
  • Secure email usage


    Answer:

    For a policy template that covers secure email usage, I suggest you take a look at the free demo of these templates to see if they can fulfill your needs:
    - Bring Your Own Device (BYOD) Policy: https://advisera.com/27001academy/documentation/bring-your-own-device-byod-policy/
    - Mobile Device and Teleworking Policy: https://advisera.com/27001academy/documentation/mobile-device-and-teleworking-policy/
    - IT Security Policy: https://advisera.com/27001academy/documentation/it-security-policy/
  • Implementing ISO 27001 information security risk management


    Step 1: Identify the internal and external issues in our company
    Step 2: Identify the risks and opportunities that would arise from each internal and external issue
    Step 3: Bring the risk items identified during "step 2" to risk assessment
    Step 4: Devise a separate plan to utilize the opportunities.
    Step 5: Develop the risk treatment plan.

    Answer:

    To be compliant with ISO 27001 the risk management must follow these steps:
    - Definition of a risk assessment and treatment methodology
    - Performing of risk assessment (risk identification and risk analysis)
    - Performing of risk treatment (risk evaluation and controls selection)
    - Elaboration of a risk treatment report
    - Elaboration of Statement of Applicability (SoA)
    - Elaboration of Risk Treatment Plan and acceptance of residual risks

    To see what a risk assessment and treatment process looks like, I suggest you take a look at the free demo of our ISO 27001/ISO 22301 Risk Assessment Toolkit at this link: https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/

    This article will provide you further explanation about implementing risk management:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/

    These materials will also help you regarding risk assessment:
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
  • Internal audit planning


    1. Shouldn't I review all the company's ISMS documents prior to creating the audit plan, or is this not necessary for a Full System ISMS Internal Audit? The company advises me that there will be approximately 160 documents which they're expecting me to review during the scheduled audit, which they've estimated to take 5 days based on other audits they've had in the past. My understanding from the training is that I should review all their documents first, then develop the audit plan, although it's not an ISMS mandatory document by the standard.

    Answer: First it is important to note that ISO 27001 does not prescribe the steps for performing an internal audit, only that it must be performed periodically, and its expected inputs and outputs. Considering that, the review of ISMS documents is not mandatory.

    The review of ISMS documents prior to developing the internal audit plan is useful for you to identify situations specific to your organization that you should look for (e.g., the name of a record, the periodicity of a task, etc.), but not being able to review all documents should not be an impediment for you to plan your internal audit. In this case you should focus on documented information required by the main clauses from the standard (from sections 4 to 10), and on documents and methods of implementation defined for controls from Annex A stated as applicable in your Statement of Applicability (SoA), and make an observation that some specifics of your organization may not be properly audited, and that there is a risk that nonconformities related to them may be found during the certification audit (this is a risk that your management has to accept if you do not have time to review all documents).

    Examples of minimal documents you must include in your review are the ISMS scope, ISMS policy, risk assessment and treatment report.

    This article will provide you further explanation about mandatory documents for ISO 27001:
    - List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

    One additional thing we should mention is that 160 documents for an ISMS is a very uncommon quantity for a set of documents (for small and medium-sized companies the set of documents would be no more than 40 to 50), so you may have room for improvement by decreasing the quantity of documents.
  • SMART objectives are someone's responsibility


    Answer:

    Both requirements can be matched without contradictions. For example, consider the following quality objective:

    We want to reduce machine A's defect rate by 10% in the next 45 days.

    Who will be responsible for meeting this objective?
    Supervisor A will be responsible for leading a team that will work to meet this objective

    The following material will provide you more information about objective definition:
    - ISO 9001 – How to Write Good Quality Objectives - https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
    - Check the free preview of ISO 9001 document template: Quality Objectives - https://advisera.com/9001academy/documentation/quality-objectives/
    - free online training ISO 9001:2015 Foundations Course – https://training.advisera.com/course/iso-90012015-foundations-course/
    - book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • ITIL


    Answer:
    To get a basic understanding of ITIL, I suggest you read the following text: “What is ITIL®?” https://advisera.com/20000academy/what-is-itil/
    Implementation includes processes, organizational change, technology (management and e.g. an IT Service Management tool), etc. These articles can help you:
    - “Ready, steady… go – Starting ITIL implementation” https://advisera.com/20000academy/blog/2014/06/10/ready-steady-go-starting-itil-implementation/
    - Considerations before ITIL implementation https://advisera.com/20000academy/blog/2014/05/21/considerations-itil-implementation/?icn=free-blog-20000&ici=top-considerations-before-itil-implementation-txt
    - 5 things to beware of when selecting an ITSM tool https://advisera.com/20000academy/blog/2016/03/08/5-things-to-beware-of-when-selecting-an-itsm-tool/
  • ISO 45001 Interested parties, Scope and the OHSMS


    Answer:
    You have asked about some very important elements in the OHSMS. Clause 4.2 (need & expectations of workers and interested parties) requires that you identify any parties (people, organizations, agencies) that have an interest in your OHSMS and determine what their expectations are. What do your workers need? What are the expectations of the OH&S laws you need to meet? Then you need to determine which of these expectations are legal or other requirements you need to comply with. This does not need to be written down, but it is definitely helpful to do so as it needs to be reviewed regularly.
    Clause 4.3 (Scope of the organization) needs to define the boundaries and applicability of the OHSMS. In other words, exactly where do the rules, policies and processes of your OHSMS apply? This does need to be written down, and will be used by your certification body to know where they must audit. You can learn more in this article: How to determine scope of the OH&SMS, https://advisera.com/45001academy/blog/2015/12/09/how-to-determine-scope-of-the-ohsms/
    Finally, Clause 4.4 does not require any specific documentation, but instead refers to everything you put in place to meet ISO 45001 and your requirements. The clause states you need to establish, implement, maintain and continually improve your OHSMS. This means you need to define what the processes will include (establish), make sure everyone using the process understands the requirements (implement), keep this up by training new people who come on board and ensure changes are understood (maintain), and finally to make the processes better over time (continually improve).
    To help make sure you have all the required documentation in your filing checklist, you can see the free whitepaper: Checklist of Mandatory Documentation Required by ISO 45001, https://info.advisera.com/45001academy/free-download/checklist-of-mandatory-documentation-required-by-iso-45001
  • Residual risk


    Answer:

    First it is important to note that ISO 27001 does not define what residual risk means, nor how it is determined.

    However, consulting ISO 27000, which presents the vocabulary for information security management systems and is referred to in section 3 of the standard, residual risks are the risks remaining after risk treatment.

    Considering that, the auditor's statement is not correct, because at the point where residual risk acceptance is required (after approval of the risk treatment plan) some controls may not have been implemented yet, so calculation of residual risk is the only way for decision makers to have an estimate of whether the selected controls are sufficient.

    Maybe what the auditor was trying to say is that you cannot take a calculated residual risk as real until you measure the effects of the implemented controls. You can consider it at most an expected residual risk until the first measurement and evaluation of controls' effectiveness, which will validate your calculation or not.

    This article will provide you further explanation about residual risks:
    - Why is residual risk so important? https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
  • Implementing an EMS?


    Answer:

    Implementing an environmental management system according to ISO 14001 is a voluntary decision and it’s a management decision. Your organization should evaluate the cost-benefit of that decision. To be certified, all ISO 14001 clauses should be considered.

    The following material will provide you information about implementing an environmental management system:
    - 6 Key Benefits of ISO 14001 - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/6-key-benefits-of-iso-14001/
    - Free webinar - ISO 14001: Identification and evaluation of environmental aspects - https://advisera.com/14001academy/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar-on-demand/
    - Free ISO 14001 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - Free online course - ISO 14001:2015 Lead Implementer Course - https://advisera.com/training/iso-14001-lead-implementer-course/
    - Book – The ISO 14001 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
  • Report writing for certification

    We've received additional questions:

    > 1. Hi, I need further information about ISO 13485 report writing. How many reports should be given to the client for one ISO 13485 certificate?

    Answer:
    I assume that by "how many reports should be given to the client for one ISO 13485 certificate" you mean how many reports the certification body provides to the client after the certification audit is finished. If that was your question, then this is the answer to it.
    - The number of reports depends on the certification body's rules. Some certification companies have one report, while others have two: Management Summary and List of findings.

    If I misunderstood the question, could you please provide some clarification? Thank you in advance.

    > 2. Lead auditor must be responsible to prepare the report but, how about technical expert part?

    Answer:
    The lead auditor is responsible for preparing and finalizing the report. The technical expert completes only the part related to the area that he audited.

    > 3. Does it make sense if the audit and report (summary certification report) shall be covered by only one auditor?

    Answer:
    Yes, the audit report can be covered by the lead auditor alone. He is responsible for it. But, if there is a technical expert in the audit team, it should be mentioned somewhere in the report.

    For more details on what the certification process looks like, what the phases of the certification audit are, what the auditor can and cannot do, and how to solve nonconformities from the certification audit, please take a look at the following material:
    What to expect at the ISO certification audit: What the auditor can and cannot do
    https://info.advisera.com/free-download/what-to-expect-at-the-iso-certification-audit
  • Electronic signature for ISO 13485 documentation


    Answer:
    Simple Adobe Sign is enough. ISO 13485 does not dictate the form of signature used. Companies can use electronic documents even without a digital signature; it is sufficient to prove that the authorized person has approved them through email or a document management system.