
  • Document Control Procedure content

    1. Is this something that is needed for ISO?

    For ISO management systems, like ISO 27001, the management of external documents is mandatory.

    2. How do I know which external documents are necessary for ISMS compliance?

    External documents are any documents not owned or controlled by an organization that are required for its operation, whether mandatorily or voluntarily adopted. Examples of external documents to be controlled are laws (e.g., SOX and the EU GDPR), standards and regulations (e.g., ISO 27001 itself), and documents and records from customers, suppliers, and partners (e.g., contracts, service agreements, product/service specifications, operation manuals, etc.).

    This material will also help you regarding control of documents:

    • Free video tutorial that you received as part of your toolkit: How to Write ISO 27001/ISO 22301 Document Control Procedure

    3. Also is there an incoming mail register document as part of the templates?

    Incoming mail register is not a mandatory document, you can simply have a table where you register who received some important external document, or where such a document is stored.

    This material will also help you regarding document management:

    Please note that you can find helpful information about these and other potential doubts in the comments included in the template.

  • Security awareness training

    Yes, you do not need to document each and every control - in such cases, you will use awareness sessions and training to explain to your employees how particular security activities need to be done.

    In the SoA you cannot simply refer to the Training Plan - you need to explain in a sentence or two how the control is implemented - e.g. "The data recorded on media must be encrypted."


    Please note that some controls, when identified as applicable, require documentation (e.g., control A.9.1.1 - Access Control Policy).

  • Consequence and Likelihood after Risk Treatment

    Not all controls affect the consequence and likelihood at the same time. The controls you mentioned work only to prevent unauthorized physical access. Once access is gained, they cannot provide any means to avoid damage to assets. Examples of controls you can consider to reduce the impact on information assets are backup and redundancy.

    This article will provide you with a further explanation about control selection:

    These materials will also help you regarding control selection:

  • Internal audit after certification

    ISO 27001 requires an internal audit to be performed covering all mandatory requirements from sections 4 to 10 and all controls identified as applicable in the Statement of Applicability. Considering that, you have to audit section 5.1, regardless of whether the external auditors will audit this clause.

    This article will provide you with a further explanation about surveillance audits:

    These materials will also help you regarding internal audits:

  • Power of Attorney

    Transfer of data outside the EU on behalf of the controller is made through a data transfer agreement and not through a general Power of Attorney. This is because the data controller must set instructions for the data transfer which the data processor must comply with. In fact, the data controller will be liable for any infringement of GDPR rules and even for choosing the wrong data processor. Consider that the EU Commission adopted Standard Contractual Clauses to implement contracts concerning data transfers.

    If you are referring to the Power of Attorney in connection with a legal claim (i.e., transferring data outside the EU for a legal claim), consider that establishing, exercising or defending legal claims is an exemption to GDPR rules. The Power of Attorney, in this case, can allow the data controller or data processor to transfer data outside the EU (of course, only data which are necessary for the legal claim).

    Here you can find more information about this topic:

    - EU GDPR controller vs. processor – What are the differences?: https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
    - 3 steps for data transfers according to GDPR: https://advisera.com/articles/3-steps-for-data-transfers-according-to-gdpr/
    - Standard Contractual Clauses - Free download: https://info.advisera.com/eugdpracademy/free-download/standard-contractual-clauses-annexes
    - Free webinar – How to make personal data transfers to other countries compliant with GDPR: https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/

  • IATF 16949 vs ISO 9001 lead auditor

    ISO 9001:2015 is the base of IATF 16949:2016. An IATF auditor, first of all, has to reach the ISO 9001 qualification. It is recommended as a first step before achieving the IATF 16949 lead auditor qualification.

    IATF 16949:2016 is a quality management system applied only to the automotive industry. Only the suppliers' part of the automotive supply chain is eligible to be IATF certified. With knowledge of ISO 9001 it will be much easier to cover the IATF 16949 additional requirements.

    Advisera has the following courses available:

    ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    ISO 9001:2015 Lead Implementer Course - https://advisera.com/training/iso-9001-lead-implementer-course/
    ISO 9001 Lead Auditor Course - https://advisera.com/training/iso-9001-lead-auditor-course/

  • ISO 9001 / Quality roles for iso requirements

    Anyone can implement and manage an ISO 9001 quality management system. The only requirements are based on the needs of the task: having some knowledge about the standard, being able to promote teamwork and being able to have some influence over managers. ISO 9001:2015 no longer mentions the management representative role, because it wants to give much more importance to top management's commitment to the quality management system. So, be sure that top management works together with that supervisor, particularly when he/she needs to have authority over managers.

    The following material will provide you more information about the management representative:

    - What is the job of the quality management representative? - https://advisera.com/9001academy/knowledgebase/what-is-the-job-of-the-quality-management-representative/
    - What will be the destiny of the management representative in the new ISO 9001:2015? - https://advisera.com/9001academy/knowledgebase/what-will-be-the-destiny-of-the-management-representative-in-the-new-iso-90012015/
    - Free webinar on demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
    - Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - ISO 9001:2015 Documentation Toolkit - https://advisera.com/9001academy/iso-9001-documentation-toolkit/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • ISO 9001 / Procedure vs processes

    Procedures are not mandatory documents in ISO 9001:2015 anymore. But even though you don't need to write any procedure, they can be very useful for the organization, since procedures can help you to conduct processes in a systematic way and therefore you will be able to compare results correctly.

    Regarding the procedure for design and development, you can adapt it to your own situation; as you mention, it can have dependencies on other processes or be based on one main process.

    Here you can find the mandatory documents and records that you need to create in order to comply with ISO 9001:2015 requirements - List of mandatory documents required by ISO 9001:2015: https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/

    The following material will provide you more information about procedures and mandatory documents:

    - Some tips to make Document Control more useful for your QMS: https://advisera.com/9001academy/blog/2014/05/20/tips-make-document-control-useful-qms/
    - How to structure quality management system documentation: https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/
    - Free online training ISO 9001:2015 Foundations Course: https://advisera.com/training/iso-9001-foundations-course/
    - Book - Managing ISO Documentation: A Plain English Guide: https://advisera.com/books/managing-iso-documentation-plain-english-guide/

  • Assets detail level and segregation of duties

    1. I am struggling with the level of detail for listing assets in the 10.1 Risk Assessment Table. Does the standard define how detailed assets should be, or more importantly, what is required in an audit? The catalog examples in the toolkit vary from very detailed to more general ones. For example, can one asset be "development operations system", or do we need to break it down in more detail (Eclipse as IDE, Git for version control, Jenkins for continuous integration, Jira for task management, etc.)? A similar question concerns our SaaS service: can I describe it as one asset even though it has several technical components inside?

    ISO 27001 does not prescribe a level of detail for assets, so organizations can define the level of detail that best suits them. This is generally a balance between the administrative effort and the need for information to ensure proper security. For example, you do not need to record the organization's notebooks as individual assets (you can add an asset called "notebook"), but if they have specific purposes with different risk levels you can use specific assets like "notebook", "development notebook", and "finance notebook". The same concept applies to a SaaS service.

    Included in the toolkit you bought you have access to a tutorial that can help you fill in the risk assessment.

    2. My second question is related to separation of duties, because we simply do not have enough development people to have strict roles between people; the same people do development and deploy versions in production. Of course, there is a well-defined process to test and accept a release candidate before it is put in production.

    To implement separation of duties it is not mandatory to define strict roles (e.g., to have a developer and a tester); you only have to ensure that a single person does not perform the whole process. For example, if you have two developers, one can do the development and deployment of a system, and the other can perform the testing and acceptance of the release candidate of this same system, and you can swap the roles for another system.

    If this arrangement is not possible, you can consider compensation controls like:
    - Monitoring activities
    - Audit trails
    - Management supervision

    This article will provide you with a further explanation about segregation of duties:
    - Segregation of duties in your ISMS according to ISO 27001 A.6.1.2: https://advisera.com/27001academy/blog/2016/11/21/segregation-of-duties-in-your-isms-according-to-iso-27001-a-6-1-2/

  • Clause 4.4.1

    "Does your IATF package include the format and metrics for these 16 processes?"

    IATF requires at 5.1.1.2 that top management shall review the effectiveness and efficiency of the Quality Management System. It is mandatory to measure process effectiveness for all organizational processes, and to measure efficiency for product realization processes (see 9.3.2.1). All documented processes according to 4.4.1, with inputs and outputs, should have performance indicators accordingly (for example, metrics). It is acceptable for an organization to group multiple documented processes into one (or more) processes; for example, "Engineering Specification" (7.5.3.2.2) could be grouped with the Design and Development process and documented based on the documented procedure approach. For these ones, metrics are not mandatory.

    "For each of the 16 'documented processes' do I have to show a metric for that process that falls under clause 4.4.1?"

    You can download a free demo of the IATF 16949 Documentation Toolkit where you will be able to see templates of all documents included in the toolkit, but also a document called 'List of Documents' that displays which documents are mandatory and which are optional.

    - IATF 16949 Documentation Toolkit: https://advisera.com/16949academy/iatf-16949-2016-documentation-toolkit/

