Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Guest
1. What Template in our Toolkit contains this Clause?
Please note that leadership and commitment requirements are systemic, not limited to a single document, so they are embedded in several documents in the toolkit such as:
For further information see:
2. Can we be compliant with this clause maintaining our Information Security Policy? If yes, what shall we give emphasis on apart from company Policies and guidelines?
As mentioned in the previous answer, the Information Security Policy is only one of the documents you need to implement to be compliant with ISO 27001 leadership and commitment requirements.
Other issues you have to consider are:
First is important to note that "ISMS documents" do not refer only to documents required by the standard (such as the Information security policy), but also to any other documents and records your organization sees as relevant to the ISMS defined purpose and objectives, like project specifications, contracts, etc.
Considering that, in case you identify relevant risks or legal requirements (e.g., laws, regulations, or contracts) demanding the implementation of control A.18.1.3 for these other documents, then you must apply the control to them also.
In case the documents and records are not related to the ISMS, you still can apply the control, as a good practice, but they will not have an impact on any certification process.
As for ways of protection of such documentation, some examples are:
The choice of protection will depend on the risks identified during the risk assessment.
Hello Rhand Leal
Thank you for your reply. I just wrote one policy. But thanks for your advise and further comments on the subject. Our problem is that the auditor already raised the nonconformity and I don't want to argue with him about this particular policy.
Yes, you can say so.
For example, risk-based thinking is seen as replacing preventive action in ISO 9001:2015. How does the risk-based approach work? Bearing in mind the objectives to be achieved, we ask: What can go wrong? What can prevent us from meeting them? So, we are not answering to a specific problem, we are answering to a potential non-conformity.
You can get much more information in the following links:
To do costing as a project you need to have as much information about the business processes as possible, to avoid an undetailed project that may cause you to underprice your service. The main problem here is not the tasks to be performed and documents to be created, but the effort required to perform them, since as greater the number of processes involved, the greater the effort and the number of documents.
My suggestion is for you to make a mixed approach:
This way, if your assumptions are right, your project is well priced. In case you do not have all the needed information, the higher hourly rate will compensate for your additional effort, and as a bonus, your customers will have more incentive to help you detail the project because additional hours will cost them more than if they are executed as part of the project.
To help you in your consulting career, I suggest you take a look at our ISO 27001 & ISO 22301 Consultant Toolkit at this link: https://advisera.com/27001academy/consultants/
These materials will provide you a further explanation about elaborating a project:
I am implementing this as we required by our customer, who are Banks. They advise we must adhere to the policies they do as we process their data. Yes we are a small business, only doing small home insurance repairs, however if fulfilling all their requirements means we become one of their preferred suppliers we will do it.
ISO 27001 has a control specific for Information backup (control A.12.3.1 ), but it does not provide details about its implementation. For that, you should consider ISO 27002, a supporting standard that defines guidelines for information backup, such as definitions o backup periodicity, backup test, etc.
To see how a backup policy compliant with ISO 27001 looks like, I suggest you see the free demo of our Backup Policy at this link: https://advisera.com/27001academy/documentation/backup-policy/
This article will provide you a further explanation about backup:
1. Most incoming documents, contracts, etc would be online. However, if they were to be paper only, how do we handle these? Can we just scan?
If you do not have any relevant risk or legal requirement preventing you to have this documentation only in electronic format, then you can scan them and use only an online version.
For further information about handling paper documents, see:
2. Also, what if an employee were to print a document? Should we note that they are responsible for ensuring they are always referring to the latest version and that they must shred when a new one is available?
Considering that your main document environment is electronic when there is a need to print a document, common practices are:
This material will also help you regarding document management:
ISO 14001:2015 requires compliance with compliance obligations (clauses 6.1.3 and 9.1.2). Different organizations belonging to different economic sectors in a same country have to comply with different compliance obligations. Different organizations belonging to the same economic sectors in different countries have to comply with different compliance obligations. The most common compliance obligations are legislation and regulation.
You can find more information about ISO 14001 below:
I will give you some examples, but you must be aware that Key Performance Indicators (KPIs) should be aligned with the strategic orientation of an organization. A fast fashion retail organization may have some KPIs very different from those applicable to a luxury retail organization. And even about those that are common, they may be followed with a different set of priorities and mindset.
You can find more information below: