Search results


  • ISO 9001 and controlled documents

    Is information in the appendix of a controlled document still considered controlled?

    Answer:

    Yes, an appendix is part of the whole document. If it is there, someone with authority considered that information useful. It is better that it is kept updated.

    I have a controlled document which has some examples in the appendix of the document. I would like to print these out and laminate them for use by my plant operators at point of use.

    Answer:

    You can print them out and use them at the point of use. Control the version and control the distribution. If the original document or any of the appendices are updated, with the distribution control you can update them. That way you will ensure that the right version is always at the point of use.

    You can find more information about document control below:

  • Continuous Improvement

    Please note that ISO 27001 does not prescribe any specific documentation for clause 10.2.

    Examples of how you can demonstrate continual improvement are:

    • decrease in the number of incidents and losses due to security incidents
    • changes in the ISMS to correct problems or take advantages of opportunities identified during the management review

    These articles will provide you further explanation about continual improvement:

  • Business Continuity Plan template

    The documents' content is basically the same, the difference being in the references to ISO 27001 in the template "17.4 Business continuity plan" (section 2).

    Please note that there are two templates because they are used in different toolkits.

    The template "07 Business continuity" is part of the ISO 22301 Documentation Toolkit, while template "17.4 Business continuity plan" was developed for the ISO 27001 & ISO 22301 Premium Documentation Toolkit.

  • ISO 27001 in pandemic

    Well-defined BYOD and Telework policies, considering controls A.6.2.1 and A.6.2.2, allow organizations to minimize risks related to WFH.

    For further information, see:

  • Question about policy

    1. Is there any document showing how to link policies? That is which policies are dependent on which policies?

    First, it is important to note that ISO 27001 does not require such a document, and since the standard does not prescribe which policies should be developed, it is unfeasible to develop such a list in a general way.

    Now, considering the documents of our toolkits, we develop them with a "Reference documents" section, to point out which documents are related to each template, so you can use the information in this reference to build such a list.

    For further information, see:

    2. How to show risks of inadequate leadership in a nice way

    If the risks are related to missing documents required by the standard, like the information security policy, you can simply mention that the document is missing and the action of leadership is to ensure they are developed.

    In case the risks are related to leadership behavior required by the standard, like promoting continual improvement, a good way to present such risks is to state that related requirements of the standard are not being "properly" followed. This way you can imply that leadership is doing something, which is better than stating that they are doing nothing, but that what is being done is not enough to comply with the standard.

    For further information, see:

  • ISO 13485 and finished medical device from a supplier

    ISO 13485 should be mandatory.

  • Risk treatment plan

    ISO 27001 does not prescribe how to document the Risk Treatment Plan, so both approaches (single or separate plans) are acceptable for certification purposes. You can keep all tasks related to the risk treatment plan in a single document.

    For further information, see:

  • Toolkit content

    First of all, sorry for this confusion.

    The documents from section A.18 are not missing from the toolkit. These documents are covered in the toolkit in folder "02 Procedure for identification of requirements".

    Included in the toolkit there is a List of Documents file that shows which documents cover which clauses of the standard.

  • A.12.6.1 Management of Technical Vulnerabilities

    Since patching involves changes in the environment, you should take a look at the Change Management Policy template included in your toolkit, in folder 08 Annex A Security Controls >> A.12 Operations Security, to see if it can fulfill your needs.

    Regarding control A.12.6.1, there is no template covering this specific clause.

    Please note that Advisera's ISO 27001 Documentation Toolkit does not have a document for each and every control from ISO 27001 because of the following reasons:

    1. ISO 27001 does not require each and every control to be documented.
    2. If the toolkit had a document for each control, there would be too many documents, and this would be overkill for smaller and mid-size companies.

    Since our target is SMEs, we have decided to include an optimum amount of documents for companies of this size - the toolkit includes:

    • All the mandatory documents - e.g. Information Security Policy, Statement of Applicability, Risk Assessment Methodology, Access Control Policy, etc.
    • Documents that are not mandatory, but are commonly used - e.g. BYOD Policy, Classification Policy, Password Policy, Backup Policy, etc.

    In case you identify that you really need to apply control A.12.6.1, you can contact our support by email, or in a scheduled online meeting (https://advisera.com/27001academy/consultation/), so one of our experts can help you with how to best evidence the implementation of this control.

    For further information, see:

  • Difference in clauses

    Clauses 6.1.2 and 6.1.3 refer to the planning, and first application, of risk assessment and risk treatment ("The organization shall define and apply..."), while clauses 8.2 and 8.3 refer to subsequent applications of the process ("(...) at planned intervals or when significant changes are proposed or occur, (...)").
