Search results


  • ISO 27001 vs COBIT

    COBIT is certifiable only for people, although it can be used by organizations to help fulfill requirements from some ISO management standards, like ISO 20000 and ISO 27001.

    For further information, see:

    Regarding ISO, it does not certify organizations. Its purpose is to develop standards, and some of these are management systems standards, against which organizations can be certified by entities known as certification bodies. 

    For further information, see:

    • Accreditation vs. certification vs. registration in the ISO world https://advisera.com/blog/2016/02/29/accreditation-vs-certification-vs-registration-in-the-iso-world/

    • Method validation/verification

      It is through method verification of a standard method that the laboratory proves with objective evidence that it can perform the method and achieve the expected performance.

      How this can be achieved depends on the method technique. For example, for microscopic examinations, if you are the only technician (and hence know the makeup of the retained samples), get an independent person to issue the samples to you blind. If you don’t have samples across the range, try to identify another laboratory that does have samples, to do a bilateral study with. I can’t comment specifically on the method you describe as “random”. I suggest you engage with your accreditation body to see if they can assess it as part of their scope. If it is a method that involves certain activities, for example weighing or a complex calculation determination, then do what you can by breaking the method up into these activities and verify the activities you can, for example, competency to weigh accurately using certified calibration weights, and by validating complex calculations for determination of a parameter.

    • How to become good assessor for ISO 17025:2017?

      As the principle of auditing the management component of all quality management systems, including ISO 17025, involves the same approach and techniques, you could benefit from the Internal Auditor training offered by the ISO 9001 Academy. Have a look here for further information: https://advisera.com/training/iso-9001-internal-auditor-course. To strengthen your skills with ISO 17025 technical assessments, I suggest refresher self-learning on the purpose of ISO 17025 and its risk-based approach.

      The following will provide more information for you on auditing and ISO 17025:

      How to perform an internal audit using ISO 19011 at https://info.advisera.com/free-download/how-to-perform-an-internal-audit-using-iso-19011

      ISO 17025 document template: Internal Audit Procedure at https://advisera.com/17025academy/documentation/internal-audit-procedure/

      The five Internal Audit Procedure appendices (Internal Audit Program, Internal Audit Checklist, Audit Nonconformity Report, Internal Audit Process Checklist and Internal Audit Report) are available separately from the procedure link above, or included in the toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/

      Clause-by-clause explanation of ISO 17025:2017 at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025/

      The Book - ISO internal audit: A plain English guide at https://advisera.com/books/iso-internal-audit-plain-english-guide/


    • ISO 27001 single templates

      I’m assuming that by SABS you mean the South African Bureau of Standards, and that you are referring to SANS 27001:2015, whose requirements are exactly the same as those of ISO 27001:2013.

      Considering that, clause 4.1 of the standard does not require external and internal issues to be documented, so a template regarding this clause is not necessary.

      For further information about context and external and internal issues, see:

      Regarding clause 4.3, you can use the ISMS Scope Document template: https://advisera.com/27001academy/documentation/isms-scope-document/

      For further information about ISMS scope definition, see:

      • How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
      • Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
      • Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
      • How To Set ISMS Scope According to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/

      • Documentation request

        Please note that only some of these documents are mandatory for an ISO 27001 certified organization (e.g., ISMS scope and the Information Security Policy), while others will depend on whether you have implemented some specific controls (e.g., control A.9.1.1 – Access Control Policy requires an Access Control Policy to be documented), and others are not needed at all (e.g., Context of organization, ISMG Governance and Training Matrix).

        For a list of mandatory documents for ISO 27001-certified companies, please see:

        Considering that, unless this request from the customer is based on a contract or service agreement you have with that company, you do not need to have the documents not required by the main clauses of the standard, or by specific controls you implemented.

        You have to consider how important this customer is to you and based on this, decide if you will write these documents.

        Regarding the mandatory documents, you should sign an NDA with the customer before providing the documents.

      • Clause 4.1 in Conformio

        Please note that external and internal issues relevant to the ISMS can be evidenced in Conformio through:

        • The 'Register of legal, contractual and other requirements' module, which generates a document called "List of Legal, Regulatory and Contractual Requirements".
        • The 'Risk register' modules, which cover the processes of risk assessment, treatment, and management and generate a document: "Risk Assessment and Risk Treatment Report".
        • Both modules take into account external and internal issues for the definition of the mentioned documents.

        For further information, see:

      • How to implement ISO 45001 in developing countries and small medium scale industries?

        Hi, implementing ISO 45001 can be both rewarding and challenging due to limited resources, practical approach...

      • Question on risk assessment

        Please note that the purpose of the Risk Treatment Plan is to determine precisely who is responsible for the implementation of controls, in which time frame, with what budget, etc., so you do not need to present any risks in the Risk Treatment Plan.

        For further information, see:

      • ISO 45001 Future Changes

        Although I am not on the technical committee, and cannot say for certain what will happen, I can predict a bit from what I know. In general, the ISO technical committees will look at the standards about every 5 years to see what changes are needed. If we look at the oldest management system standard (ISO 9001), this followed the cycle of a major release (1987), minor changes (1994), a major change (2000), minor changes (2008), and then a major change in 2015 to align with other management system standards. So, following this, I would expect minor changes in the next revision of ISO 45001, but nothing major. This will also be delayed a bit due to the delayed transition from OHSAS 18001 because of the pandemic, and future major changes will likely be harder to do where they affect the alignment with other ISO management system standards or change how any management system utilizes the management principles (such as the process approach).

        In short, I don’t see any revolutionary changes to being ISO compliant in the next 5 years.

        For a bit more on the crucial management principle of the process approach, see the article:
