You can create a procedure to ensure control over the creation, approval, distribution, usage and updates of documented information (documents and records) used in your Quality Management System. Here is an example of a procedure; you can download a free preview of it - Procedure for Document and Record Control: https://advisera.com/9001academy/documentation/procedure-document-record-control/
Answer: First, it is important to understand that for ISO 27001 a "need" is based on the results of the risk assessment. Considering that, you only have to physically separate your scope if there are unacceptable risks related to keeping a single environment.
2. Our staff always have meetings and they always need to sit and discuss and collaborate on certain tasks and projects that happen between different departments. Shutting down the entrances and closing all the doors between the departments and limiting access will hinder the workflow and coherence of the company. Is there another way around that? Or is the policy very clear and very strict in terms of physical isolation of the departments that are in the scope from the rest of the company? In case it was very strict and isolation measures need to be implemented, would magnetic see-through doors with swipe cards to isolate the departments that are in scope from the rest of the company be sufficient? I found this article on your website: https://advisera.com/27001academy/blog/2015/03/23/physical-security-in-iso-27001-how-to-protect-the-secure-areas/
Answer: The same previous answer applies here: you only need to limit access to the scope if there are unacceptable risks that must be treated. In case you indeed have to limit access, you can use the alternative you mentioned (i.e., swipe cards) if it does lead to unacceptable risks.
3. But I would greatly appreciate it if there are more detailed articles about physical security that you might be able to share with me, especially for organizations that are only certifying part of their services.
2- Market value, and if I complete that, would I be certified straight away after passing the exam?
Answer: Yes, you get your certificate right after the exam.
3- Would my certificate have an expiry or renewal requirement?
Answer: No, they don't. I would recommend renewing the certificate once the new revision is published.
4- Do I have to look for some specific organization with some specific accreditation to take that training?
Answer: No, no specific company.
5- If a company says they don't have APMG accreditation, and instead for ISO courses they have global recognition to accredit themselves – what would that mean?
Answer: That also depends on the market you cover (local vs. global). Read the article to learn more: “Qualifications for an ISO 27001 Internal Auditor” https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/
Performing audits
Answer: Certification audits are conducted according to these stages:
- Documentation review: at this stage the auditor checks if all mandatory policies, procedures, plans and records are in place.
- Main audit: at this stage the auditor, by means of techniques such as observation, interviews and log review, checks if processes and personnel are performing according to what is documented. It is at the end of this stage that any identified non-compliance is raised.
- Surveillance visits: once you get certified, you have to keep the system working during the three-year certification period. To ensure that, an auditor will come periodically to check if the system is in place and ask for adjustments when needed.
2. What does one take into account when planning for the audit as an auditor?
Answer: The certification auditor has to develop the audit plan to make sure that all documents are compliant with the standard's requirements and that everyone is complying with all the implemented documents. The auditor can do that by developing a checklist to help them ask for the necessary documents and records, as well as to decide which processes to observe and which people to interview.
The most important criteria you have to adopt for defining the ISMS scope are:
- which information you want to protect.
- where this information flows, and where it is processed and stored.
- the effort to keep the environment you want to protect separated from the rest of the environment.
For example, for organizations of up to 50 employees it is normally easier to define the whole organization as the ISMS scope. In your case, if the information is contained in specific departments, it may be easier to define only these departments in the scope (if not, then you should define the whole organization as the ISMS scope).
Regarding the remote workers, normally you do not control the environment where they are, so these are kept out of the scope, and you treat remote access as a risk in your assessment.
Answer: The order of implementation will depend on your needs. If your priority is information protection, then you should go first for an ISMS. On the other hand, if your priority is to ensure process and service delivery under disruptive conditions, then you should go first for a BCMS. It is important to note that if you use as the basis for these systems the standards ISO 27001 (for information security) and ISO 22301 (for business continuity), you can implement parts of these systems simultaneously, because they have many requirements in common.
2. What are the step-by-step guidelines if I need to implement both?
Answer: In a general manner, you have these steps:
- Obtain management support
- Develop a project plan
- Define scope (related to each standard)
- Define top level policies (related to each standard)
- Define basic management system procedures (common to both standards)
- Develop specific policies and procedures (related to each standard)
- Implement policies and procedures and train personnel
- Perform internal audit
- Perform management review
- Proceed with corrective actions
The ISO 27000 series does not have a standard describing the Document Management setup/workflow. ISO 27001 only defines what must be fulfilled (e.g., documents must be approved, be available to users, etc.). There are other ISO standards that can provide requirements you can use to set up and elaborate the workflow of a DMS (e.g., ISO 15489 Information and documentation – Records management).
If you want to see what a document management system looks like, I suggest you take a look at our platform Conformio at this link: https://advisera.com/conformio/
Conformio has a set of functionalities for DMS that are fully compliant with ISO 27001, besides other features that can make it easier to implement and manage an ISMS.
Answer: All our templates from our ISO 27001 Toolkits, including the templates for risk assessment and risk treatment, are fully compliant with requirements of ISO 27001.
At this link you can see all templates that cover the risk assessment and risk treatment process: https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/
- Risk Assessment and Risk Treatment Methodology
- Risk Assessment Table
- Risk Treatment Table
- Risk Assessment and Treatment Report
- Statement of Applicability
- Risk Treatment Plan
2. What precautions should be taken to avoid getting a Non-Conformity on this?
Answer: Key points to pay attention to when performing risk assessment and risk treatment are: to consider the proper inputs (e.g., legal requirements, scope and policy, etc.), so you do not leave any relevant area of your system uncovered; to cover all the assets in the ISMS scope during the risk assessment (if you decide to use the asset-based approach); and to ensure your risk evaluation and treatment options are aligned with your risk acceptance criteria.