
  • Filling out the Treatment Table

    First of all thanks for the clarification about your doubt.

    In fact, for the purpose you described, the Risk Treatment Plan is not the proper document. As you said, it describes the general solution for a risk. For recording more detailed information you can use the Statement of Applicability template. In this template you have a column called "Implementation method", where you can describe the solution for a control (covering all risks and legal requirements related to that control), or make reference to documents (e.g., policy, procedure, or work instruction) describing the adopted solution.

    This article will provide you further explanation about the Statement of Applicability:
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
  • Controls measurement

    The concept of measurement is also best explained through this PDCA cycle:
    - In the Plan phase you need to set the objectives (ISO 27001 4.2.1 b 1) and 4.2.1 g)),
    - In the Do phase you must figure out how to measure up to which point your objectives are achieved (ISO 27001 4.2.2 d),
    - In the Check phase you need to start actual measurement (ISO 27001 4.2.3 c), and finally
    - In the Act phase, once you realize you haven't achieved your objectives (which is very often the case), you need to make certain improvements (ISO 27001 4.2.4 d).

    However, I was unable to find the section in the actual ISO 27001 standard which you mentioned as:
    - 4.2.1 b 1) and 4.2.1 g)
    - ISO 27001 4.2.2 d
    - ISO 27001 4.2.3 c
    - ISO 27001 4.2.4 d

    Answer:

    First of all, sorry for this inconvenience. This article was written considering the 2005 version of ISO 27001. For the 2013 version you must consider these clauses:
    - ISO 27001:2005 4.2.1 b 1) is now ISO 27001:2013 5.2 Policy
    - ISO 27001:2005 4.2.1 g) is now ISO 27001:2013 6.1.3 Information security risk treatment
    - ISO 27001:2005 4.2.2 d is now ISO 27001:2013 9.1 Monitoring, measurement, analysis and evaluation
    - ISO 27001:2005 4.2.3 c is now ISO 27001:2013 9.1 Monitoring, measurement, analysis and evaluation
    - ISO 27001:2005 4.2.4 d is now ISO 27001:2013 10.1 Nonconformity and corrective action and 10.2 Continual improvement
  • List of assets

    So, the question is how deep we should go into assets that contain other similar assets, and whether we should take a building as an asset when we can detail it into smaller parts that could somehow be put together as a whole… I'm probably not explaining myself so well; I hope you will understand, as this is probably a recurring question.
    To what extent is it up to us to choose the level of detail? How much will this depend on the external audit?

    Answer:

    The quantity of assets and their level of detail is totally up to the organization. The external auditor will only verify whether your arrangement can provide enough confidence that all relevant risks are being properly assessed and treated.

    As a tip for handling the asset inventory, you only have to increase the level of detail if you identify that this way you can improve security, or have more efficient operations with acceptable risks. For example, you can have a building as a single asset, but if you identify that a room in that building needs extra security, you can have two different assets (i.e., the building and the specific room). On the other hand, if you have similar assets that can share the same controls, you can group them in a single asset. For example, laptops, tablets and smartphones can be grouped as an asset named "Mobile devices".

    Other examples are the network (which can be divided into cabling, switches, firewalls, etc.), and roles in the organization (the different roles can be grouped, e.g., as users, technical staff, and managers).

    This article will provide you further explanation about inventory of assets:
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
  • OHS Objectives in ISO 45001

    Answer:
    For OHS objectives, this is just the sort of measurable, targeted improvement that is expected by the ISO 45001 standard. The idea is to set a target for improvement, and then make plans to achieve this target and flow these plans down so that everyone knows what they need to do to achieve the target in the planned timeline. You seem to have a good objective for improvement.
    For more information on OHS objectives see this article:
    - How to define ISO 45001 objectives and plans: https://advisera.com/45001academy/blog/2018/12/04/how-to-define-iso-45001-objectives-and-plans/
  • Waste audit

    Answer:

    You don't need any qualification in ISO 14001 to conduct a waste audit, although it can help you to better understand how to handle waste in an organization. The objective of a waste audit is to determine the types of waste and the locations that will be audited, while the aim of ISO 14001 is to manage all the environmental aspects related to an organization, so it covers a broader scope.

    These materials can help you to understand waste management in ISO 14001:
    - Article - 7 steps in handling waste according to ISO 14001: https://advisera.com/14001academy/blog/2016/11/07/7-steps-in-handling-waste-according-to-iso-14001/
    - Book - The ISO 14001:2015 companion: https://advisera.com/books/the-iso-14001-2015-companion/
    - ISO 14001:2015 Foundations Course: https://advisera.com/training/iso-14001-internal-auditor-course/
  • Changes in documents

    Answer:

    There are no specific requirements in ISO 9001:2015 about this issue; however, I recommend that you keep track of changes by mentioning the review date and the edition number. Regarding the edition number without changes, this is totally up to you; I usually don't change the edition number unless there are some changes in the document. You can develop a procedure stating all these things so everybody in the company can follow and understand the system.

    These materials can help you to better understand document control in ISO 9001:2015:
    - Article - Some tips to make document control more useful for your QMS: https://advisera.com/9001academy/blog/2014/05/20/tips-make-document-control-useful-qms/
    - Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - ISO 9001:2015 Foundations Course: https://advisera.com/training/iso-9001-foundations-course/
  • Gap analysis

    Thank you so much. I found it very helpful.

    Best regards,
    monike
  • Off-site audit

    Answer:
    Your organization has to respond to those major findings and send your proposals to the auditor. By "off-site" he means that he does not need to go back to your company to accept your answers. Your organization writes the answers and sends them to him or her, and he or she will accept them or not without going back to your organization again.

    The following material will provide you information about responding to findings:
    - ISO 9001 – How to deal with nonconformities in an ISO 9001 certification audit: https://advisera.com/9001academy/blog/2015/06/09/how-to-deal-with-nonconformities-in-an-iso-9001-certification-audit/
    - Free online training ISO 9001:2015 Internal Auditor Course: https://advisera.com/training/iso-14001-internal-auditor-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • MOC documentation required
    Answer:

    Regarding the mandatory documentation related to MOC, you need to retain the following documented information:
    - Design and development changes records (clause 8.3.6)
    - Production/service provision change control records (clause 8.5.6)

    These materials can help you to better understand MOC documentation:
    - Article - QMS change management in 7 steps: https://advisera.com/9001academy/blog/2016/11/29/qms-change-management-in-7-steps/
    - Article - List of mandatory documents required by ISO 9001:2015: https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
    - Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free online ISO 9001:2015 Foundations Course: https://advisera.com/training/iso-9001-foundations-course/
  • Video and template content

    In this tutorial, the ISO 27001 standard clauses referred to are 4.3.2 and 4.3.3, while in the template the reference document is listed as 7.5. Can you please advise why these are different, and which clauses I should reference, so I can make sure this matches up correctly moving forward? Can you please advise which one I should rely on?

    1. Reference documents
    · ISO/IEC 27001 standard, clause 7.5
    · ISO 22301 standard, clause 7.5
    · BS 25999-2 standard, clauses 3.4.2 and 3.4.3
    · Information Security Policy
    · Business Continuity Policy
    · Policy for handling classified information
    · [other documents and regulations specifying document control]

    Answer:

    First of all, sorry for this inconvenience. Every time you find such discrepancies between the tutorials and documentation, please use the information in the templates, because they are the most updated version.

    2 - Also, there is mention throughout of ISO/IEC 27001. Can you please confirm what the IEC relates to, as I have not come across this before.

    Do I keep this referenced within our documentation as the Standard name, or should I have this removed? As I work through the video / documentation, I am noticing several discrepancies between the video and the template.

    Answer:

    The International Electrotechnical Commission (IEC) is an international standards and conformity assessment body for all fields of electrotechnology, and it has joined with ISO for the development of ISO 27001, since many controls to protect information are related to electrotechnology. The official name of the standard is ISO/IEC 27001, but you can refer to the standard simply as ISO 27001 without any problem.