Usually internal auditors are consultants, professionals with experience and enough knowledge implementing and maintaining management systems. You can work for a company as a consultant where usually part of the job is conducting internal audits, or if you have enough experience, work as a freelancer providing consulting services such as internal audits. In the latter case you will need to develop a contact network in order to gain new clients and advertise your services on specialized websites.
The best approach is to develop a checklist of which items you need to verify, and which results you have to find to define if there is a gap or not. Based on that approach it is easier to develop action plans to eliminate the gaps.
It was developed as a simple question-and-answer questionnaire so you can visualize which specific elements of an information security management system are already implemented, and what still needs to be done.
Both clauses, clause 4.2 on understanding the needs and expectations of interested parties and clause 6.1 on actions to address risks and opportunities, are truly crucial in the implementation of ISO 9001:2015. Clearly informing top management about both clauses, their importance for a successful implementation, and the relevance of management's responsibilities in these two processes will help management become aware of these points.
To raise management's awareness of the standard's implementation process, a series of indicators can be used to demonstrate that the QMS is also quantifiable, choosing those indicators that matter most to management, such as expenses or incidents. This is especially evident in activities within an organization such as equipment maintenance, monitoring of manufacturing processes, root-cause analysis of nonconformities, etc.
It is fundamental that top management is fully aware of the benefits of a management system, so that this awareness is passed on to employees, who will see it the same way.
The main points here are to focus on business benefits, low costs and quick wins.
To resume a poorly implemented ISMS, or convince management to implement security practices without external enforcement, you should focus on solving problems your areas are currently undergoing (e.g., low performance on KPIs, unplanned downtime, rework, non-compliance fines, missed deadlines, etc.), by means of quick implementation of controls based on solid risk assessments (and less focus on the other elements of the management system).
It may seem odd to start like this, but the point is to try to gain/regain top management commitment and people's trust in information security (few but effective controls will help you with that), and only after achieving that you should try to demonstrate that in the long run the gains can only be maintained with the help of the other elements of the management system (e.g., in internal audit, management review).
Risk assessment should be monitored against recorded events, incidents and non-compliances, processes performance results, and changes on the context of the organization.
All these inputs can show trends in risks that may require the risk assessment to be adjusted, either by means of including/excluding risks, changing probability and/or impact values of existing risks, or by changing the treatment or controls for those risks.
These inputs are often considered during periodic process performance evaluation or during management review.
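As an added illustration of the monitoring loop described above (not code from the original page or its author), here is a small Python script that compares a risk register's assessed likelihood with the incident and non-conformity records of one year and lists the risks whose rating no longer matches the evidence. The 1-4 likelihood scale, the register entries, the log line format and the review threshold are all hypothetical assumptions for this example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Hypothetical 1-4 likelihood scale (an assumption for this example, not from the page):
# band 1 = fewer than 1 event/year, 2 = 1-2, 3 = 3-5, 4 = 6 or more.
LIKELIHOOD_BANDS = ((0, 1), (1, 2), (3, 3), (6, 4))  # (minimum events per year, band)
REVIEW_LEVEL = 8  # hypothetical threshold: likelihood x impact at or above this needs treatment


@dataclass
class Risk:
    risk_id: str
    asset: str
    likelihood: int  # assessed band, 1-4
    impact: int      # assessed band, 1-4
    treatment: str   # "mitigate" or "accept"

    @property
    def level(self) -> int:
        return self.likelihood * self.impact


# Constructed sample register and event records; none of this is real data.
REGISTER = [
    Risk("R-01", "file-server", likelihood=3, impact=2, treatment="mitigate"),
    Risk("R-02", "vpn-gateway", likelihood=2, impact=3, treatment="mitigate"),
    Risk("R-03", "mail-gateway", likelihood=2, impact=4, treatment="accept"),
]

EVENT_LOG = """\
2024-01-14 INCIDENT risk=R-03 asset=mail-gateway detail=phishing-credential-reuse
2024-02-02 INCIDENT risk=R-03 asset=mail-gateway detail=phishing-credential-reuse
2024-03-19 NONCONFORMITY risk=R-02 asset=vpn-gateway detail=patch-window-missed
2024-05-07 INCIDENT risk=R-03 asset=mail-gateway detail=malicious-attachment
2024-09-30 INCIDENT risk=R-03 asset=mail-gateway detail=phishing-credential-reuse
2023-11-11 INCIDENT risk=R-01 asset=file-server detail=ransomware-attempt
"""

LINE_RE = re.compile(r"^(\d{4})-\d{2}-\d{2} (INCIDENT|NONCONFORMITY) risk=(\S+)")


def count_events(log_text: str, year: int) -> Counter:
    """Count recorded incidents and non-conformities per risk id for one year."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and int(m.group(1)) == year:
            counts[m.group(3)] += 1
    return counts


def observed_likelihood(n_events: int) -> int:
    """Map an observed yearly event count onto the hypothetical likelihood scale."""
    band = 1
    for minimum, b in LIKELIHOOD_BANDS:
        if n_events >= minimum:
            band = b
    return band


def review_register(register, log_text: str, year: int) -> list:
    """Compare each risk's assessed likelihood with what the records show.

    Returns one finding per risk whose likelihood band should change, plus a
    note when an accepted risk would move above the review threshold.
    """
    counts = count_events(log_text, year)
    findings = []
    for risk in register:
        events = counts.get(risk.risk_id, 0)
        observed = observed_likelihood(events)
        if observed == risk.likelihood:
            continue  # records agree with the assessment; nothing to adjust
        new_level = observed * risk.impact
        finding = {
            "risk_id": risk.risk_id,
            "events": events,
            "assessed": risk.likelihood,
            "observed": observed,
            "action": "raise likelihood" if observed > risk.likelihood else "lower likelihood",
            "new_level": new_level,
        }
        if risk.treatment == "accept" and new_level >= REVIEW_LEVEL:
            finding["note"] = "accepted risk now exceeds review threshold; revisit acceptance"
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in review_register(REGISTER, EVENT_LOG, 2024):
        print(finding)
```

Running it over the constructed 2024 records flags R-01 for a lower rating (no events recorded that year) and R-03 for a higher one (four incidents), and because R-03 was an accepted risk whose recalculated level now exceeds the threshold, the finding also carries a note to revisit that acceptance at the next review.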
That will depend upon your ISO 9001 QMS scope.
A certified ISO 9001 QMS is not necessarily applied to all activities of an organization. An organization can tailor the scope of the QMS in order to only be applicable to part of a business. For example, I worked with a shoe manufacturing company with two businesses: uniform shoes and fashion shoes. They decided to certify only the uniform shoes part of the business. Once your organization decides about the scope, all projects within that scope must follow the ISO 9001 QMS rule, to avoid misleading customers. Remember, scope definition is not a technical issue, it is a management decision.
1 - I agree with you that the performance evaluation should provide input to the risk monitoring. But what if there is a high risk which is related to a critical asset and it is not related to performance evaluation? I mean the risk register has many risks which are related neither to performance evaluation nor to the management review; what can be done in that case?
Answer: You can define specific reviews only for the risks with high value that fit the conditions you stated. This way you won't have to review all the risks on the risk assessment table. It is important to note that the situations you stated are not common, because in general high risks are treated by application of controls, which are part of a process that can be monitored and evaluated. The situations you described are very often associated with accepted risks (where the cost to decrease the risk is considered too high and no action is performed).
2 - Also, can you please elaborate on performance evaluation and how to do it? From my understanding, I am conducting internal audits and management review by ISGC meetings, wherein I present to the ISGC the status of the IS program with the number of reduced incidents and risks.
Answer: Performance evaluation can be understood as the periodic review performed by the process owner or by the head of the department where the process is carried out. It is the control activity performed by the people who perform and are responsible for the process, and because of this it can be performed on a much shorter cycle. Internal audit is the second level of control, where people outside the process evaluate it.
3 - How can management review help me monitor risk?
Answer: Top management has a systemic view of the business, and normally access to external or sensitive information not available to lower levels of the organization that can help identify situations that can affect risk. For example, the decision to enter a new market with new regulations to comply with, or reports about trends among competitors.
Implementation costs
Answer:
There are a significant number of variables to be considered when estimating an implementation cost, so without more detailed information it's not possible to give a precise value. What I can tell you are some cost items you should consider:
- Training and literature
- External assistance
- Technologies to be updated / implemented
- Employee's effort and time
- The certification process
Regarding ISMS maintenance costs, the above-mentioned costs also have to be considered, but at different levels, and you have to add the surveillance audit costs for certification maintenance.