Here are the answers:
Do we have to prepare the documentation for each and every control mentioned in the SoA, or prepare only the mandatory documents (the ones mentioned in the attached list of documents)? ISO does not say to document each and every control.
Answer: As you mentioned, ISO 27001 does not require you to create a document for each control. You should prepare only the documents that are mandatory (e.g. Access control policy) + the documents that you think will be useful for you (for example, you might decide that BYOD Policy will be useful because lots of your employees are bringing their own devices). Bear in mind that if you declared a control as not applicable in your Statement of Applicability, then you do not have to write any document for it (even if it is marked as mandatory).
See also this article: 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
If we need to prepare only the mandatory docs, will other docs also be checked during the Stage 1 audit of ISO 27001?
Answer: The certification auditor will check all the ISMS documents you have written; it does not matter if they are mandatory or not.
See also: What to expect at the ISO certification audit: What the auditor can and cannot do https://info.advisera.com/free-download/what-to-expect-at-the-iso-certification-audit
While preparing SOA, can we only prepare the Docs which are relevant to the Organization and exclude the ones which are not organization relevant?
Answer: As mentioned in the first answer, you need to write the documents that are mandatory + those that you consider useful for your company. You should exclude the documents that you did not find useful, but also the documents that are related to controls that you declared as not applicable in your Statement of Applicability.
You can find a more detailed explanation here: Backup policy – How to determine backup frequency https://advisera.com/27001academy/blog/2013/05/07/backup-policy-how-to-determine-backup-frequency/
Here you can find a template for the Backup Policy, you can also see a free preview: https://advisera.com/27001academy/documentation/backup-policy/
These materials will also help you regarding backup:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
It is difficult to provide advice without knowing exactly what your nonconformity was. In general, when you make changes to the existing contracts with your suppliers you need to take into account the results of the risk assessment, and how critical the data they have access to is.
See also these articles:
If you can provide more details on your nonconformity, I can give you a more precise guideline.
Let me first recommend two articles about the benefits for organizations:
A well-designed and implemented QMS reduces firefighting and promotes a culture of making decisions based on facts. Organizing the different processes of an organization reduces variability by defining internal best practices to be followed by each employee/function.
The following material will provide you information about implementing a QMS:
I'm sorry, but in order to answer your question, could you please explain what you mean by "opportunity audit" and "inventory management model"? Such phrases are not used in ISO standards.
Let us focus our attention on the mandatory documents required by ISO 9001:2015. Please check this article, “List of mandatory documents required by ISO 9001:2015” - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/ - there are no requirements about financial documents, and the only mandatory documents about Human Resources are “Records of training, skills, experience and qualifications (clause 7.2)”.
The following material will provide you information about implementing a quality management system:
- Free webinar on demand – Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
- ISO 9001 Checklist of ISO 9001 implementation & certification steps - https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
- ISO 9001 Implementation diagram - https://info.advisera.com/9001academy/free-download/iso-9001-implementation-diagram
- ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
Clause 8.3.2 is about design and development planning. It includes both the project phase and the phase after the project, i.e. after the successful verification and validation.
After the project comes the provision of products and services: What raw materials to use? What drawings to follow? What equipment to use? What process control plan? What specifications to use? What acceptance criteria to use? What quality control plan to use? What packaging to use? What post delivery service to provide?
Clause 8.3.2 h) is about preparing 8.5.1 – including both downstream processes and post-delivery services.
The following material will provide you information about Design and development:
- ISO 9001 – The ISO 9001 Design Process Explained - https://advisera.com/9001academy/blog/2013/11/05/iso-9001-design-process-explained/
- ISO 9001 - Understanding Product & Service Provision in ISO 9001 - https://advisera.com/9001academy/blog/2014/10/07/understanding-product-service-provision-iso-9001/
- Book – Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
- Free online training ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
First, it is important to note that, for a more productive audit, besides the Supplier Security Policy, you should also use an audit checklist, and for that you have an audit checklist included in your toolkit (in folder 10 Internal Audit).
Considering that, if you do not have any legal obligation (e.g., laws or contracts), or risks, demanding specific cloud controls to be implemented by your cloud suppliers, then the internal audit checklist included in your toolkit will be sufficient.
Considering ISO 27001 and ISO 22301, which have a lot of requirements in common, it is perfectly possible to go for the simultaneous implementation of the ISMS and BCMS. In fact, this can bring many benefits, like decreased costs in implementation and internal audits, but first you have to consider the organization's situation in terms of available resources, knowledge, and personnel.
This article will provide you further explanation about integrated implementation:
- How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/
This material will provide further information:
- Free webinar – ISO 27001 & ISO 22301: Why is it better to implement them together? https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/
Regarding step by step guidelines to implement both systems, in a general manner, you have these steps:
- Obtain management support
- Develop a project plan
- Define scope (related to each standard)
- Define top-level policies (related to each standard)
- Define basic management system procedures (common to both standards)
- Develop specific policies and procedures (related to each standard)
- Implement policies and procedures and train personnel
- Perform internal audit
- Perform management review
- Proceed with corrective actions
The following articles will provide you with an explanation of the steps to implement both standards:
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
- 17 steps for implementing ISO 22301 https://advisera.com/27001academy/knowledgebase/17-steps-for-implementing-iso-22301/22301/iso-22301/
ISO 22301 and ISO 27001 do not require you to write a document for the context of the organization; this is why we didn't include such a document in the toolkit. Most of our clients are smaller companies, and they appreciate it if they can avoid overhead.
However, you will collect all the crucial information for the context of your organization by filling out the following documents that are included in the toolkit:
This article can also help you (it is also relevant for ISO 22301): How to define context of the organization according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/