
  • Documentation content

    I am working through the Statement of Applicability and have found that the Control Objectives listed in the Statement of Applicability do NOT align with those found in the PDF ISO 27001 Controls and Objectives. In the Statement of Applicability it shows the control for A.6.1.2 as Segregation of duties, but then when I go to the PDF for the ISO 27001 Controls and Objectives it shows A.6.1.2 Information security coordination.

    Control A.6.1.2 Information security coordination is listed in the old 2005 revision of ISO 27001, which was superseded by the 2013 revision, which is the current one. In the 2013 version of ISO 27001, control A.6.1.2 refers to Segregation of duties. Considering that, you have to follow the Statement of Applicability document.

    Based on the response, can you please provide the 2013 Annex A List of Controls and Objectives, as the one I have is 2005 and does not align with the Statement of Applicability in the toolkit.

    I'm sorry, but the ISO 27001 standard is the intellectual property of ISO, and we do not have the license to sell it, as a whole or in part. You can buy this standard at this link: www.iso.org/standard/54534.html

  • Asset inventory and Organizational context


    Answer: Examples of assets related to people are managers, experts, external persons, etc. Treatment for such assets deals with how to replace missing employees, how to prevent external people entering sensitive areas, etc.

    This article will provide you further explanation about awareness and training:
    - How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/

    2. Internal issues/ External issues and Interested parties examples in Risk Assessment report - Is there a standard template?

    Answer: Examples of external issues are: geographical location, public infrastructure available, political, economic, social and technological trends, etc.
    Examples of interested parties: clients, suppliers, top management, employees, etc.
    Examples of internal issues are: organizational culture, processes and procedures, equipment, financial resources, etc.

    This article will provide you further explanation about organizational context:
    - How to define context of the organization according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
    As for the Risk assessment report, I suggest you take a look at the free demo of our Risk Assessment and Treatment Report at this link: https://advisera.com/27001academy/documentation/risk-assessment-and-treatment-report/
  • Acting on OFIs


    Answer:

    An opportunity for improvement (OFI) is not a nonconformance. And since an OFI is not a nonconformance, there is no need for any correction or corrective action. Your organization should look at each OFI and decide if the improvement is worth doing. If the organization decides to act, showing the evidence is enough.

    The following material will provide you information about dealing with nonconformances:
    - Major vs. minor nonconformities in the certification audit - https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/
    - free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • Secure development KPIs


    Answer:

    The most used KPIs to measure compliance with a policy are the results of audits (internal and external), regarding the number of nonconformities identified, and the number of incidents which can be related to that policy.
    It is important to note that measuring compliance means checking that what is written is done, but you should also be concerned with the achieved results of what is done. For example, if your secure development policy defines that you have to perform periodic tests, then if you perform the tests you are compliant with the policy; but if the test results frequently show a high number of failures, then your development process may have a problem that must be handled. Most often, KPIs related to the secure development process are the number of relevant risks treated by security controls implemented in the software, and the number of failures or vulnerabilities identified per test.

    This article will provide you further explanation about KPIs:
    - Key performance indicators for an ISO 27001 ISMS https://advisera.com/27001academy/blog/2016/02/01/key-performance-indicators-for-an-iso-27001-isms/
  • ISO 27005 study material


    Answer:

    Auditor and Implementer courses do not require previous knowledge of ISO 27005, although this knowledge may allow you to take greater advantage of the course, so if you can afford to study this standard beforehand it may be a good idea; but again, you will be capable of achieving the course objectives without this previous knowledge.

    Regarding practice, although useful, 27005 is not required for auditing.

    The standard itself you can buy at this link: https://www.iso.org/standard/75281.html

    As for ISO 27005 courses, we currently do not offer one, but you may check these:
    - https://www.bsigroup.com/en-AE/ISOIEC-27001-Information-Security/Training-courses-for-ISO-27001/ISOIEC-270052011-Information-Security-Management-System-ISMS-Risk-Management-Course-/
    - https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27005

    This webinar can provide you the basics of 27005: The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Mapping the threats against relevant Annex A controls

    Unfortunately, such a generic document is not available. Organizations concerned with information security avoid publishing such documents because they may mislead organizations implementing their own practices, who may understand these as the solution for their risks without considering their own organizational context.
  • Planning ISO 9001 Implementation

    1. Warehousing and Logistics
    2. Manufacturing of Automotive Workshop Tools and Equipment,
    3. Servicing and Repair of Automobiles
    How do you think we should plan our ISO 9001:2015 implementation.

    Answer:

    First thing you need to do is make sure the top management will be involved in the project, so you assure the necessary resources will be provided for the implementation process.

    After that, you can perform a GAP analysis to learn which requirements you need to comply with and which ones you already comply with. You can access our free GAP analysis tool here: https://advisera.com/9001academy/iso-9001-gap-analysis-tool/

    The next step is learning the standard clauses so you can create a project plan, where you will define the milestones, documents to be developed, responsibilities and so on.

    Here you can find a white paper to learn more about each ISO 9001:2015 clause - Clause by clause explanation of ISO 9001:2015: https://info.advisera.com/9001academy/free-download/clause-by-clause-explanation-of-iso-90012015

    Here you can download the Project Plan for ISO 9001:2015 implementation: https://info.advisera.com/9001academy/free-download/project-plan-for-iso-9001-implementation-ms-powerpoint

    It is important that you define your scope correctly, so you make sure you don't go too far with some analyses. To do so, I recommend you develop a map of processes and also conduct a SWOT analysis to better understand the internal and external issues of your organization.

    Here you can find an article to learn more about the scope - How to define the scope of the QMS according to ISO 9001:2015: https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/

    These materials can also help you with ISO 9001:2015 implementation planning:
    - Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free online course - ISO 9001:2015 Foundations Course: https://advisera.com/training/iso-9001-foundations-course/
  • ISO 9001/14001 and training requirements


    Answer:

    ISO 9001 and ISO 14001 require that organizations determine competency requirements for their employees. Then, organizations should evaluate if there are competency gaps among their employees and determine any actions to close those gaps. Normally, those actions turn out to be training actions. ISO 9001 and ISO 14001 do not require that training be paid for by employees.

    The following material will provide you information about competency:

    - How to ensure competence and awareness in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-ensure-competence-and-awareness-in-iso-90012015/
    - ISO 14001 Competence, Training & Awareness: Why are they important for your EMS? - https://advisera.com/14001academy/blog/2014/11/26/iso-14001-competence-training-awareness-important-ems/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Determining the scope

    Company XXX located in Anytown, Anystate, USA produces and supplies stainless steel and aluminum for commercial and industrial markets located in the United States, Canada, and Mexico. Our product line includes sheets, blanks, slit coil and master coil with precise tolerances which are available with various finishes and PVC coatings.
    10. QMS Requirements
    Company XXX receives detailed requirements which are already established by our customers, via specifications and drawings; therefore,
    Clause 8.3, Design and Development does not apply and is not within the scope of our QMS.

    Answer:

    The scope is correct. The scope needs to identify the physical locations of the QMS, the products or services that are created within the QMS processes, and the applicable industries, in case this is relevant. Also, it should be clear enough to define what your business does, and if not all parts of the business are applicable, it should be easy to identify which parts are.

    These materials can help you to better understand the scope:

    - Article - How to define the scope of the QMS according to ISO 9001:2015: https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
    - Article - Certifying different legal entities under one certification scope: https://advisera.com/9001academy/blog/2018/03/27/certifying-different-legal-entities-under-one-certification-scope-in-iso-9001/
    - Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free on-line course - ISO 9001:2015 Foundations Course: https://advisera.com/training/iso-9001-foundations-course/
  • Minimal documentation for certification

    1. 00 Procedure for Document and Record Control
    2. 01 Project Plan
    3. 02 Procedure for Identification of Requirements
    4. 03 ISMS Scope Document
    5. 04 Information Security Policy
    6. 05 Risk Assessment and Risk Treatment Methodology
    After editing the above documents and looking at the total number of documents, we are wondering if we need to complete all the documents for a company of our profile or we could limit them to a fewer documents. Maybe, we could consider the relevant and mandatory ones for us to pass the ISO 27001/ ISO 22301 certifications.
    Please advise us on how we could make the document preparation and certification processes faster and easier.

    Answer:

    In fact, you do not need to complete all documents to be compliant with ISO 27001 and ISO 22301. Besides the mandatory documents, the toolkit includes the most commonly used documents, based on results of risk assessments and/or best practices.

    Included in the toolkit there is a List of document files that identifies the mandatory documents and the ones you have to implement only in case you have unacceptable risks to justify their implementation.
