Answer: First it is important to note that the number of applied controls does not have a direct correlation with the number of treated risks. You can have scenarios with many risks treated by few controls, as well as scenarios with few risks treated by a large number of controls. This all depends on the organization's context, the legal requirements to be fulfilled and the business objectives.
Considering that, to justify that a control is not applicable you should first verify that there are no unacceptable risks that justify the implementation of the control, and that there are no legal requirements demanding its implementation. If both situations occur, you can state in the SoA that the control is not applicable.
2. Controls of A.16 and A.17: These controls can be applicable to each risk, more or less, since you should document each disaster, and aside from that it's important that your business still runs after a disaster. Is it okay to write at each control of A.16 that there is a legal requirement (GDPR) that requires us to do so? As for the controls of A.17, is it okay to write that this is a management decision? (In this case we would basically not link them to any specific risk.)
Answer: Both justifications you presented for applying the controls you mentioned are valid (demanded by a legal requirement or by a top management decision).
Auditing a production area
Answer:
When I audit a production area, I want to see evidence of:
Operating parameters are defined and monitored, and the process is being controlled;
SOPs, if defined, are available and are being followed;
Production and quality control records are being made;
Non-conforming products are removed, identified, corrected or destroyed;
Traceability is in place and working for machines, people and raw materials;
Machines and other equipment have preventive maintenance according to plan;
Operators are competent;
Cleaning processes are in place and validated.
Answer:
When organizations want to include 5S as part of the QMS, I include it as a way of complying with clause 7.1.4 of ISO 9001:2015, and it is included in the initial training for new employees.
Broadly speaking, to implement ISO 27001 an organization has to:
- Obtain top management support
- Define and document a scope based on the needs and expectations of interested parties relevant to information security
- Define, document and communicate an information security policy
- Define roles and responsibilities relevant to operation and management of information security
- Define a risk assessment and treatment methodology
- Define and allocate competencies and resources for the operation and management of information security
- Implement risk assessment and risk treatment
- Operate the security controls and generate the necessary records
- Measure, monitor and evaluate the information security performance
- Implement corrections and improvements
To increase the chances of success, it is important that the persons involved have experience in project management and knowledge of the standard.
With this demo you can see what the mandatory, and most commonly used, documents for implementing ISO 27001 look like; they may give you insights to help with your implementation.
Template content - awareness and training
"Job title or name" - which department or employee is meant? The one who trains or the one who is being trained?
The comment beside it doesn't really help in that case.
Answer:
First of all thanks for this feedback. The column "Job title or name" refers to personnel who must be trained.
Risks and ISO 22301
Answer:
First it is important to note that ISO 22301 does not focus on risk management, but on business continuity. The objective of this standard is to ensure the continuity of processes and delivery of services after a disruptive event. Risk management is one approach to achieving this objective, through the identification and treatment of risks that can lead to a disruptive event, but the standard itself does not define which risks are to be treated or how to identify and treat them, only that this activity must be performed.
For detailed information about risk management you should consider the ISO 31000 standard.
Although the last article mentions ISO 27001, the concepts of ISO 31000 included in the article are also applicable to ISO 22301.
BCM policy and a DR policy
Answer:
First it is important to note that both the Business Continuity Management (BCM) policy and the Disaster Recovery (DR) policy are top-level documents, covering management intentions. For operational purposes, i.e., detailed step-by-step activities and responsibilities, you also have to consider Business Continuity (BC) plans and Disaster Recovery (DR) plans.
Considering that, the Business Continuity Management (BCM) policy is the more comprehensive document, covering management intentions regarding keeping processes and services running at minimum agreed levels after a disruptive event and returning them to normal operation as quickly as possible, while the Disaster Recovery (DR) policy focuses on management intentions regarding only the recovery of infrastructure (e.g., physical and IT infrastructure).
Regarding documentation, you can have a single document covering both issues, with the DR policy being a section of the BCM policy.
First it is important to understand that any control from ISO 27001 Annex A is mandatory only if at least one of the following occurs:
- There are unacceptable risks that justify the application of the control
- There are legal requirements (e.g., laws or contract clauses) with which the organization must comply and that demand the application of the control
- There is a Top Management decision to implement the control, by considering it as good practice.
If none of the above conditions applies, there is no need to implement the control.
Considering that, in our experience a certified ISMS generally implements up to 80 of the 114 controls listed in ISO 27001 Annex A.