
  • Documenting policies

    ISO 27001 does not prescribe how documents should be grouped, so organizations are free to use the approach that best suits them. Our general recommendation is to put policies together only up to the size at which the document remains manageable. People tend not to read large documents, and such documents are also difficult to handle if they are in physical format.

    This article will provide you with further explanation about documenting policies:
    - One Information Security Policy, or several policies? https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/

    This material will also help you regarding documenting policies:
    - Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/

  • ISMS documents

    If I understood correctly, it seems to you that some documents are missing.

    Considering that, Advisera's ISO 27001 Documentation Toolkit does not have a document for each and every control from ISO 27001 for the following reasons:

        1) ISO 27001 does not require each and every control to be documented
        2) If the toolkit had a document for each control, there would be too many documents, and this would be overkill for smaller and mid-size companies.

    Since our targets are SMEs, we have decided to include an optimum amount of documents for companies of this size - the toolkit includes:

        - All the mandatory documents - e.g. Information Security Policy, Statement of Applicability, Risk Assessment Methodology, Access Control Policy, etc.
        - Documents that are not mandatory, but are commonly used - e.g. BYOD Policy, Classification Policy, Password Policy, Backup Policy, etc.

    You can see a full list of documents included in the toolkit in the list of documents file in your toolkit.

    In case your organization needs a document not included in the toolkit, you can use the blank template included in the toolkit to write the document yourself, send us an email asking specific questions about this new document, or schedule a meeting with one of our experts, so he can help you write the document. You can schedule a meeting at this link: https://advisera.com/27001academy/consultation/

  • ISO 9001 / Cost of Quality

    No, neither ISO 9001:2015 nor ISO 9000:2015 defines “Cost of Quality”.

    For example, the term “cost of quality” is used in this article - How to measure the cost of quality in line with ISO 9001 principles - https://advisera.com/9001academy/blog/2019/10/28/cost-of-quality-how-to-measure-it-in-line-with-iso-9001/

    Before ISO 9001, I used the term “cost of quality” as a designation for the sum of the cost of quality prevention (like training), quality control (like controllers’ wages) and quality failure (like the cost of defects and rework).

    Cost of quality can be a quality objective.

    Below, you can find more information about quality objectives:

    - How to Write Good Quality Objectives - https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
    - Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Quality objective

    Good quality objectives derive from the quality policy. A good template should test this condition: which commitment of the quality policy is executed through this quality objective?

    Good objectives should comply with the S.M.A.R.T (specific, measurable, achievable, realistic and time-based) test. A good template should test these conditions.

    In my work with organizations I also include a time chart to answer three important questions: what to do, by whom, and by when.

    A good template should also clarify upfront what resources are available to meet the objective.

    Below, you can find more information about quality objectives:

    - How to Write Good Quality Objectives - https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
    - What has changed with quality objectives in ISO 9001:2015? - https://advisera.com/9001academy/blog/2018/05/08/what-has-changed-with-quality-objectives-in-iso-90012015/
    - Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • BRM roles

    The Business Relationship Manager has the following responsibilities:

    • Coordinates activities with other Service Management roles and processes
    • Identifies customer needs and ensures that the company is able to meet those needs
    • Ensures a high level of customer satisfaction
    • Establishes and maintains communication and constructive relationships with customers
    • Understands customers and their business needs, and recognizes new opportunities
    • Serves as a mediator for conflicts
    • Takes care of the customer satisfaction survey and customer complaints


    The following article can help you further: "ITIL Business Relationship Management – Know your customer" https://advisera.com/20000academy/blog/2014/05/14/itil-business-relationship-management-know-customer/

  • Risk assessment and treatment

    The Risk Assessment and Risk Treatment template is fully compliant with ISO 27001 requirements and is accepted by all certification bodies that have performed the audits on companies that use our toolkits.

    However, please note that ISO 27001 does not prescribe how risk must be scored (only that consequence and likelihood must be assessed to determine risk), so if the approach used by your consultant fulfills the standard's requirements, it will also be acceptable to certification bodies. Please be aware that we offer the simplest method available, while consultants typically prefer more complex risk assessment methods.

    This article will provide you with a further explanation:

  • Change management

    Included in your toolkit there is a Change Management Policy which can help you define how changes to the information systems are controlled, fulfilling the requirements of control A.12.1.2 Change management from ISO 27001 Annex A. This template covers the minimum requirements for managing changes, so it can be adapted to include any specifics regarding CI/CD.

    You can find this template in the folder 08_Annex_A_Security_Controls >> A.12_Operations_Security

    This article will provide you with further explanation about change management:
    - How to manage changes in an ISMS according to ISO 27001 A.12.1.2 https://advisera.com/27001academy/blog/2015/09/14/how-to-manage-changes-in-an-isms-according-to-iso-27001-a-12-1-2/

  • Access control

    ISO 27001 does not prescribe which roles must define access rights, only that such accesses must be defined, so organizations are free to designate roles as best fits them.

    Common practice is that the person with the most knowledge of the value of the information to be accessed should define the access rights, taking into account the access needed to perform business activities and applicable legal requirements. IT staff normally assume the role of implementing the defined accesses.

    For example, access rights to financial information should be defined by the Financial Manager, while access to salary information should be defined by the HR Manager.

    This article will provide you with further explanation about access control:
    - How to handle access control according to ISO 27001 https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/

  • DPO role

    According to Article 27 of the GDPR, a company has to appoint an EU representative when the company:

    • is offering goods or services to persons in the EU (whether a payment is requested or not); or

    • is monitoring persons’ behavior which takes place inside the EU

    Such an obligation shall not apply to processing which:

    • is occasional

    • does not include large-scale processing of special categories of data (health, political opinion, sexual orientation, etc.) or data relating to criminal convictions and offenses

    • is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope, and purposes of the processing;

    • is carried out by a public body

    You can find more information here:

    • Article 27 GDPR: https://advisera.com/eugdpracademy/gdpr/representatives-of-controllers-or-processors-not-established-in-the-union/

    • Agreement for the Appointment of an EU Representative: https://advisera.com/eugdpracademy/documentation/agreement-for-the-appointment-of-an-eu-representative/

  • Implementing 17025 from 9001

    ISO 17025:2017 has incorporated the relevant clauses of ISO 9001 in clause 8, the Management Requirements for laboratories. A laboratory is therefore allowed to formally implement ISO 17025:2017 according to Option B if it has an effective ISO 9001 management system that meets the requirements specified in 8.2 to 8.9 of ISO 17025:2017. This means that ISO 9001 is used to cover clauses 8.2 to 8.9 of ISO 17025:2017. What remains is to implement Clauses 4 to 7, supporting the competency of the laboratory to consistently produce valid results.

    The following will assist you in confirming that the laboratory has the necessary procedures: ISO 17025 vs. ISO 9001 – Main differences and similarities https://advisera.com/17025academy/blog/2019/07/11/iso-17025-vs-iso-9001-main-differences-and-similarities//

    List of mandatory documents required by ISO 17025:2017 https://advisera.com/17025academy/blog/2019/08/30/list-of-mandatory-documents-required-by-iso-170252017/

    You can also download, for free, the useful Diagram of ISO 17025 Implementation Process: https://info.advisera.com/17025academy/free-download/diagram-of-iso-17025-implementation-process
