Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11270 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Defining roles and responsibilities
Ideally we need you to guide us with the minimum team we need to implement the ISO 27001 standard 'in-house' and also what roles can be combined.
Answer:
ISO 27001 does not prescribe a "minimum team" for running an ISMS, so organizations are free to define the size of their teams according to their needs.
For very small organizations just one person with the proper competencies and authority is able to run an ISMS. For organizations up to 50 employees you may consider one person at top management level and one person to run daily activities. For bigger organizations you should consider including information security responsibilities on existing roles like IT manager, HR manager, and training them to perform relat ed activities.
These articles will provide you further explanation about roles and responsibilities:
- What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
- Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
- How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/ -
Certification importance and costs
Answer:
If that matters or not is up to you, or your customers, to decide. Do you, or your customers, think that ISO certification can be an advantage, for example, to prevent quality problems? If that is so, you should work with ISO certified manufacturers or ask them to get it in a time-frame
2. Also, what would be the cost of such a simple business getting certified be?
Answer:
What costs will be included in your organization’s certification? What options will you take? Will you be creating everything on your own by studying ISO 9001? Or will you buy and use documentation templates? Or will you hire a consultant? Then, you will have certification body costs. Organization dimension is very relevant to determine the number of audit days for the c ertification body costs.
The following material will provide you with information about certification costs and templates:
- ISO 9001 – How much does the ISO 9001 implementation cost? - https://advisera.com/9001academy/blog/2016/12/20/how-much-does-the-iso-9001-implementation-cost/
- ISO 9001:2015 Documentation Toolkit - https://advisera.com/9001academy/iso-9001-documentation-toolkit/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
Record retaining time
Answer:
As long as there are no legal requirements, and as long as there are no customer requirements, for example on contracts, organizations are free to determine the retention time for their records.
Normally, in these cases, I advise keeping records for 3 or 4 years, to assure that records generated during a certification cycle will be available.
The following material will provide you information about retaining records:
- ISO 9001 – New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
Using templates on Conformio
Answer:
The folders are listed in the order the documents are to be implemented to make your implementation easier, so you must follow their sequence.
Regarding skipping folder 00, this happens because the Procedure for Document and Record Control is not mandatory for ISO 27001, and Conformio platform already complies with all standard's requirements for document and record control.
Included in the toolkit you bought there is a List of Documents file which shows which documents are mandatory to be compliant with ISO 27001. -
What is AS9101 Rev F?
Answer:
While AS9100 is the document which provides organizations in the aerospace industry requirements for creating a Quality Management System (QMS), the AS9101 document is used by the certification body auditors to guide them on auditing the QMS which has been created by the organization. This document gives information on how to structure the audits and also provides a checklist to score the different parts of the QMS as required by AS9100. The update to AS9101 Rev F is to bring this document inline with the updated structure of AS9100 Rev D.
For more information on this see the article, “How Does AS9101, AS9102 & AS9103 Relate to AS9100 Rev D?”, https://advisera.com/9100academy/blog/2017/10/23/how-does-as9101-as9102-as9103-relate-to-as9100-rev-d/ -
Auditor qualifications
Answer:
Persons are not ISO 14001 certifiable. So, your question can have two
meanings:
1. If a person helped an organization to get its certification, can it be
a qualified auditor?
2. If a person passed an exam about ISO 14001, can it be a qualified
auditor?
A qualified auditor is a person with knowledge both about the management
standard used as a reference, and about good auditing practices. Whatever
the meanings mentioned above, 1 or 2, there is no guarantee that the person
knows about good auditing practices.
The following material will provide you information about qualified
auditors:
- - ISO 14001 – What competences should an ISO 14001 internal auditor
have? -
https://advisera.com/14001academy/blog/2016/07/04/what-competences-should-an-iso-14001-internal-auditor-have/
- - free online training ISO 14001:2015 Lead Auditor Course -
https://advisera.com/training/iso-14001-lead-auditor-course/
- - book - The ISO 14001:2015 Companion
-
Control owners
Alternatively, should the annex a controls and implementation be owned by the Head of IT/information security?
Answer:
You can assign owners to controls applicable to your organization, but for small and mid-size companies this role is normally assumed by the risk owner, the one who is accountable for managing a risk. For small and mid-size companies the number of treated risks normally allows the risk owners also to be control owners, but when the number of risks is too high, or controls are used to treat multiple risks, assigning control owners may be a better approach, since the control owner will have a comprehensive view of how controls are used against multiple risks, while the risks owners can focus on keeping the risks on acceptable levels.
Considering your alternative, since inf ormation security controls can cover much more then IT-related controls, then the best approach would be for the controls to be owned by the Head of information security. Again, if the number of controls is too high, then you can split responsibilities considering people competencies.
This article will provide you further explanation about risk owners:
- Risk owners vs. asset owners in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/ -
Incident management
Answer:
The management understanding is correct. Having a single plan to cover multiple types of incidents or assets would be a big and unpractical document, then the best approach would be to have multiple small documents covering specific assets or incidents.
These articles will provide you further explanation about incident management:
- How to handle incidents according to ISO 27001 A.16 https://advisera.com/27001academy/blog/2015/10/26/how-to-handle-incidents-according-to-iso-27001-a-16/
- Using I TIL to implement ISO 27001 incident management https://advisera.com/27001academy/blog/2015/11/10/using-itil-to-implement-iso-27001-incident-management/t/
Em 02/01/2019 19:03, Vanda Pentic escreveu: -
Information Security Policy and Business Continuity Management Policy
1 - Your Information Security Policy relates to the BCMP, (red below), but can you please advise where is this template?
Answer: You do not have to keep section 4.4 of the Information Security Policy if you don't have business continuity management implemented in your company, or you do not have plans to implement it together with ISO 27001. The Business Continuity Management Policy is not mandatory for ISO 27001 certification (even if controls from section A.17 of Annex A are applicable), so to not increase unnecessarily customers effort on managing the ISMS, this template is not included in the toolkit you bought.
2 - During Certification, we are concerned the Business Recovery Plan may be too simplistic even for our small business. We have reviewed your tutorials, but still remain very unclear. We would appreciate your explana tion here to help us move forward please.
Answer: The Disaster Recovery Plan template included in your toolkit includes all requirements a certification auditor will look for during the certification audit, so if you followed all recommendations in the comments included in the template your document will be fine for the certification audit. In any case, included in your toolkit you have the possibility to send us some of your documents so one of our experts can evaluate them and provide guidance on which adjustments you have to make, if any, so your document is fully compliant with the standard. -
Mandatory documents and production steps
We are having an internal debate here regarding "Work Station Signage" requirements. That is, are assembly technicians "required" to initial & date when they complete a particular manufacturing sequence step? Currently we have not required technician signoffs in the past as it is "fairly" obvious as to whether or not the prior Sequence Step was completed correctly or not. Typically there are about 20-30 sequence steps to assemble the products we sell. At the very end, all products receive a Final Calibration report which basically indicates the product manufactured satisfies performance specifications.
There are a group of individuals here that feel ISO 9001 requires workstation signage and there is a group of individuals her e that is against it. I don't see the harm in having it the signoffs, but I'm not an ISO expert and I'm not able to determine whether this is specifically required or not by the standard. Could you shed some light on this?”
Answer:
The fast answer is: ISO 9001:2015 does not require workstation signage as long as that signage is just a confirmation of work done. If that workstation signage is used in your organization as a kind of quality control then it is required.
The following material will provide you information mandatory documents:
- ISO 9001 – List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/