Answer: Besides being one of the documents required for the certification audit, the Risk Assessment and Treatment Report is a summarized version of what is defined in the Risk Assessment and Treatment Methodology, as well as of the results of the risk assessment and treatment processes, to be presented to Top Management. With this report you can present only the information relevant to top management (for example, you do not need to include in the report all risks that were accepted according to your risk acceptance criteria) and make the information easier to understand.
Cloud security concerns
The questions I have are as follows:
1) I already conducted the gap assessment before purchasing your book. At this point, do I still need to include the 27017 cloud controls in the gap assessment, i.e. the additional 7 controls?
Answer: ISO 27001 controls already provide good general protection for information security, so you have to check whether your client has some specific requirements demanding cloud security. If so, then you must include the additional 7 controls in your gap assessment.
2) Do you think I should write a separate cloud security policy or should I add it to the ISMS policy?
Answer: Unless you have a specific legal or business requirement demanding a separate cloud security policy, it would be best to have a single policy covering these two issues (you can consider the cloud security policy as a section of your ISMS policy).
3) Also, what is the best way to ensure the client is implementing the appropriate controls, as I am not well versed in the AWS environment?
Answer: The best way is to perform a risk assessment, to identify the most relevant risks to your client's business. From the risks considered unacceptable you can identify which controls are needed. Since you mentioned your client is using AWS, it is important to ensure that the controls the provider must implement are defined as contractual clauses in its service agreement with AWS.
Answer: The EU GDPR does not prevent personal data from being shared with third parties. In this case, both the Council Estate and you would be acting as independent data controllers. The Council Estate will need to inform the leaseholders that their data will be shared with your company and with other third parties that will be acting as data controllers. After receiving the data, the leaseholders association will also need to provide an adequate privacy notice to the leaseholders informing them about what data they have received, from where, the lawful grounds for processing, the retention period, etc. If you want to find out more about privacy notices and how to deliver them, check out our webinar: Privacy Notices under the EU GDPR (https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/).
If so, how can we get this data?
Answer: If the Council Estate still refuses to provide you with the data, then you can also get the data from the leaseholders themselves. As explained above, when you are collecting the personal data you would need to provide an adequate privacy notice.
If not, what evidence can we use to show we are entitled to the data?
Answer: In the UK, in order to be able to process personal data you may need to register with the Information Commissioner's Office (ICO). You can find some details on how to register, as well as some of the exemptions, on the ICO website here: https://ico.org.uk/for-organisations/data-protection-fee/self-assessment/
ISO 9001: documents, records and competency
My efforts so far to understand this area have not been very successful. ISO 9001 is huge, whereas I am only interested in, and trying to focus on, one particular area. I am not responsible for everything, and the person who is, is not well versed in technology. The information and material I have found so far has not explained or communicated this well – or let’s say it’s not focused on the “technology” that supports the systems being used to meet ISO requirements. The information is more in relation to the people and processes that surround it. Any other information or suggestions you could provide me with would be very greatly appreciated.
Answer:
As far as I understand your concerns, my answer is:
Independently of the media used, there are some ISO 9001 requirements to consider:
a) Who has the authority to approve Education Course Material?
b) Who has the responsibility to keep Education Course Material updated?
c) Who must attend the course where that Education Course Material is used?
d) Can you show evidence that people attended the course?
e) Was the course effective, i.e. did people become competent after the course? Can you prove it?
About a): this is related to ISO 9001:2015 clause 7.5.
Education Course Material must be a controlled document. Someone with authority must approve the document after ensuring that it is complete, up to date and in accordance with requirements (laws, regulations, standards, internal practices and know-how, …).
About b):
Laws, regulations and standards are relevant documents of external origin that can affect the content of Education Course Material. Periodically, someone should be responsible for checking if there are revisions and/or new documents that can affect the content of Education Course Material. Retaining records that show evidence of that “checking” is a good practice although not mandatory.
If revisions and/or new documents are found, the organization needs to obtain them, study them and incorporate the changes into the Education Course Material, updating it to a new version that requires a new approval, removal of obsolete copies and retention of a copy for historical purposes.
After approval of the updated version of the Education Course Material, it must be distributed to users. A good practice is having a register that summarizes, for each document, what the current version is and where it is used or who must have access to it.
Internal changes must be handled in the same way.
About c): this is related to ISO 9001:2015 requirements 7.1.6 and 7.2.
7.1.6 is about the competency profile for each position in the organization.
7.2 is about the competency level of each employee.
If the actual competency level of someone is below that required by the organization and/or law/regulation, that person must take the course where the Education Course Material is used.
About d) and e): these are related to ISO 9001:2015 clause 7.2.
Retaining records of the course delivery, of who participated, and of any documentation distributed is a good practice.
Retaining evidence that the course was effective and that people became competent is mandatory.
For a company of up to 200 employees you could expect ca. 20% of the total work time of the person who is running such a project (usually the CISO) - i.e. one day per week for coordinating the ISO 27001 implementation.
Other people that will need to be involved:
- Sponsor of the project (e.g. the CEO) - ca. 4 hours per month - for approving the main documents and resolving conflicts
- Head of IT department - ca. 2 man-days per month - for reviewing the documents and coordinating the IT side of the implementation
- Heads of the departments - ca. 5 man-days during the whole implementation - for participating in the risk assessment, reviewing the documents and coordinating the implementation in their departments
Answer:
SMART objectives are not a mandatory ISO 9001:2015 requirement; they are a good practice.
S – specific. Both are specific objectives, as long as “critical spares” are defined.
M – measurable. Both are measurable objectives, one can count how many times critical spares were not in stock, and how many times purchased materials had quality problems during reception or found during transformation.
A – attainable. Personally, I start wondering whether 100% is a reasonable target; perhaps it is too demanding, perhaps too expensive. I would like to see past performance before setting the bar so high. So, without further data, I would recommend care about the targets. Some people use the A for agreed (objectives should be negotiated and accepted by both parties, top management and the person responsible for meeting the objective).
R – responsible. You should add who is going to be responsible for each objective, i.e. who is going to lead the transformation needed to reach that target performance. Some people use the R for realistic (same as achievable or attainable).
T – time framed. You should add a time frame for each objective: how long it will take to meet the target.
Answer:
Gage R&R stands for Gage Repeatability and Reproducibility, and it is mandatory when you perform Measurement System Analysis (MSA).
When a Gage R&R study fails, that means you don’t have the process under control as per the Control Plan. So, the MSA is not valid if Gage R&R fails. It means the people who are doing the measurement had a lot of variation and the process is not stable.
So, based on your case, it is a non-conformance with clause 7.1.5.1.1 Measurement System Analysis.
A supplier needs to show that Gage R&R has passed. There is no opportunity for reusing any old Gage R&R study, because it refers only to measurement done at that specific time.
Please see further explanation in How to establish Measurement System Analysis (MSA) - https://advisera.com/16949academy/blog/2017/11/08/how-to-establish-measurement-system-analysis-according-to-iatf-16949/
Answer:
Supplier surveys can be done by any department in any organization. ISO 9001:2015 does not mandate that they be done by a particular department. Each organization should assign responsibility according to its own particular case.
ISO 27001 does not prescribe in which format information must be kept, only that formats must be defined, so you can keep your procedures as video recordings, provided that you manage them in a way that fulfils the requirements for documented information from clauses 7.5.2 and 7.5.3 (e.g., approval flow, records, preservation, etc.).
Here is a practical example of how to fill this template:
Consider that a customer named Jon has a service level agreement with your company which defines, in clause 32-b, that access to all information provided by the customer to information system ABC is restricted to customer personnel only. In this case, the person responsible for system ABC is the one responsible for ensuring the system's compliance with this requirement. Then your document would look like this:
Interested party: Customer Jon
Requirement: Clause 32-b (Information provided to system ABC is restricted to the customer's personnel)
Document: Service level agreement
Person responsible for compliance: System ABC administrator
Deadline: when system ABC is made available for customer use