Search results

Controls from Annex A

1 - Is there a documentation by specific Advisera that encompasses the controls in Annex A?

Answer: In your toolkit the documents which cover controls from Annex A are located on Folder 08 Annex A Aecurity controls. To know which document covers which control, please see the List of documents file included in your toolkit.

Additionally, at Advisera site you have access to several articles and free downloadable materials covering controls from ISO 27001 Annex A (without more details about your needs we cannot point specific material, but feel free to send additional emails with specific doubts).

2 - Is a specific document necessary for each of the 114 controls?

Answer: ISO 27001 does not require you to document each and every control - in the List of documents that you received together with your toolkit you will see which documents are mandatory, and which are not.

In the toolkit you bought you have not only documents covering the mandatory requirements of the standard, but also documents covering the most common controls and practices adopted.

These articles will provide you further explanation about mandatory documents and controls from Annex A:

- List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
- Overview of ISO 27001:2013 Annex A https://advisera.com/27001academy/iso-27001-controls/
- How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/

Surveillance audit for a new facility

Is this new facility within the scope of your quality management system? If the answer is no, your organization does not need to do anything

If the answer is yes, your organization should communicate that change to the certification body, together with a plan for the integration of that new facility in the quality management system.

For example, when an organization acquires another facility, ISO 9001:2015 clause 6.3 is used, some of the things that need to done can be: training people in the new practices and procedures; introducing the new procedures; creating/changing quality control plans; integrating infrastructure in the system, calibrating monitoring resources, … 

As an auditor I would like to see an integration planning and evidences of implementation and effectiveness verification. For example, everything can start with determining risks and opportunities coming from that new facility added into the quality management system. 

You can get much more detailed information in the following links:

- Article - QMS Change Management in 7 steps – https://advisera.com/9001academy/blog/2016/11/29/qms-change-management-in-7-steps/
- Article - How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
- Enroll for free - ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
- book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

ISO 9001 audit and certification

You are mentioning our ISO 9001:2015 Premium Documentation Toolkit. With the toolkit you can speed-up the design and implementation of your quality management system. After customizing the documentation and finishing the implementation you can select one of several certification bodies operating in your country to get ISO 9001:2015 certification. Certification costs depend on the number of days needed to audit an organization (normally a function of number of employees and complexity)

The following material will provide you more information to help you:

- Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/
- Buying the documentation is not miraculous, there is still work to be done - ISO 27001 documents – Why the templates are not enough? - https://advisera.com/27001academy/blog/2012/04/24/the-documentation-myth-why-the-templates-are-not-enough/
- How should you pick an ISO 9001 certification body? - https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
- Please check this free webinar on demand - How to use a Documentation Toolkit for the implementation of ISO 9001 - https://advisera.com/9001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-9001-free-webinar-on-demand/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

Steps for ISO 9001 implementation

The first step that I recommend is to perform a Gap analysis, to determine the amount of work to be done.

With this information you can develop your project plan, listing what needs to be done, by whom, until when.

After implementation, perform an internal audit and the management review. There you can decide that your organization is ready for certification audit.

You can get much more detailed information in the following links:

- Article - Should you use a gap analysis in your ISO 9001 implementation? - https://advisera.com/9001academy/17/use-gap-analysis-iso-9001-implementation/
- Free ISO 9001:2015 Gap Analysis Tool - https://advisera.com/9001academy/iso-9001-gap-analysis-tool/
- Article - Checklist of ISO 9001 implementation & certification steps - https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
- ISO 9001 Implementation diagram - https://info.advisera.com/9001academy/free-download/iso-9001-implementation-diagram
- Project Plan for ISO 9001 implementation - https://info.advisera.com/9001academy/free-download/project-plan-for-iso-9001-implementation-ms-word
- Free webinar on demand – Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
- Enroll for free - ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
- book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
 

ISO 9001 document name requirements

Writing the name on documents is not a specific requirement in ISO 9001. However you need to make sure you control your documents and records according to the requirements of the standard and to do so you will need to identify them somehow. Usually the steps into document and record control are the following:

1. You need to identify that kind of document, assining it a name or designation, and assigning it an appropiate version.
2. You have to determine the authority that will approve that document and evidence that approval, for example by signature.
3. You need todetermine where and how will those documents be available and whom should have access to them.

The following material will provide you more information about document control:

- Article - New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
- Enroll for free in this course -  ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book – Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/

Risk assessment internal and external criteria and factors

What are the internal and external criteria and factors that apply in the risk assessment?

Considering ISO 27005, the ISO standard for information security risk management, you have some of the following:

• Internal factors: business objectives, business processes, organizational structure, information assets
• External factors: geography, marketing trends, political and economical issues
• Risk evaluation criteria: strategic value of processes which handle business information, legal, regulatory and contractual requirements, business value of confidentiality, integrity, and availability
• Impact evaluation criteria: classification level of impacted information, affected operations (internal or of third-parties), breach of legal, regulatory or contractual requirements
• Risk acceptance criteria: business-related, legal and regulatory related, operational related, technological related, and financial related

This material will also help you regarding ISO 27001 risk management:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

EU GDPR and Personal Data Processing

1.Who is responsible for the personal data which is processed with a third company (like a booking or a paying system)?

Booking companies and payment facilitators are acting as independent data controllers so they are responsible for all data they collect and process when providing the service to the data subjects.

2. If the Company can access the data (by e-mail, online account, etc,...) but doesn't hold those data?

If the data can be accessed it means the processing of personal data according to art 4 of the GDPR: Storing the data, is not a condition for processing.

If you want to find out more about the EU GDPR check out this free EU GDPR Foundations Course https://advisera.com/training/eu-gdpr-foundations-course/

Difference between Outsourcing and Contracting

While there are some variances, it is easiest to think of these two terms like this; outsourcing is when you get a supplier to perform one of your processes for you, such as heat treating, and this is generally done at the supplier’s site. On the other hand contractors generally work on your site and often do not affect the production processes, such as an electrician upgrading your building.

You can find out more about the ISO 45001 requirements in this helpful whitepaper: Clause-by-clause explanation of ISO 45001:2018, https://info.advisera.com/45001academy/free-download/clause-by-clause-explanation-of-iso-45001

Control implementation

Please note that control A.14.2.5 "Secure system engineering principles" is covered in the Secure Development Policy template, located on folder 08 Annex A Security Controls >> A.14 System Acquisition Development and Maintenance

These articles will provide you further explanation about secure engineering principles and software development life cycle:
- What are secure engineering principles in ISO 27001:2013 control A.14.2.5? https://advisera.com/27001academy/blog/2015/08/31/what-are-secure-engineering-principles-in-iso-270012013-control-a-14-2-5/
- How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/

These sites can also provide further information: 

- https://www.nist.gov/news-events/news/2018/01/update-nist-special-publication-800-160-systems-security-engineering

- https://www.owasp.org/index.php/Security_by_Design_Principles

Communication plan

First is important to note that ISO 22301 nor ISO 27001 do not prescribe how a communication plan must be documented, so it is up to the organization to decide if it will be a separated document or not. 

For small and medium size organizations we understand that a separated document would increased administrative effort unnecessarily, so information related to communication plan is available in the several templates, for example:
- Disaster recovery plan, located on folder 08 Annex A >> A.17 Business Continuity >> 04 Business Continuity Plan
- Activity recovery plan, located on folder 08 Annex A >> A.17 Business Continuity >> 04 Business Continuity Plan

- Information Security Policy, located on folder 04 Information Security Policy
-  Incident management, located on folder 08 Annex A >> A.16 Incident Management 

In each document information related to communication is defined according the document purpose.