Search results

Home / Search

Category:

Sort by:

Select

Types of user:

Select

11269 results

Guest

Create New Topic As guest or Sign in

Business department* About business* Organization size*

Title *

Body *

HTML tags are not allowed

Category *

Select

Assign topic to the user

Select user

Internal Auditor
Answer:
If you need to do activities related to internal audit (e.g. plan/prepare for/conduct) or you want to work and develop your career in this area – YES. Find out more in the article (although ISO 27001 – it's applicable on ISO 20000 too) “ISO 27001 Internal Auditor training – Is it good for my career?” https://advisera.com/27001academy/blog/2016/03/29/iso-27001-internal-auditor-training-is-it-good-for-my-career/

2- Market value and if I complete that, would I be certified straight away after passing the exam?
Answer: Yes, you get your certificate right after the exam.

3- Would my certificate have an expiry or renewal requirement?
Answer: No, they don't. I would recommend renewing certificate once the new revision is published.

4- Do I have to look for some specific organization with some specific accreditation to take that training?
Answer: No, no specific company.

5- If a company says they don't have A PMG accreditation, instead for ISO courses they've global recognition to accredit themselves – what would that mean?
Answer: That depends also on market you cover (local vs. global)Read the article to learn more “Qualifications for an ISO 27001 Internal Auditor” https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/
Performing audits

Answer: Certification audits are conducted according these stages:
- Documentation review: at this stage the auditor checks if all mandatory policies, procedures, plans and records are in place.
- Main audit: at this stage the auditor, by means of techniques such as observation, interviews and log review, checks if processes and personnel are performing according what is documented. It is at the end of this stage that any identified non compliance is raised.
- Surveillance visits: once you get certified, you have to keep the system working during the three-years certification period. To ensure that, an auditor will come periodically to check if the system is in place and ask for adjustments when needed.

These articles will provide further information:
- Becoming ISO 27001 certified – How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/
- ISO 27001/ISO 22301: The certification process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/
- Major vs. minor nonconformities in the certification audit https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/
- ISO 27001 Certification: What’s next after receiving the audit report? https://advisera.com/27001academy/blog/2015/05/18/iso-27001-certification-whats-next-after-receiving-the-audit-report/
- Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/

2. What does one take into account when planning for the audit as an auditor?

Answer: The certification auditor has to develop the audit plan to making sure that all documents are compliant with the standard's requirements and that everyone is complying with all the implemented documents. The auditor can do that by means of developing a checklist to help him to ask for the necessary documents and records, as well as to which process to observe and people to interview.

This article will provide you further information:
- How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
Inventory of assets
If these tools are used to process information you want to protect they have to be included in you inventory of assets.

This article will provide you further explanation about inventory of assets:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
Defining scope

Answer:

The most important criteria you have to adopt for defining the ISMS scope are:
- which information you want to protect.
- by where this information flows, and where they are processed and stored.
- the effort to keep the environment you want to protect separated from the rest of the environment.

For example, for organizations up to 50 employees normally it is easier to define the wholly organization inside the ISMS scope. In your case, if the information is contained in specific departments, may be easier to define only these departments in the scope (if not then you should define the wholly organization inside the ISMS scope).

Regarding the remote workers, normally you do not control the environment where they are, so the se are kept out of the scope, and you treat remote access as a risk in your assessment.

These articles will provide you further explanation about defining scope:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

If you believe you still need support for defining the scope, you an schedule a meeting with one of our experts at this link: https://advisera.com/27001academy/consultation/
Implementing ISMS and BCMS

Answer: The order of implementation will depend on your needs. If your priority is information protection, then you should go first for an ISMS. On the other hand, if your priority is to ensure processes and services delivery under disruptive conditions, then you should go first for a BCMS. It is important to note that if you use as basis for these systems the standards ISO 27001 (for information security) and ISO 22301(for business continuity), you can implement parts of these systems simultaneously, because the have many requirements in common.

These materials will provide further information:
- What to implement first: ISO 22301 or ISO 27001? https://advisera.com/27001academy/blog/2017/04/03/what-to-implement-first-iso-22301-or-iso-27001/
- How to implement integrated management system https://advisera.com/blog/2015/10/05/how-to-implement-integrated-management-systems/
- Free webinar – ISO 27001 & ISO 22301: Why is it better to implement them together? https://advisera.com/27001academy/webinar/iso-27001-iso-22301-better-implement-together-free-webinar-on-demand/

2 . What is Step by step guidelines if I need to implement both?

Answer: In a general manner, you have these steps:

- Obtain management support
- Develop a project plan
- Define scope (related to each standard)
- Define top level policies (related to each standard)
- Define basic management system procedures (common to both standard)
- Develop specific policies and procedures (related to each standard)
- Implement policies and procedures and train personnel
- Perform internal audit
- Perform management review
- Proceed with corrective actions

The following articles will provide you explanation of the steps to implement both standards:
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
- 17 steps for implementing ISO 22301 https://advisera.com/27001academy/knowledgebase/17-steps-for-implementing-iso-22301/
Document management requirements

Answer:

ISO 27000 series do not have a standard providing description about the Document Management setup/workflow. ISO 27001 only defines what must be fulfilled (e.g., documents must be approved, be available to users, etc.). There are other ISO standards that can provide requirements you can use to setup and elaborate the workflow of a DMS (e.g., ISO 15489 Information and documentation – Records management)

If you want to see how a document management system looks like, I suggest you to take a look at our platform Conformio at this link: https://advisera.com/conformio/

Conformio has a set of functionalities for DMS that are fully compliant with ISO 27001, besides other features that can make easier to implement and manage an ISMS.

These articles can provide you further information about Conformio:
- What kind of Document Management System (DMS) do you need for handling ISO documents? https://advisera.com/conformio/blog/2016/11/29/what-kind-of-document-management-system-dms-do-you-need-for-handling-iso-documents/
- Top 5 features of your online ISO document management system https://advisera.com/conformio/blog/2017/06/28/top-5-features-online-iso-document-management-system/

This article will provide you further explanation about document management:
- Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/

This material will also help you regarding document management:
- Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
Risk assessment and risk treatment

Answer: All our templates from our ISO 27001 Toolkits, including the templates for risk assessment and risk treatment, are fully compliant with requirements of ISO 27001.

At this link you can see all templates that cover the risks assessment and risk treatment process: https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/ :
- Risk Assessment and Risk Treatment Methodology
- Risk Assessment Table
- Risk Treatment Table
- Risk Assessment and Treatment Report
- Statement of Applicability
- Risk Treatment Plan

On the links for the individual templates you can see which requirements are covered by each document. For example, the Risk Assessment and Risk Treatment Methodology (https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/) cover the following requirements: ISO/IEC 27001 6.1.2, 6.1.3, 8.2, and 8.3; ISO 22301 8.2.1, 8.2.3.

2. What precautions should be taken to avoid getting Non Conformity on this?

Answer: Key points to pay attention when performing risk assessment and risk treatment are to consider the proper inputs (e.g., legal requirements, scope and policy, etc.), so you do not leave any relevant area of your system uncovered, to cover all the assets in the ISMS scope during the risk assessment (if you decide to use the asset-based approach), and to ensure your risk evaluation and treatment options are aligned with your risk acceptance criteria.

This article will provide you further explanation about risk assessment and risk treatment:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

This material will also help you regarding risk assessment and risk treatment:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
Transition from ISO 9001:2008 to ISO 9001:2015

Answer:
Let me try to give an itinerary that perhaps you can use. First check this article with a useful infographic about the differences between ISO 9001:2008 and ISO 9001:2015 - Infographic: ISO 9001:2015 vs. 2008 revision – What has changed? - https://advisera.com/9001academy/knowledgebase/infographic-iso-90012015-vs-2008-revision-what-has-changed/

Then, read this White Paper - Twelve-step transition process from ISO 9001:2008 to 2015 revision - https://cdn2.hubspot.net/hubfs/1983423/9001Academy/9001Academy_FreeDownloads/Twelve_step_transition_process_from_ISO_9001_2008_to_2015_revision_EN.pdf (perhaps this step by step approach could be useful). BTW, why not watch this webinar on demand about the subject - Free webinar – ISO 9001:2015 - How to make the transition from ISO 9001:2008 - https://advisera.com/9001academy/webinar/iso-90012015-how-to-make-the-transition-from-iso-90012008-free-webinar-on-demand/

After this I believe you can be more confident about your transition plan. Feel free to test your ideas with me.
Certifying a specific department within an organization

Answer:
Yes, it is. As long as that department specifies to what interested parties are working and what are their relevant requirements. There is no problem. In my country, several hospitals started their involvement with quality management systems by certifying individual services.

The following material will provide you more information about ISO 9001 and interested parties:
- How to determine interested parties and their requirements according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/11/10/how-to-determine-interested-parties-and-their-requirements-according-to-iso-90012015/
- Understanding needs & expectations of interested parties in ISO 9001:2015 - https://advisera.com/9001academy/blog/2017/10/24/understanding-needs-expectations-of-interested-parties-in-iso-90012015/
- Fre e online training ISO 9001:2015 Lead Implementer Course - https://advisera.com/training/iso-9001-lead-implementer-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
ISO 9001 for NGOs
Or if there is specific ISO for non-governmental organization that works in the humanitarian sector specifically?”

Answer:
Yes, ISO 9001 can and is applied in non-governmental organizations. For example, in my country several non-profit organizations that provide services to senior citizens are certified. With this kind of organizations, the focus is on the network of interested parties.

The following material will provide you more information about ISO 9001 for nonprofits:
- How to determine interested parties and their requirements according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/11/10/how-to-determine-interested-parties-and-their-requirements-according-to-iso-90012015/
- Understanding needs & expectations of interested parties in ISO 9001:2015 - https://advi sera.com/9001academy/blog/2017/10/24/understanding-needs-expectations-of-interested-parties-in-iso-90012015/
- free online training ISO 9001:2015 Lead Implementer Course - https://advisera.com/training/iso-9001-lead-implementer-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +

Search results

11269 results

Create New Topic As guest or Sign in

Assign topic to the user

Want to vote?

Internal Auditor

Performing audits

Inventory of assets

Defining scope

Implementing ISMS and BCMS

Document management requirements

Risk assessment and risk treatment

Transition from ISO 9001:2008 to ISO 9001:2015

Certifying a specific department within an organization

ISO 9001 for NGOs

Didn’t find an answer?