Answer: ISO 27001 does not prescribe that any record be kept in both electronic and paper form, so the only justification for keeping a record in both formats is a business or legal requirement demanding this specific situation. If such requirements do not exist, then you can keep a record only in electronic form.
2. Is it allowed to have all records in electronic form?
Answer: Considering answer 1, if you do not have business or legal requirements demanding records in paper form, you can keep all records in electronic form.
3. Security Procedures for IT Department, Erasure and destruction records; commission for the destruction of data: Is it okay to write "Records of erasure/destruction must be kept for all data that is stored on the server" (as an example) if I'm not implementing the Information Classification Policy?
Answer: In theory this is acceptable, but without information classification levels to decrease the need for such erasure and destruction records, you may end up spending more effort keeping such records than it would take to administer classification levels and adopt an Information Classification Policy.
4. Are there any specific requirements we must fulfill in order to have an adequate Training and Awareness Plan? Since the datacenter is the only location in the scope and it has adequate protection and security, I don't see a specific subject which the employees could gain knowledge about. All of them know the basic security principles; aside from that, they have a good understanding of how to assign and revoke access rights and such. A presentation concerning Security Awareness Training could be attended, but this would also include specific elements which are not relevant in the context of the scope.
Answer: The objective of the Training and Awareness Plan is to help ensure persons are competent on the basis of appropriate education and training, by mapping gaps to be eliminated. So, if your organization identifies that employees in the ISMS scope already have an acceptable level of competence, you can minimize the content of the plan (e.g., consider only awareness communication and refresher training).
5. Training and Awareness Plan: "the following awareness-raising methods must be applied: information day, intranet articles, newsletter, joint meetings, e-learning, internal e-mail messages, video recordings.". Is it possible to adjust this list? We don't 'need' all of these in order to ensure that everyone has the adequate knowledge and skills.
Answer: The list provided in the template is only a suggestion, so you can adjust it according to your needs, including or excluding activities.
6. Confidentiality Statement: Is it mandatory to implement this document? We do have our own NDA, but this does not cover labeling.
Answer: The confidentiality statement template included in the toolkit is not required if your organization already makes use of an NDA document, but if control A.8.2.2 Labeling of information is applicable, then you may have to adjust it so it is clear in the NDA how people can identify information classification levels, and thus handle information properly.
7. If the unacceptable risks for a particular control are being transferred to a third party, what do we write for this control in the Statement of Applicability? Technically there are unacceptable risks for the control (so I don't think we can state that there are no unacceptable risks), but they are being transferred.
Answer: In the scenario you stated, you must write that the control is applicable because there are unacceptable risks demanding its implementation, and in the implementation method column you can write that the defined treatment for related risks is "risk transfer" and that this control is being implemented by a third party.
Gathering information from suppliers
What are the mandatory resources we need to collect for review/risk assessment purposes from an application supplier/vendor?
Answer:
In a general manner you have these options to consider:
- Propose to sign a Non Disclosure Agreement to have access to their policies
- Ask for a general view only of these policies to see if they can fulfill your needs
- Ask them about how they handle your specific risks related to this critical application
If none of these alternatives is possible, you should consider whether the risk of taking over the application without this information is acceptable, or whether you should consider another supplier for this application.
Regarding mandatory resources to collect, ISO 27001 is not prescriptive. The information you will need will depend on the results of risk assessment and legal requirements your organization has to fulfill.
Based on risk assessment and legal requirements you can sign a service agreement with this supplier including security clauses that specify if the access to documentation is needed or not.
The first step to develop policies and procedures is to identify which requirements the policy or procedure must fulfill. For example, your organization may have contracts, laws, or regulations with clauses defining a specific approach for a governance solution. After identifying those requirements, you should consider the context of your organization regarding size, process complexity, and staff maturity.
ISO 27001 does not prescribe any specific set of names for an organization to use, so organizations are free to adopt whatever scheme suits them best.
The documents in the toolkit are organized in named folders and in a didactic implementation sequence that you can adopt for your file structure.
To understand the terms used by ISO 27001, we suggest you take a look at ISO 27000, which provides an overview and vocabulary for information security, at this link: https://www.iso.org/standard/73906.html
From this standard, you can find terms that you can apply in your naming scheme.
People and clause 7.1.2
Answer:
The standard requires that an organization has the persons considered necessary to effectively operate and control the quality management system.
For example, a hotel may establish that breakfasts must be served by a different number of employees as a function of the number of guests, a hospital may establish that a certain service must have a certain composition in terms of number of persons and professional categories, and a long-distance bus company may establish a crew composition as a function of the kilometers of the service. In other cases, legislation or regulation may establish the number of persons performing a role and their qualification.
Answer:
When I work with organizations in determining their risks, I use three perspectives:
I consider ISO 9001:2015 clause 4.4.1 – what can go wrong in each process
I consider ISO 9001:2015 clause 5.1.2b) – what can go wrong with products and/or services
I consider ISO 9001:2015 clause 6.1a) – what can go wrong with our intended QMS results, QMS objectives.
“Some managers even ask if quality objectives are the same as the performance objectives.”
Answer:
Yes, one can say that quality objectives are performance objectives.
“Can one process be used to meet several objectives?”
Answer:
Yes, one process can be instrumental to meet more than one objective. I like to make the relationship between objectives and processes very clear. That is why I recommend using a matrix like this one:
This way one can find that currently there is no process in place that can help the organization to meet Objective A, and that Processes 1 and 3 do not contribute to any quality objective.
“What is the main difference between process approach and risk management many people ask me.”
Answer:
The matrix above is a representation of the process approach. The intended results of an organization will be met through processes. There are no random results. If we don’t like current performance, we should act upon what we do, one or more of our processes. That is why in Quality there is the saying: Don’t blame the product (the result), blame the process (behind it). Risk management is about determining risks, evaluating them, deciding if some of them are significant, and acting to reduce, control or eliminate those significant risks.
ISO 9001 and documentation for a Construction Company
Answer:
I recommend you start by describing how the company works as a set of processes. Then, relate those processes with ISO 9001:2015 clauses.
When implementing a QMS I see it as a project with two work fronts: A and B.
A is about modeling how the organization works based on what is called the process approach. Describing an organization as a set of interacting processes.
See this generic example:
Then, for each process look for what can go wrong and should be improved, look for opportunities to take advantage, and see if ISO 9001:2015 requirements are already being met. Describe those processes in order to standardize your work.
B is about where the organization is going. It is about strategic orientation, objectives and plans to meet them. It is about overall risks and opportunities and what to do to manage them.
“(2) How to define SOPs, KPIs and necessary documents?”
Answer:
ISO 9001:2015 clause 4.4.2a) gives a lot of freedom to organizations about which documents to create. That will be a function of the complexity of your organization, of the experience and turnover of your employees, of the requirements of customers, and of current performance challenges.
As we now move towards an ISO 13485 QMS in addition to our existing ISO 17025, and maybe more QMS will follow, we face the problem that so far we are doing everything manually: print, sign, scan, etc. The more documents we have, the more probable it is that we will miss something. Any suggestions from your experience on how to simplify this work, or how companies with several QMS systems deal with this problem? I have seen that you speak about Conformio; would this be a solution, or are there other suggestions?
Answer:
The folder structure is meant to give you a base to organize the QMS and to provide you with ease of accessibility and retrieval during the actual audit. So you can build the structure either way, depending on which suits you better in terms of organization, as long as you have the appropriate documentation in place to comply with ISO 13485.
The notified body does not usually meddle with how the company organizes the folder structure, so it is only important that you can provide the documentation when asked for it by the auditors.
Advisera has a platform known as Conformio which is a compliance implementation and maintenance platform that has a document management component that was purpose-built to support the certification process. It has a simple and user-friendly Document management system incorporated. You are able to upload, download, edit and delete your files, create new ones and sort them in folders which you can also add and manage. We will be happy to give you a tour if you are interested, please just let us know.
Identifying controls for internal audit
1. e.g. I need to audit an e-health software named X, for instance; which controls do I need to use? Let's say that I need to audit the authentication, failover, vulnerability patching, data leaking, privacy, compliance for GDPR, etc., or even physical security. Every questionnaire contains a checklist of "27k2" questions. However, which questions from Chapters 5-18 do I need to use? All? Or only the ones that are applicable? But how do I know which ones, or which controls, are applicable or aren't applicable? I'm really lost.
Answer:
The main guidance to identify which controls to audit is the Statement of Applicability document. This document will inform you which controls were identified as applicable to this software, along with a general overview of the implementation approach and the implementation status. From the identified controls you can identify on the internal audit checklist which questions you should ask in your audit of this software.
Answer:
Did your organization introduce new services in the last 5 years? For example, if a new epidemic appears, will your organization supply a new prevention and control service? If new legislation requires changing the service specifications, how will your organization plan and introduce those changes? If your answer is yes to one of these questions, ISO 9001:2015 clause 8.3 is applicable.