  • Several questions about toolkit documents


    Answer: First, it is important to note that you have to define a list of special interest groups only if you have a requirement demanding this list (e.g., an unacceptable risk, contract, law, etc.).

    Considering that, special interest groups refer to persons or entities you must contact in specific situations (e.g., report an incident to a law enforcement authority, ask for information about equipment from a supplier, etc.), so you need to identify them. Only referring to regulations you must comply with will not be sufficient, either because they may not define which persons or entities must be contacted, or because, by referring only to the regulations, a user looking for such a contact will still have to search for it in the referred document, delaying any activity which requires this information.

    For additional information see:
    - Special interest groups: A useful resource to support your ISMS https://advisera.com/27001academy/blog/2015/04/06/special-interest-groups-a-useful-resource-to-support-your-isms/

    2. Backup procedure: Is it enough to define this in the 'Security Procedures for IT Department', I saw that there's also a section in the 'IT Security Policy'.

    Answer: Please note that these two documents have different target users. While the 'Security Procedures for IT Department' defines the backup procedure to be performed by IT personnel, considering the backup of systems information used by the organization, the 'IT Security Policy' defines the backup procedure to be performed by general users regarding the information stored on their own computers, so you have to define procedures in both documents.

    3. Confidentiality Statement: Is this document useful without a reference to the Information Classification Policy?

    Answer: To be useful without referring to the Information Classification Policy, the Confidentiality Statement must contain in its clauses the definition of which information must be protected, how it can be identified (i.e., labeling rules), and how it must be protected.

    4. IT Security Policy & Security Procedures for IT Department: Are Information Transfer / E-mail and other message exchange methods relevant in the context of the scope? The scope is limited to the datacenter, so all the operations in the office are not included in the scope.

    Answer: Even if the scope is limited to the datacenter, the processes and services running inside it still exchange information with elements outside the datacenter, so you have to consider this exchanged information when developing the IT Security Policy & Security Procedures for IT Department.

    5. IT Security Policy: Is the clear desk and clear screen policy relevant in the context of the scope? The scope is limited to the datacenter, so all the operations in the office are not included in the scope.

    Answer: Information processed in the datacenter is still accessed by operators through remote connections, so the clear desk and clear screen policy must be developed considering these users (e.g., "datacenter operators, even when working remotely, must lock their screen if they will be absent from their workplace").
    For additional information see:
    - Clear desk and clear screen policy – What does ISO 27001 require? https://advisera.com/27001academy/blog/2016/03/14/clear-desk-and-clear-screen-policy-what-does-iso-27001-require/

    6. Security Procedures for IT Department, [Name of change record] - in electronic form: Does the name of this record have to be the name of something specific which is part of an information system, or can I just call it "Change records" to refer to all the change records?

    Answer: There is no need to have specific names for different change records. You can refer generally to these records as "Change records", and specify in the Storage location column "The system where the change record was created". This way you create a link between the record and the system where it is used.
    For additional information see:
    - Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/

    7. Records in general: Do I have to store some of the records in the intranet, or is it also allowed to store this on the laptop of a responsible person?

    Answer: ISO 27001 does not prescribe where to store records, so you can define the storage location as best fit for your organization.

    8. Difference A.12.5.1 and A.12.6.2

    Answer: Control A.12.5.1 (Installation of software on operational systems) refers to the implementation of procedures to control software installation in general, used by IT staff and general users, while control A.12.6.2 (Restrictions on software installation) refers to rules specific to non-IT personnel regarding which software they can install.

    For example, you can have a procedure for installing antivirus software (which fulfills control A.12.5.1) that may define that all employees can install antivirus software, or that only IT personnel can install it (this rule in the procedure fulfills the control A.12.6.2).

    9. Do documents have to be signed?

    Answer: Only printed documents must be signed. For electronic documents other means may be defined to evidence that a document is approved (e.g., log or status in a document management system, or an approval email sent by the document owner).

    10. Corrective Action Form: Is it a problem if this isn't filled in by the day of the audit?

    Answer: The corrective action form can be filled in after the day of the audit, but it is recommended that this does not take too long to be done, because this action may be forgotten considering daily activities, and depending on the action required, any unneeded delay may be considered a failure to fulfill a system requirement, which may bring problems in a certification or surveillance audit.

    11. If you transfer a risk to a third party, how can you justify this in the Statement of Applicability for the associated controls?

    Answer: Please note that in the SoA you need to justify only whether a control is applicable or not (e.g., by stating there is an unacceptable risk, legal requirement, or top management decision requiring the implementation of the control). There is no need to justify the treatment to be applied (in this case you do not need to justify why you transferred the risk to a third party instead of mitigating it yourself).
    For additional information see:
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

    12. What could be a good reason to not implement control A.14.1.1 / to accept the risks associated with control A.14.1.1?

    Answer: Justifications to be considered to not implement a control are:
    - There are no unacceptable risks or legal requirements demanding the control implementation.
    - Identified risks are acceptable under risk acceptance criteria.
    - The costs required to implement the control are greater than the costs involved if the risk occurs.
    For additional information see:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    13. Is it really obligatory to implement the Confidentiality Statement in the toolkit? The company implements an addendum in each contract, is this suitable?

    Answer: If this addendum your company uses can fulfill the requirements for ISO 27001, or can be adjusted to be compliant with the standard, then there is no need to implement the Confidentiality Statement that comes in the toolkit.
  • Developing documents for ISO 27001


    Answer:

    To develop such documents, I suggest you consult these materials:
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
    - Seven steps for implementing policies and procedures https://advisera.com/27001academy/knowledgebase/seven-steps-for-implementing-policies-and-procedures/
    - 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
    - How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/the-basics-of-risk-assessment-and-treatment-according-to-iso-27001-free-webinar/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Quality control versus quality assurance


    Answer:
    Quality Control results allow verification of Quality Assurance effectiveness. Regardless of your operation's size, your company should plan the required Quality Control from raw materials reception, through production, to the final product: what to control, by whom, with what frequency, with what specifications, and with which monitoring resources. "Required" means required by your company's experience, or by clients, or by standards, or by regulation, or by the competition's performance.

    Quality Assurance and Quality Control are interrelated. Quality Assurance is about how a process is performed or how a product is made, while Quality Control is about the inspection aspect.

    The following material will provide you information about quality control and measurement:
    - ISO 9001 – How to use quality control tools to improve your QMS - https://advisera.com/9001academy/blog/2017/04/18/how-to-use-quality-control-tools-to-improve-your-qms/
    - Free webinar – Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Roles and competencies


    Answer: ISO 27001 does not prescribe who must be responsible for internal audit, so considering the size of the organization, the CEO can be the owner of internal audit process.

    2. Can an intern perform the internal audit? In that case, who will become the owner of the internal audit?

    Answer: The main criteria to perform an internal audit are competence, which can be evidenced by means of knowledge (e.g., certificates), education (e.g., training) or experience (e.g., records of previously performed audits), and impartiality (an auditor cannot audit his own work). If you can demonstrate that the intern has the necessary competence, and he does not audit his own work, he can perform the internal audit. Regarding the ownership of the internal audit process, in this case, considering the person is an intern, you should consider a full-time employee to be the owner (including the CEO, as stated in the first answer).

    These articles will provide you further explanation about roles and responsibilities and internal audit:
    - Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
    - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
  • Template content


    Answer:

    Your understanding is correct. The "deadline" column refers to the date by which your organization will have to be compliant with the identified requirement (in your example, the date by which your organization will have to be compliant with requirements related to GDPR).
  • Supporting ISO 27001 certification


    Answer:

    To support an ISO 27001 implementation you should consider these certifications:
    - ISO 27001 Lead Implementer – this certification recognizes people who have competency on the ISO 27001 implementation process.
    - ISO 27001 Internal Auditor – this certification recognizes people who have competency on auditing an ISMS against ISO 27001 requirements, thus providing more confidence to an organization for being certified.
    - ISO 27001 Lead Auditor – this certification recognizes people who have competency on auditing an ISMS against ISO 27001 requirements, and want to become certification auditors (work for certification bodies).

    For ISO 27001 there is no such role as "implementer auditor".

    So, considering your customer needs, you should consider the ISO 27001 Lead Implementer course, which will provide you more information about the whole implementation process.

    These articles will provide you further explanation about ISO 27001 personnel certifications:
    - What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/

    For courses related to these certifications, please see:
    - ISO 27001:2013 LEAD IMPLEMENTER COURSE https://advisera.com/training/iso-27001-lead-implementer-course/
    - ISO 27001:2013 INTERNAL AUDITOR COURSE https://advisera.com/training/iso-27001-internal-auditor-course/
  • File Format for ISO 45001


    Answer:
    The ISO 45001:2018 requirements do not dictate how you will file documentation; this is something that you decide for yourself to best meet the needs of your company. You are not required to match your documentation formatting or numbering to the standard, and there is nothing saying how you will identify or format your filing system. You do not even need to change from what you are doing already. The important thing is to make sure that you file everything that is needed in a manner that is best for your company to use and improve. The OHSMS is there for your company to benefit from, so organize it in the manner that is best for you.
    For a better understanding of the transition process, see the whitepaper: Twelve-step transition process from OHSAS 18001 to ISO 45001, https://info.advisera.com/45001academy/free-download/twelve-step-transition-process-from-ohsas-18001-to-iso-45001
  • ISO 45001: SWOT for risks and opportunities


    Answer:
    A sample SWOT analysis is difficult because this tool is very specific to the organization. The strengths, weaknesses, opportunities and threats change from company to company and industry to industry. Even the format of this tool is not common, since it can be a table, or even just a listing for the 4 sections. It is also important to remember that the ISO 45001 standard does not require a SWOT analysis, just an assessment of risks and opportunities. This is only one tool to identify the risks and opportunities for your OHSMS.
    So, while you need to decide the information for each section of the analysis for your organization, some examples could include:
    Strengths: You have a highly engaged workforce focused on OH&S
    Weaknesses: You have a lot of accidents/incidents which you need to work on preventing.
    Opportunities: You have a supplier that has developed a new chemical which is less hazardous, and could be used in your process.
    Threats: A supplier is discontinuing a chemical you need, and the easy replacement is more hazardous.

    For more on the requirements for risks and opportunities, see this blog post: What are the new requirements for risks and opportunities according to ISO 45001?, https://advisera.com/45001academy/blog/2018/04/25/what-are-the-new-requirements-for-risks-and-opportunities-according-to-iso-45001/
  • Validating product spec


    Answer:
    If an organization publishes a performance spec for a product it must validate its ability to comply with it. Check ISO 9001:2015 clauses 8.3.3, 8.3.5 and 8.6.

    The following material will provide you with information about a performance spec for a product:
    - The ISO 9001 Design Process Explained - https://advisera.com/9001academy/blog/2013/11/05/iso-9001-design-process-explained/
    - ISO9001 Design Verification vs Design Validation - https://advisera.com/9001academy/knowledgebase/iso9001-design-verification-vs-design-validation/
    - Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Internal Audit


    Answer:

    Yes, this terminology has to match. For more about internal audit, please read this article:
    Five Main Steps in an IATF 16949:2016 Internal Audit
    https://advisera.com/16949academy/knowledgebase/five-main-steps-in-an-iatf-169492016-internal-audit/

    If you want to know more about how to make an internal audit checklist for IATF 16949, take a look at this article:
    How to make an Internal Audit checklist for IATF 16949:2016
    https://advisera.com/16949academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iatf-16949/