  • ISO 27001 update


    Answer: On December 4th ISO started the review for the next version of ISO 27001 (see more information here: https://www.iso.org/standard/54534.html). The new revision of ISO 27001 will probably be published in 2020 or in 2021 - of course, we will publish many articles on this new revision once we know what it will look like.

    2. Wondering why the Annex A controls start with numbering A.5 and not A.1.

    Answer: Annex A section numbering starts at A.5 to be aligned with the numbering in the supporting standard ISO 27002, which provides detailed guidance on implementing controls, so the cross-reference makes it easier to use both standards together.

    For more information, please read:
    - ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/

    3. Lastly, I am looking for some organisation with which I can become an approved PECB instructor, wondering if Advisera can support if you are linked in with them?

    Answer: To become a PECB instructor, please access this link and follow PECB instructions: https://pecb.com/help/index.php/knowledgebase/becoming-a-pecb-certified-trainer/
  • Filling template


    Answer:

    The impact refers to the expected losses in case an incident occurs. In the "impact" column you have to include the value defined in your Risk Assessment and Treatment Methodology that best represents the expected loss (e.g., High-Medium-Low, 1-2-3, etc.) for the asset you are considering.

    By the way, included in your toolkit you have access to a video tutorial that can help you fill in the risk assessment table, using an example with real data.
  • Risk register example


    Answer:

    To see what a risk register looks like, I suggest you take a look at the free demo of this Risk Assessment Table at this link: https://advisera.com/27001academy/documentation/risk-assessment-table/

    This document can help you list all information resources, vulnerabilities and threats, and assess the level of risk.
  • Audit days


    Answer:

    The main criteria are the number of employees and audit complexity. The document you must consider is the IAF MD 5:2015 "Determination of Audit Time of Quality and Environmental Management Systems" and you can find it at this link: https://www.iaf.nu/upFiles/IAFMD5QMSEMSAuditDurationIssue311062015.pdf

    Although its title refers to QMS and EMS, it can also be applied to estimate audit days for an ISMS certification audit.

    These articles will provide you with further explanation about the certification audit:
    - Becoming ISO 27001 certified – How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/
    - Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/

    These materials will also help you regarding the certification audit:
    - ISO 27001/ISO 22301: The certification process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/
    - Preparing for ISO Certification Audit: A Plain English Guide https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/
  • Integrating ISO 9001 and ISO 27001


    So we can be 100% certain we have completed every single document within the 9001 necessary for the auditors, can you please provide a specific list of 9001 documents that have not been covered in 27001, that we need to complete?

    Answer:

    Mandatory documents for ISO 9001 which do not exist in the ISO 27001 Toolkit are:
    - Scope of the QMS (clause 4.3)
    - Quality policy (clause 5.2)
    - Quality objectives (clause 6.2)
    - Criteria for evaluation and selection of suppliers (clause 8.4.1)

    As for mandatory records:
    - Monitoring and measuring equipment calibration records* (clause 7.1.5.1)
    - Product/service requirements review records (clause 8.2.3.2)
    - Record about design and development outputs review* (clause 8.3.2)
    - Records about design and development inputs* (clause 8.3.3)
    - Records of design and development controls* (clause 8.3.4)
    - Records of design and development outputs* (clause 8.3.5)
    - Design and development changes records* (clause 8.3.6)
    - Characteristics of product to be produced and service to be provided (clause 8.5.1)
    - Records about customer property (clause 8.5.3)
    - Production/service provision change control records (clause 8.5.6)
    - Record of conformity of product/service with acceptance criteria (clause 8.6)
    - Record of nonconforming outputs (clause 8.7.2)
    - Monitoring and measurement results (clause 9.1.1)

    Please note that records marked with * are only mandatory in cases when the relevant clause is not excluded.

    This article will provide you with additional information:
    - Using ISO 9001 for implementing ISO 27001 https://advisera.com/27001academy/blog/2010/03/08/using-iso-9001-for-implementing-iso-27001/
  • Project plan template content


    Answer: The project plan template was designed to consider the implementation of both ISO 22301 and ISO 27001, but you can use it for implementing a single standard. To do that you only have to exclude the parts related to the standard you won't be implementing (these parts are indicated by the comments included in the template).

    2. Do we have to do BCP as part of ISO or can we do after?

    Answer: Implementation of ISO 27001 does not require implementation of a BCP, only a disaster recovery plan related to Information Technology infrastructure if you have risks or legal requirements that demand its implementation.

    The Disaster Recovery Plan template can be found in folder 8 Annex A, subfolder A.17 Business continuity.

    This article will provide you with further information:
    - Business Continuity Management vs. Information Security vs. IT Disaster Recovery https://advisera.com/27001academy/blog/2017/02/27/business-continuity-management-vs-information-security-vs-it-disaster-recovery/
  • Policy development


    I could certainly use some guidance from you - just in the above mentioned areas. FYI - the statement of applicability is being crafted and should be done in a couple of weeks.

    Answer:

    First, it is important to understand that useful policies and procedures are not developed to cover specific clauses of the standard. They are developed to describe and help you better run your processes, including pertinent controls when applicable. Considering that, I suggest you take a look at the free demo of our ISO 27001 Documentation Toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

    This demo contains parts of several policies and procedures to help you understand what these documents look like.

    Regarding how to develop policies and procedures, the first step is to identify which requirements the policy or procedure must fulfill. For example, your organization may have contracts, laws, or regulations with clauses defining a specific approach for a security solution. After identifying those requirements you should consider the context of your organization regarding size, process complexity, and staff maturity.

    These articles will provide you with further explanation about document development:
    - 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
    - How detailed should the ISO 27001 documents be? https://advisera.com/27001academy/blog/2014/09/22/detailed-iso-27001-documents/
    - Seven steps for implementing policies and procedures https://advisera.com/27001academy/knowledgebase/seven-steps-for-implementing-policies-and-procedures//
  • Recording interested parties


    Answer:

    You can state ‘employees’, ‘clients’, ‘suppliers’, and ‘shareholders’ as your interested parties with no problems, but if you have some specific critical stakeholders (e.g., high revenue customers, single suppliers for critical products, etc.) we recommend that you state them individually.

    This article will provide you with further explanation about interested parties:
    - How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
  • Stage 2 audit requirements

    What do they need at a minimum for Stage 2? Will they need to see evidence of control of the manufacture, and how do we provide that if we aren't that far along yet?

    Answer:

    In a Stage 2 audit, you need to present documented evidence to the auditor to prove that your company’s QMS is in compliance with ISO 13485. This will include records, practices, and agreements such as a Quality Agreement (also termed a technical agreement) signed between the product owner and the manufacturers engaged to control the quality of the product, which can include specifications of the product, batch release details, and the responsibilities and roles of the parties involved.

    They definitely would need to see the evidence of control of manufacture. What I can suggest is that you present some form of written commercial agreement to each manufacturer that also presents the requirements and specifications of the product; that might help you. Also try to get the draft quality agreement.

    For more information, please feel free to look at the following material:

    - Checklist of ISO 13485 implementation and certification steps https://advisera.com/13485academy/knowledgebase/checklist-of-iso-13485-implementation-and-certification-steps/
    - First-, Second- & Third-Party Audits for medical device manufacturers & suppliers https://advisera.com/13485academy/knowledgebase/first-second-third-party-audits-for-medical-device-manufacturers-suppliers/
  • Corruption, bribery and risks


    Answer:
    ISO 9001:2015 does not say anything specific about corruption or bribery. However, corruption and bribery can be determined and evaluated as relevant business risks. In that case, organizations should develop action plans to handle those risks.

    The following material will provide you with information about the risk-based approach:
    - ISO 9001 – How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    - Risk-based thinking replacing preventive action in ISO 9001:2015 – The benefits - https://advisera.com/9001academy/knowledgebase/risk-based-thinking-replacing-preventive-action-in-iso-90012015-the-benefits/
    - ISO 9001:2015 Risk Management Toolkit - https://advisera.com/9001academy/iso-90012015-risk-management-toolkit/
    - Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-internal-auditor-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/