Search results


  • ISMS scope change

    1. If a company has been ISO27001 certified over the last couple of years and the scope is for say Datacenter facility Mgt/Infra/Network Services, Managed Security Services, Operations Support - covering server, Helpdesk, etc and now due to changes in the organization, say, one of the area MSS has been moved to a centralized function under their regional HQ, is the existing ISO27001 certification still valid?

    The ISO 27001 certification would still be valid for the scope that remains under control of the company (i.e., the MSS would not be part of the ISMS scope anymore). This change in the ISMS scope needs to be communicated to the certification body.

    2. If not why? If yes, why?

    A change in the ISMS scope is something expected during a certification life cycle and this situation does not make it invalid, provided that the new scope still fulfills all requirements of the standard.

    3. What can be done to minimize a recertification?

    Since the certificate is still valid, there is no need for recertification.

    4. Can a surveillance audit still proceed?

    The surveillance audits can proceed normally. You only have to inform the certification body of this situation so they can review the surveillance audit schedule. In this situation, you have to evaluate the impacts of the change in the scope and make proper adjustments in the ISMS (e.g., risk assessment, risk treatment, SoA, etc.).

    Please note that one adjustment is also to create an agreement with the new "provider" of the MSS, i.e. the regional HQ. 

  • Roles and responsibilities for infosec management

    First of all, sorry for this confusion.

    Top-level information security roles and responsibilities are defined in the Information Security Policy.

    Specific roles and responsibilities for information security are defined in each template, considering activities to be performed (i.e., there is no central document specifying these ones). The parts in a template where you can find roles can be identified by a text like "[jobtitle]". For example, in the Backup policy, you have "[jobtitle] is responsible to perform backup restore."

    ISO 27001 does not prescribe which roles and responsibilities must be performed, so an organization is free to define the framework that best suits it (e.g., by creating new roles, or designating information security responsibilities to already existing roles).

    These articles will provide you further explanation about roles and responsibilities:
    - How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
    - What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
    - Chief Information Security Officer (CISO) – where does he belong in an org chart? https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/

  • ISO 9001 and corporate office audit

    If there are processes relevant for the scope of the quality management system performed by your corporate office, they have to be audited too. Some organizations agree with their certification body that, on the day of the audit, people from headquarters come to the production site to be audited there; they bring documentation and have access to the digital information. So, in your case, your organization can evaluate what is better, and communicate that to your certification body.

    The following material will provide you more information about certification audits:

    - How to prepare your company for the ISO 9001 certification audit - https://advisera.com/9001academy/03/how-to-prepare-your-company-for-the-iso-9001-certification-audit/
    - What questions to expect on the ISO 9001 certification audit - https://advisera.com/9001academy/blog/2016/04/19/what-questions-to-expect-on-the-iso-9001-certification-audit/
    - Enroll for free in the course - ISO 9001:2015 Lead Auditor Course - https://advisera.com/training/iso-9001-lead-auditor-course/
    - Book – Preparing for ISO Certification Audit: A Plain English Guide - https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/

  • GDPR and security measures

    You are the best, thank you! 

  • ISO 17025 and HLS

    ISO 17025 is not required to be consistent with the ISO High Level Structure (HLS), as the standard is not classified by ISO as an ISO Management System Standard (MSS). The scope of an ISO management system standard is to specify requirements (repeatable steps) for a quality management system, whereas ISO 17025 is an ISO standard providing general requirements for the competency of laboratories; prepared by CASCO, the ISO Committee on conformity assessment. Laboratories use the guidelines and incorporate them into their overall management system.

    ISO 9001, along with other ISO Management System standards such as ISO 14001, is applicable to a wide range of businesses. They are therefore required to have a common framework, the ISO High Level Structure (HLS). This facilitates easier integration between systems of different disciplines.

    This article has some information on the ISO Directive around the HLS, so may be of interest to you - “Has the PDCA Cycle been removed from the new ISO standards?” https://advisera.com/27001academy/blog/2014/04/13/has-the-pdca-cycle-been-removed-from-the-new-iso-standards/

  • ISMS implementation

    1. We are initiating an implementation project of an ISMS, it was decided to work with internal staff, our question is whether with the "Premium Package of documents on ISO 27001 and ISO 22301", is it enough to implement an ISMS without having previous experience?

    Our toolkits focus on customers with little to no previous knowledge of ISO 27001, so, considering the access to our knowledge base, video tutorials, and consultation through email or live meetings, you have all the support you will need to implement an ISO 27001 ISMS with your own personnel.

    For further information, please see:
    - How to use a Documentation Toolkit for the implementation of ISO 27001 / ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-27001-free-webinar-on-demand/

    2. Are there any certifications to be an ISO 27001 auditor? Which would you recommend to us?

    There are two types of ISO 27001 certification for Auditors:
    - ISO 27001 Internal Auditor - this certification recognizes competence for a person to audit his own organization
    - ISO 27001 Lead Auditor - this certification recognizes competence for a person to audit on behalf of a certification body

    At this point, the Internal Auditor certification would be sufficient for your needs.

    These articles will provide you further explanation about internal audit:
    - ISO 27001 Internal Auditor training – Is it good for my career? https://advisera.com/27001academy/blog/2016/03/29/iso-27001-internal-auditor-training-is-it-good-for-my-career/
    - Qualifications for an ISO 27001 Internal Auditor https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/

    Regarding a course, please take a look at this suggestion:
    - ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

  • Certification and quality objectives

    Regarding the Quality Policy - At this link you can access the preview of our Quality Policy template: https://advisera.com/9001academy/es/documentation/politica-de-calidad/

    The quality policy must comply with the following:
    - Be appropriate to the purpose and context of the organization, and be aligned with the organization's strategic direction
    - Provide the framework for establishing the quality objectives
    - Include a commitment to comply with the requirements applicable to your QMS
    - Contain a commitment to continual improvement of the QMS

    In these articles you can find more information about the quality policy:

    - How to write a good quality policy: https://advisera.com/9001academy/blog/2014/03/25/write-good-quality-policy/
    - How does the ISO 9001:2015 revision affect the quality policy: https://advisera.com/9001academy/blog/2018/04/10/how-does-the-iso-90012015-revision-affect-the-quality-policy/

    Regarding the quality objectives - At this link you can access the preview of our Quality Objectives template: https://advisera.com/9001academy/es/documentation/objetivos-de-calidad/

    In general, quality objectives must be SMART:
    - Specific
    - Measurable
    - Achievable
    - Realistic
    - Time-based

    In this article you can find more information about quality objectives - How to write good quality objectives: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/como-escribir-buenos-objetivos-de-calidad/

    These materials may help you better understand the quality policy and the quality objectives:
    - Enroll for free in this course - ISO 9001:2015 Foundations Course - https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
    - Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Raising a Non Conformity or Observation in Internal Audit

    First, it is important to note that, considering ISO 19011, the standard used for auditing ISO management systems, audit findings can be conformity, nonconformity, opportunities for improvement, and recommendations (i.e., there is no definition for observation in the standard as an audit finding).

    Considering that, an internal auditor also can raise a non-conformity for your ISMS even if you have passed a certification.

    The difference between an NC and an observation is that for the second one you do not have enough evidence to support a non-conformity statement. In this situation, the internal auditor can make an observation to the organization so its staff can decide to work on an evaluation to identify if further work has to be done. It also can be used by another auditor in another audit to verify if the situation has evolved to a well-based non-conformity or not.

    This course can give you further information about internal audit:
    - ISO 27001:2013 Internal Auditor course https://advisera.com/training/iso-27001-internal-auditor-course/

  • Integrating IATF 16949 with ISO 9001

    IATF 16949 has higher requirements than ISO 9001. We can consider ISO 9001 as a standard with basic requirements and IATF 16949 would be the standard with advanced requirements.

    Certification for ISO 9001 is good as a starting point for the development of the IATF 16949 system.

    For more details please read the article: “ISO 9001 vs ISO/TS 16949” https://advisera.com/9001academy/blog/2014/10/01/iso-9001-vs-isots-16949/

  • Upgrading the Project Quality Plan to ISO 9001:2015?

    First, is your organization certified or wanting to be certified? If yes, certification body auditors may raise a nonconformity in the next surveillance audit or certification audit. If no, is there any particular request from your customer? Can your organization negotiate with the customer the maintenance of the status quo or small changes?

    If you have to update the documentation, I recommend starting with a Gap Analysis to determine what is different, what is missing, in the transition from 2008 version into the 2015 version. I believe that there are not so many differences in terms of operations. Consider clause 6.3 of ISO 9001:2015, about how to make changes in your quality management system without introducing disruption and chaos.

    The following material will provide you more information about the transition:

    - Case study for ISO 9001:2015 transition in a construction company - https://info.advisera.com/hubfs/9001Academy/9001Academy_FreeDownloads/Case_study_for_ISO_9001_2015_transition_in_construction_company_EN.pdf
    - Free ISO 9001:2015 Gap Analysis Tool - https://advisera.com/9001academy/iso-9001-gap-analysis-tool/
    - Free webinar on demand – ISO 9001:2015 - How to make the transition from ISO 9001:2008 - https://advisera.com/9001academy/webinar/iso-90012015-how-to-make-the-transition-from-iso-90012008-free-webinar-on-demand/
    - Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
