  • Planning internal audit


    Answer:

    You do not have to audit your certified ISMS against all clauses each year. For certification purposes you only have to ensure that all ISO 27001 requirements have been audited at least once before the next certification audit. Considering that, you can audit only part of the requirements on each annual internal audit, provided that by the next certification audit all requirements have been audited at least once. It will be acceptable for surveillance audits.

    The best approach would be for you to check the surveillance audits schedule to verify which requirements will be covered by the next surveillance audit, so you can focus on them.

    These articles will provide you further explanation about internal and surveillance audits:
    - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
    - Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/
  • Describing ISO clauses


    Answer
    Normally, the paragraph is not mentioned. So, an auditor would refer to clause 4.4.1, item b).

    The following material will provide you information on writing audit nonconformities:
    - Article – How to write a good ISO 9001 audit nonconformity? - https://advisera.com/9001academy/blog/2018/04/24/how-to-write-a-good-iso-9001-audit-nonconformity/
    - ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Internal audit scope

    When performing an audit the auditor compares what is done in reality with the audit criteria:

    https://www.screencast.com/t/rH5tXS3gSnT

    Auditors go into reality, collect audit evidence and compare it with the audit criteria. From that comparison they develop audit findings. Audit findings indicate conformity or nonconformity.

    So, the internal auditor uses the procedure as audit criteria to set the reference and to develop their checklist. Then, using the checklist, the auditor verifies whether practices are according to the reference.
  • GDPR Data Controller or Data Processor

    Thanks a lot Andrei
  • Process, procedures and documentation


    Answer
    Let us start by the second question about the difference between processes and procedures. A process is a set of activities taken in order to achieve a particular end. A documented procedure is a written description about how to perform certain activity or activities. So, process and procedure are two different things. About the first question the answer is yes. One can document a 9001 process in a procedure but remember a process is much more than a procedure.

    The following material will provide you information on the process approach:
    - ISO 9001 – ISO 9001: The importance of the process approach - https://advisera.com/9001academy/blog/2015/12/01/iso-9001-the-importance-of-the-process-approach/
    - Free webinar on demand - The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/
    - Free course - ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • ISO 45001 Objectives and interested parties


    Answer:
    SMART is an acronym for the 5 things to consider when writing good goals or improvement objectives. S stands for specific so that you know exactly what you are trying to achieve. M stands for measurable, so that you can know if you have actually achieved the goal. A can stand for different things like achievable or agreed, but I like to use agreed because it is different from the next letter and it highlights that objectives need to be agreed in the organization. R is for realistic, so you are not trying for a target that cannot be reached in the time. T stands for time-based, so your objective needs to have a set timeline for achievement in order to make sure you can stay on track.

    For more information on writing good OH&S objectives see the article: How to define ISO 45001 objectives and plans, https://advisera.com/45001academy/blog/2018/12/04/how-to-define-iso-45001-objectives-and-plans/

    2) There is no good explanation for determining the interested parties (external); can you provide some explanation?

    Answer:
    The reason for identifying the interested parties is to determine what their needs and expectations are. These needs and expectations will become the requirements you need to comply with in order to have a good OHSMS, so you need to identify who the interested parties are in order to not miss any requirements. For instance, if there is a government agency who has OH&S laws you need to meet, they are an interested party and the requirements of the laws are the expectations. This can be done in many ways, but the result is to make sure you know all the expectations that will apply to your OHSMS before you implement, and then keep up to date on changing needs.

    For more information on interested parties, see the article: Determining interested parties according to ISO 45001, https://advisera.com/45001academy/blog/2018/03/14/determining-interested-parties-according-to-iso-45001/
  • Positive risks and opportunities


    An opportunity is something entirely different. An opportunity is something that you can CHOOSE to pursue, which may have associated risks. You may be subject to positive and/or negative risks if you choose to pursue the opportunity. Alternatively, you may be subject to positive and/or negative risks if you choose not to pursue the opportunity.

    For example, the sale of a lottery ticket is an opportunity. If you choose to pursue the opportunity and buy the lottery ticket, you are subject to a negative and a positive risk. The negative risk is that you will not win and lose the money you paid for the ticket. This has a high likelihood. The positive risk is that you will win the lottery. This has an extremely low likelihood.

    Answer:

    First, let's consider some definitions:

    ISO Guide 73, which defines a vocabulary for risk management, defines risk as "effect of uncertainty on objectives". This guide also notes that risk can be positive or negative, characterized by referring to potential events and its consequences, and the likelihood of their occurrence.

    For the Merriam-Webster dictionary, an opportunity is "a favorable juncture of circumstances" or "a good chance for advancement or progress". In short, an opportunity is a situation with a possible positive outcome.

    When we compare the above definitions, a "favorable juncture" refers to a positive effect and "circumstances" are events. Considering the other Merriam-Webster definition, "good chance" is a likelihood and "advancement or progress" refer to positive effects. Then, considering these definitions, opportunities can be a synonym for positive risks.

    Second, it is important to note that if you are exposed to a risk, negative or positive, once you are aware of it, you do have choices. You can choose to do nothing (alternatively called "accept the risk"), or you can work on elements of the risk to increase/decrease the chances of its occurrence and/or the impact it may have on you. Pursuing is one way to treat a positive risk/opportunity (also called "risk exploiting"). A joint venture is another way to treat a positive risk/opportunity, when you look for a partner that can help the positive risk to happen and share the reward.

    Considering your lottery example, if you do not buy a ticket you are not exposed to the risk (you do not have the opportunity to win). If you buy one ticket, now you have the opportunity to win (you are exposed to a positive risk). You can decide to do nothing more (not buying other tickets), or buy more tickets, and then you are pursuing the risk/opportunity, by increasing your chances (likelihood).
  • Inventory of assets

    My question is about the inventory of assets. We use ConnectWise Automate to keep an inventory of all our IT equipment, so can I just write in the Inventory of Assets document that “An inventory of all our IT hardware can be found in ConnectWise Automate”?
  • Legal requirements for ISO 22301


    Answer:

    Examples of legal and regulatory requirements for ISO 22301 are:
    - Service agreements with customers or suppliers
    - NFA Compliance Rule 2-38: Business Continuity and Disaster Recovery Plan (CFTC – Commodity Futures Trading Commission) (regulation)
    - IDA By-Law 17.19 – Business Continuity Plan Requirement (OSC (Ontario Securities Commission))

    Regarding details to be considered, you have to identify items like: requirements for the recovery time to be achieved (e.g., minimal business activities must return no more than 3 hours after a disruption), technologies or infrastructure to be used, etc.

    To see what a list of requirements looks like, I suggest you take a look at the free demo of this List of Legal, Regulatory, Contractual and Other Requirements at this link: https://advisera.com/27001academy/documentation/list-of-legal-regulatory-contractual-and-other-requirements/

    These articles will provide you further explanation about identification of legal requirements:
    - How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/ (although this article is about ISO 27001, the concept also applies to ISO 22301)
    - Laws and regulations on information security and business continuity https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/
  • List of ISO standards users


    Answer:

    Unfortunately, there is no central list of certified organizations (you must consult each certification body to track which companies are certified by them).

    However, the ISO site provides an ISO survey where you can find general information about certifications, like total quantity, quantity per country, quantity per industry, etc. It does not name organizations.

    You can find this survey at this link: https://isotc.iso.org/livelink/livelink?func=ll&objId=18808772&objAction=browse&viewType=1