Search results

ISO 27001 certification

 In fact, this is a critical issue you have to take into account when selecting a toolkit. Good toolkits not only cover the requirements to ensure your ISMS is compliant with the standard, but also leave plenty of space for you to include your own information and excellent toolkits also include examples on how to include your own data and provide support to help you when you're stuck. This second approach is used by Advisera on its toolkits, which are sold on more than 100 countries around the world.

To see how our ISO 27001 documentation toolkit looks like, please access this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

For more information about implementation approaches, please read:
- 3 strategic options to implement any ISO standard https://advisera.com/blog/2016/04/11/3-strategic-options-to-implement-any-iso-standard/

Annual Program for Internal Audits

First of all, sorry for this situation.

The original text in English for this column is "Audit implementation record", and the audit report is one way to evidence the audit was performed.

If by "Protocol to execute the audit" you are referring to a system of rules about the correct way to act in audits, then it refers to the internal audit procedure. If your organization has one, it should be listed in the "Auditing Method" column.

ISMS interfaces and dependencies

The consideration of interfaces and dependencies can be evidenced through the ISMS scope, which can be a totally separate document or a part of an Integrated Management System Manual. (Please note that ISO 27001 does not require an IMS manual to be written, nor that interfaces and dependencies are documented). 

These articles will provide you further explanation about ISMS scope:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

This material will provide you further explanation about ISMS scope:
-How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/

ISO 22301 and Disaster Recovery Plan

As a management system standard, ISO 22301:2019 does not prescribe how to achieve business continuity, only what needs to be achieved.

Considering that, clause 8.4.5 (recovery) requires documented processes to restore and return business activities to regular operation after a disruption. Implementation of these requirements in most cases is achieved through IT Disaster recovery program and DRP site, but this is not mandatory, because organizations may decide for a different approach (e.g., some small percentage of low-tech companies might be able to recover without using computers).

This article will provide you further explanation about Disaster Recovery Plan:
- Disaster recovery vs Business continuity https://advisera.com/27001academy/blog/2010/11/04/disaster-recovery-vs-business-continuity/

Questions regarding EU GDPR

1. If I have multiple subsidiaries in more than one EU country, do I need to appoint a Lead Supervisory Authority?

Appointing a Lead Supervisory Authority is something that is provided for your convenience and is not mandatory. So, you can decide to appoint just one or you can choose to deal independently with all the Supervisory Authorities where your subsidiaries are located.

2. Do I need to register in all EU countries where the subsidiaries are located?

Registration is something that the GDPR left to the local Supervisory Authorities to decide. My advice is to check the website of the Supervisory Authorities and check if you need to register. Some EU countries do not require registration such as France and Romania but others do, such as the UK.

3. Can I appoint just one DPO for all of the subsidiaries or I would need one in each country?

Not necessarily, depending on your activities you can decide to appoint just one DPO to handle multiple jurisdictions. However, you need to be aware that the DPO may need to interact with the data subjects and the Supervisory Authorities in those jurisdictions which may require knowledge on the local language as well as legislation.
If you want to learn more about the tasks of a DPO check out this free webinar “ Role of the DPO according to EU GDPR” (https://advisera.com/eugdpracademy/webinar/role-of-the-dpo-according-to-eu-gdpr-free-webinar-on-demand/).

4. Based on your experience how much time and resources are needed to become compliant whit the GDPR?

Time and resources to become compliant with the EU GDOR is closely linked with your activities as well as your staff. We have developed this “EU GDPR Compliance Duration Calculator” (https://advisera.com/eugdpracademy/eu-gdpr-compliance-duration-calculator/).

Root cause analysis

Let us suppose that an organization is not satisfied with the level of non-conformities on product X. So, the first step is to focus the effort of improvement, by performing a symptom diagnosis using, for example, a Pareto chart.

After this initial screening the organization needs:
a) to determine probable causes;
b) make some tests or investigations to find root-cause(s);
c) develop alternative solutions;
d) select the best one;
e) implement the solution;
f) check the effectiveness of that solution

The five whys technique is used on step a). Normally, root causes are deeply hidden in the way an organization works and decides how to act. So, when looking into the cause of a problem an organization someone asks:

- Why is this problem happening?

A answer can be:

- That happens because people have no training

That is a first why, a first cause for a problem. After that someone might ask:

- And why do people have no training?

- Because they are new employees and they did not receive any initial training

- And why did they not receive any initial training?

- Because the training department was not informed of their arrival

- And why was the training department not informed of their arrival?

- Because we did not plan their integration in the company, and they had to be integrated in a hurry to close the gap in people needed to work in the Summer season

- And why did we not plan their integration, the summer season requirements is well known in advance?

- So, if we improve our preparation of the Summer season, we can prepare new employees integration, give them training and avoid future problems.

Asking why five times can lead us to a deep systemic cause with impact on the problem and manageable by those that want to improve the organization.

The following material will provide you with information about root cause analysis:
- Aerticle - ISO 9001 – How to use root cause analysis to support corrective actions in your QMS - https://advisera.com/9001academy/blog/2016/03/01/how-to-use-root-cause-analysis-to-support-corrective-actions-in-your-qms/
- Free webinar – Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

List of Legal Regulatory Contractual and Other Requirements

Unfortunately, we do not have example documents we can disclose due to confidentiality agreements with our customers.

Regarding requirements for employees, an example would be to keep the confidentiality of their personal records kept by the organization.

Requirement for shareholders would be the integrity of financial and performance reports.

About clients' requirements, you should consider clauses in service agreements you have with them.

This article will provide you further explanation about requirements identification:
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

Establishing the context of an organization

When thinking about context, consider both internal and external topics. As internal topics think about weaknesses and strengths of your organization, things like experience, difficulties, successes.

As external topics think about opportunities or threats in the market, things like economic trends, technological evolution, legislation trends, social evolution. Check particularly the first link below.

The following material will provide you more information about context and interested parties:

- Article - Case study for ISO 9001:2015 transition in a construction company - https://info.advisera.com/hubfs/9001Academy/9001Academy_FreeDownloads/Case_study_for_ISO_9001_2015_transition_in_construction_company_EN.pdf
- Article - How to identify the context of the organization in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
- How to determine interested parties and their requirements according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/11/10/how-to-determine-interested-parties-and-their-requirements-according-to-iso-90012015/
- Free webinar - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
 

Internal audit report

Audit trail is part of the audit method. Audit method covers the definition of the audit scope, audit planning, audit execution, audit report, and audit follow up. The audit trail is created during audit execution (based on the item you mentioned, defined during audit planning). 

This article will provide you further explanation about internal audit: 
- How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

SOP approval signature needed or not

On company letterhead I would only add the logo of the organization to your list.

Normally, when I work with organizations, if they keep paper versions of the documentation, I just ask them to sign an original that will be kept as a record. Other paper versions aren’t signed, but they have to match version # and content with the original approved. 

I recommend that the signing, on paper or digital, should be done by the person with authority to make the content of the document an internal rule.

The following material will provide you with information about document control:
- Article - New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/

- Article - Some Tips to make Document Control more useful for your QMS - https://advisera.com/9001academy/blog/2014/05/20/tips-make-document-control-useful-qms/

- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/

- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/