.12.3.1 ), but it does not provide details about its implementation. For that, you should consider ISO 27002, a supporting standard that defines guidelines for information backup, such as definitions o backup periodicity, backup test, etc.

    To see how a backup policy compliant with ISO 27001 looks like, I suggest you see the free demo of our Backup Policy at this link: https://advisera.com/27001academy/documentation/backup-policy/

    This article will provide you a further explanation about backup:

  • Question about documents

    1. Most incoming documents, contracts, etc would be online. However, if they were to be paper only, how do we handle these?  Can we just scan?

     If you do not have any relevant risk or legal requirement preventing you to have this documentation only in electronic format, then you can scan them and use only an online version.

    For further information about handling paper documents, see:

    2. Also, what if an employee were to print a document?  Should we note that they are responsible for ensuring they are always referring to the latest version and that they must shred when a new one is available?

    Considering that your main document environment is electronic when there is a need to print a document, common practices are:

    • if this document is for temporary use only (e.g., for a couple of days, to be sent to external parties, etc.), it should be identified as a non controlled copy
    • if the document must be available for use in the workplace, it must have a responsible person identified for it, that has the responsibility to ensure the printed document is always in the current version and that obsolete versions are properly disposed of, or identified as obsolete if there is a need to keep such versions.

    This material will also help you regarding document management:

  • Directive legislation and rules in EMS

    ISO 14001:2015 requires compliance with compliance obligations (clauses 6.1.3 and 9.1.2). Different organizations belonging to different economic sectors in a same country have to comply with different compliance obligations. Different organizations belonging to the same economic sectors in different countries have to comply with different compliance obligations. The most common compliance obligations are legislation and regulation.

    You can find more information about ISO 14001 below:

  • Key Performance Indicators for a QMS

    I will give you some examples, but you must be aware that Key Performance Indicators (KPIs) should be aligned with the strategic orientation of an organization. A fast fashion retail organization may have some KPIs very different from those applicable to a luxury retail organization. And even about those that are common, they may be followed with a different set of priorities and mindset.

    • Gross profit, sales and cost of goods sold are the basic three
    • You can have average sales per purchase, sales per square foot, sales per visitors
    • You can have inventory to sales, return rate, backorder rate
    • You can have employee satisfaction.

    You can find more information below:

Page 406-vs-13485 of 1130 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +