1. Hello, the document in which my question arises: "Method for identifying requirements" (chapter "02" of the toolkit).
Where inside the document my question arises: "5. Management of records for this document"
Column 4: Measure to protect the recording.
The record will be the "list of requirements". The defined measure to protect the recording doesn't make sense to me (the German version): "Nur falls [Stellenbezeichnung] zur Bearbeitung von Daten berechtigt ist" (in English, roughly: "Only if [job title] is authorized to process data"). Can you please explain that to me?
First of all, sorry for this translation.
Please note that the original text in English is "Only [job title] is authorized to edit data".
Different from other records which must not change over time (only in exceptional conditions), this list of requirements is a kind of record that may change regularly due to business and external factors (e.g., new customers' security requirements, new laws and regulations, etc.). To ensure changes are controlled, the recommendation is that a defined role is in charge of updating this record.
2. My question is inside chapter 4 of the method for identifying requirements. How does the annual assessment of the ISMS compliance with the requirements take place? What proof is required for this?
When auditing this record, the auditor will look for the previous lists in the period defined in the "Retention time" column, and will verify which changes were made from one version to the other and which person made the change (in this case, the job title defined in the "Control for record protection" column).
Risk assessment for third parties is not different from the risk assessment performed for your own organization, so you can use the same templates included in this ISO 27001/ISO 22301 Risk Assessment Toolkit at this link: https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/
The templates included in this toolkit will help you implement risk assessment and treatment compliant with ISO 27001 & ISO 22301:
These materials will provide you further explanation about risk assessment:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
You should include in the document and record control of your Quality Management System only those financial/accounting documents and records that are related to fulfilling customer and third-party requirements or to conformity with product requirements.
For instance, certain procedures such as the accounts receivable procedure, which describes the credit check process and the sales order approval process; work instructions for those positions that are related to customers/suppliers (e.g., Sales Order Entry, Purchase Order Entry, etc.); documents related to inventory control or budget allocation; etc.
You can also see these materials to help you with the document and record control of the finance department:
- New approach to document and record control in ISO 9001:2015: https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
- Book – Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
- Free on-line training – ISO 9001:2015 Foundations: https://advisera.com/training/iso-9001-foundations-course/
It is possible to accumulate the Lead Auditor and Lead Implementer competences.
In fact, a consultant who knows both how to implement the standard and the criteria and methods by which the certification auditor will perform the audit can better guide an organization through its implementation and certification process, adapting policies, procedures, and controls in a better way.
These articles will provide you further explanation about Lead Auditor and Lead Implementer:
- What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
- What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
- Lead Auditor Course vs. Lead Implementer Course – Which one to go for? https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/
ISO 9001 mandatory documents that are not part of ISO 27001 certification are:
- Scope of the QMS (clause 4.3)
- Quality policy (clause 5.2)
- Quality objectives (clause 6.2)
- Criteria for evaluation and selection of suppliers (clause 8.4.1)
And these are the mandatory records for ISO 9001 that are not part of ISO 27001 certification:
- Monitoring and measuring equipment calibration records* (clause 7.1.5.1)
- Product/service requirements review records (clause 8.2.3.2)
- Record about design and development outputs review* (clause 8.3.2)
- Records about design and development inputs* (clause 8.3.3)
- Records of design and development controls* (clause 8.3.4)
- Records of design and development outputs* (clause 8.3.5)
- Design and development changes records* (clause 8.3.6)
- Characteristics of product to be produced and service to be provided (clause 8.5.1)
- Records about customer property (clause 8.5.3)
- Production/service provision change control records (clause 8.5.6)
- Record of conformity of product/service with acceptance criteria (clause 8.6)
- Record of nonconforming outputs (clause 8.7.2)
Please note that there are also other documents that are not mandatory for ISO 9001 but are commonly used (again, only those not also used for ISO 27001are listed here):
- Procedure for addressing risks and opportunities (clause 6.1)
- Procedure for competence, training, and awareness (clauses 7.1.2, 7.2 and 7.3)
- Procedure for equipment maintenance and measuring equipment (clause 7.1.5)
- Sales procedure (clause 8.2)
- Procedure for design and development (clause 8.3)
- Procedure for production and service provision (clause 8.5)
- Warehousing procedure (clause 8.5.4)
- Procedure for monitoring customer satisfaction (clause 9.1.2)
For more information, please see:
- List of mandatory documents required by ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
- How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/
No, you do not need to update all technical file documents to the new version. You just mark the changed documents as v2.1, and the rest of the documents that did not change you can leave in version 2.0.
What you have is good, as long as it gives you enough information going forward.
One interesting thing about this clause of the standard is that it does not require documented information, so any documentation you keep on the needs and expectations of interested parties is in addition to what the standard requires. Just make sure that it has enough information for you and your management team to be able to assess that they understand the need as they review it on an ongoing basis.
Considering the scenario where you consider your likelihood scale OK, you have these alternatives to justify not creating a BCP for flood:
Please note that the easiest way is still to adjust your likelihood scale so that flood likelihood is smaller than fire likelihood. For example, you could use a scale like:
5 - likely to happen within 1 month
4 - likely to happen within 1 year
3 - likely to happen within 3 years
2 - likely to happen within 5 years
1 - likely to happen after 5 years
ISO 22301 does not prescribe any format as the input source of legal, contractual and other requirements, so it is acceptable to use the transcript of questionnaires or interviews where they are mentioned. However, it is important to note that if they are related to provided products or services, instead of using the transcript as the register, you should consider writing them into formal documents like contracts or service agreements, considering their potential use in legal disputes or actions.
Finally, all such requirements (no matter in which form they are expressed) have to be listed in the List of legal, regulatory and contractual requirements.
It is not clear which policy you are talking about, but the information you mention can be found in the following:
- Document retention: Each policy and procedure has a section called "Managing records kept on the basis of this document" where you define topics for document retention, such as retention time and disposal method
- Individual user agreement: this information can be found in these templates: Confidentiality statement (https://advisera.com/27001academy/documentation/confidentiality-statement/), and Security Clauses for Partners and Suppliers (https://advisera.com/27001academy/documentation/security-clauses-for-suppliers-and-partners/) which can also be used for employment contracts
- Reporting InfoSec Weaknesses and Events: this information can be found in template Incident management procedure: https://advisera.com/27001academy/documentation/incident-management-procedure/
- Responding to InfoSec Reports: I'm assuming that by this one you are referring to the response to information security incidents. In this case, this information can also be found in the template Incident management procedure
- Rules for use of e-mail can be found in the template IT security policy: https://advisera.com/27001academy/documentation/it-security-policy/