
  • Access control policy and password policy

    I guess the Password Policy will be: A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.3

    And the Access Control Policy?

    Answer: First, it is important to note that ISO 27001 allows flexibility for each company to decide how many documents they want to have, and what to include in those documents. Of course, you still need to have all mandatory documents, but you are free on how to create them. For further information, see: 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
    Additionally, controls must be kept in the documentation only if they are stated as applicable in the Statement of Applicability. The ones that are not applicable in the SoA must be deleted.

    Considering that, if the Access Control Policy and Password Policy are separate documents for your organization, section 2 (reference documents) of each policy, regarding ISO 27001 requirements, will be like this:

    Section 2 of the Access Control Policy:
    - ISO/IEC 27001 standard, clauses A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.5, A.9.2.6, A.9.4.1. (you need to delete controls A.9.2.4, A.9.3.1, and A.9.4.3)
    - All other references must be kept.

    Section 2 of the Password Policy:
    - ISO/IEC 27001 standard, clauses A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.3
    - All other references must be kept.

    As you noted, controls A.9.2.1, A.9.2.2 must be kept on both documents.
  • SOPs and mandatory documents


    Answer:
    Yes. ISO 9001:2015 has no mandatory documented procedures. Please check ISO 9001:2015 clause 4.4.2. It is up to each organization to evaluate “to the extent necessary” any need for SOPs. Normally, that depends on people’s turnaround and task complexity.

    The following materials will provide you more information about documenting a quality management system:
    - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
    - Free webinar – Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
    - Enroll for free in the course – ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • A formal documented QMS


    Answer:
    ISO 9001 is an international standard for a quality management system. ISO 9001:2015 has some mandatory documents like maintaining a quality policy. ISO 9001:2015 gives a lot of autonomy to organizations to determine which documents are needed (please see clause 4.4.2).
    The following materials will provide you more information about documenting a quality management system:
    - Article – What is ISO 9001? - https://advisera.com/9001academy/what-is-iso-9001/
    - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
    - Should you use a gap analysis in your ISO 9001 implementation? - https://advisera.com/9001academy/17/use-gap-analysis-iso-9001-implementation/
    - ISO 9001 Implementation diagram - Download a complimentary checklist (PDF) - https://info.advisera.com/9001academy/free-download/iso-9001-implementation-diagram
    - Clause-by-clause explanation of ISO 9001:2015 - Download a complimentary white paper (PDF) - https://info.advisera.com/9001academy/free-download/clause-by-clause-explanation-of-iso-90012015
    - Free webinar – Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
    - Enroll for free in the course – ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - If you need help or want to develop documentation faster, check - ISO 9001:2015 Documentation Toolkit - https://advisera.com/9001academy/iso-9001-documentation-toolkit/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Cyber attack security controls


    Answer:

    I'm assuming that your doubt is which standard can provide better guidance in the identification of cyber attack security controls and precaution measures.

    Considering that, the standard of choice is the ISO 27001, which provides general recommendations for information security that can be adapted for cyber security.

    Regarding the definition of responsibilities, business continuity related to ISO 27001 is focused on disaster recovery of IT infrastructure, so if your organization's needs for business continuity go beyond that (i.e., the potential impacts go beyond information-related issues), probably the responsibility should remain with BCM.

    For further information, please see:
    - How to use ISO 22301 for the implementation of business continuity in ISO 27001 https://advisera.com/27001academy/blog/2015/06/15/how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001/
  • Templates content for risk assessment and treatment


    Answer:

    Please note that while risk analysis results are recorded in the Risk Assessment Table template, the defined controls and residual risks are recorded in the Risk Treatment Table template, which can be found at this link: https://advisera.com/27001academy/documentation/risk-treatment-table/

    So, you will need both templates to record the results of the risk assessment and treatment.

    To see how to completely cover the risk assessment and treatment process, I suggest you take a look at our ISO 27001/ISO 22301 Risk Assessment Toolkit at this link: https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/

    For further information, please see:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • SoA classification level


    Answer:
    Because the SoA contains a lot of information about how the organization approaches information security, it is a sensitive document and access to it should be restricted to personnel who require it to perform their activities (e.g., top and middle management, and the security officer), and in most cases this does not cover all employees. Considering that, in most classification frameworks the lowest level which has this kind of restriction is the "Restricted" level, but you have to check your own framework to confirm that. You should avoid using the highest classification level you have, because in most scenarios the highest classification level will demand controls that will be too much to protect the SoA.

    For further information see: Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
  • Anti-spam regulations

    We have received an additional question:

    >The GDPR does not directly regulate spam but it places consent as a condition for direct marketing in certain situations?

    Answer:

    The GDPR establishes the rules around consent and those rules need to be respected whenever using consent as your lawful grounds for sending the advertisement. The GDPR also allows for direct marketing based on legitimate interest.

    However, the GDPR does not say that direct marketing always constitutes a legitimate interest, and whether your processing is lawful on the basis of legitimate interests depends on the particular circumstances. Some forms of marketing may not be legitimate if they do not comply with other legal or ethical standards or with industry codes of practice. However, as long as the marketing is carried out in compliance with the e-privacy laws I mentioned previously and other legal and industry standards, in most cases it is likely that direct marketing is a legitimate interest.
  • AS9100: Audit questions

    This is a question best asked of your certification body as they will have some better insight into what they can and cannot accept for their own internal rules, however, generally these clauses are not possible to exclude from the QMS. Unless your QMS scope is design only, and you never will build anything, the certification body will need to have something to audit if build and test is part of your scope.

    I do understand that you are not yet using these processes as you are still in the design phase, but I believe the certification body will expect you to at least have the plans in place on what will be done for these clauses for your initial build, including having the procedures (clause 8.7 procedure is mandatory) and have identified the format of the required records for these processes. You may not have used them yet, so you will not have records created yet, but having them in their initial stages will be needed.

    Of course, it will be understood that these processes are expected to be updated and improved as you begin to use them, but having them in place will be necessary to include build and test in your QMS scope.


    You can learn a bit more from this related ISO 9001 article: Understanding product & service provision in ISO 9001, http://advisera.com/9001academy/blog/2014/10/07/understanding-product-service-provision-iso-9001/

  • ISO 45001: Worker involvement in improvement


    Answer:
    Clause 5.4 d, 9 requires that you consult non-managerial workers on continual improvement of the OHSMS. This entire clause is based on the fact that workers are the most immediate interested parties within your OHSMS as they are directly affected by your efforts to improve OH&S within the workplace. Additionally, continual improvement and involvement of people are two of the main principles behind all of the ISO management system standards, and the best way to identify improvement within the processes is through the use of the people involved.
    This requirement is pointing to the need to have workers involved in making the OHSMS better within your company to improve the processes and reduce the incidences of injury or ill health.

    For a better understanding of the worker participation and consultation requirements, see the article: How to meet participation and consultation requirements in ISO 45001, https://advisera.com/45001academy/blog/2016/03/16/how-to-meet-participation-and-consultation-requirements-in-iso-45001/
  • ISO 45001 Clause 4.1 & 4.2


    Answer:
    Clause 4 of ISO 45001:2018 is all about understanding the context of your organization, or in other words what affects your company, so that you can determine where and how the rules and policies will be applied. Clause 4.1 asks you to determine internal and external issues that affect your OHSMS, so what issues affect how you ensure a safe workplace. Internal issues could include the level of safety culture within your company and industry. External issues could include a push in your industry to eliminate a certain hazardous chemical, or the issue that a supplier will stop making a product that you use which is the safest product available and needs to be replaced with a more hazardous one.
    Clause 4.2 asks you to understand who is interested in your OHSMS and what their needs and expectations are. While workers are identified as interested parties and have the expectation that they will not suffer injury or ill health at work, there are other interested parties who will have needs to be fulfilled. This could include government agencies that have laws in place related to your workplace OH&S,
    For a better understanding of interested parties in ISO 45001, see the article: Determining interested parties according to ISO 45001, https://advisera.com/45001academy/blog/2018/03/14/determining-interested-parties-according-to-iso-45001/