
  • Main documents for certification


    Answer:

    The main challenge with auditors or Certification Bodies happens when organizations focus on writing the documents without taking care that the described activities are really implemented and documented. A second one is keeping the documentation updated when changes are implemented in the ISMS environment.

    Regarding specific areas and documentation, you must focus on writing all the mandatory documents (included in the toolkit there is a List of Documents file that identifies these ones), and base all the controls to be written and implemented on the results of the risk assessment.

    These articles will provide you further explanation about documents:
    - List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
  • Implementing ISO 14001

    Environmental management and control, to be effective, cannot be the task of one particular person; it takes the whole organization and its people to develop, implement and monitor environmental management and control.
    According to the conclusions of the environmental assessment (clause 6.1 of ISO 14001:2015) several action plans can be developed to act at several levels of the organization and with different roles and functions.
    The following material will provide you information about implementing ISO 14001:
    - ISO 14001 – List of ISO 14001 implementation steps - https://advisera.com/14001academy/knowledgebase/list-of-iso-14001-implementation-steps/
    - free online training ISO 14001:2015 Internal Auditor Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • Risk treatment implementation

    Now we would like to get certified and we are communicating with the certification companies for the audit and certification. My question is: since we have not yet implemented all the controls, is that a problem? Or, since we included the implementation in the treatment plan for a future date, is this covered? ... In other words, if we decided that the Annex A controls should be implemented, is it a must to implement them before getting certified for ISO 27001?

    Answer:

    You can leave some of the controls for the implementation for after the certification under the following conditions:
    1) That you have implemented before the certification the controls that mitigate the biggest risks – in other words, you can leave only less important controls for after the certification.
    2) That you have specified the deadlines for the controls that you will be implementing after the certification in your Risk Treatment Plan – of course, those deadlines must be after the certification date.
    3) That your risk owners or top management accept all the risks for which controls have not been implemented before the certification.

    This means that the most important controls must have "implemented" status at the certification, while the less important controls can have status "planned" or "partially implemented" at the moment of the certification. Of course, for controls with status "partially implemented" you have to keep evidence of activities already performed regarding the implementation (the certification auditor won't audit the control, but he will verify whether the implementation plan is being executed).
  • Top management and information security

    Top management usually are focused on sales and goal achievement and, though they can be worried about information security, I can imagine his face when I ask them to establish the ISMS and the information security policy and objectives. I am not saying they don't want to cooperate or support the implementation of ISO 27001, but for sure he will tell me "you are the expert in information security!! You have to establish policies and objectives!!"
    How can I help him/them to define policies and objectives? In fact, if I were the CEO I would not be as familiar with information security as I am, so I would not be surprised to receive such an answer.

    Answer:

    As you mentioned, top management normally are not familiar with information security, so it is you who have to help them with your knowledge to define information security policies and objectives (not the other way around). You can do that by asking them what they consider most relevant to the business, and based on their answer develop the information security policies and objectives in a way that will support these issues.
    For example, if they are focused on sales, one security objective may be to decrease the downtime of the website through which the organization does its sales. Another issue that may be relevant to top management is customer satisfaction, and a security objective may be to protect customer data against unauthorized access.

    Based on these objectives you can develop the information security policy, and other policies as well.

    These articles will provide you further explanation about gathering top management information:
    - Top management perspective of information security implementation https://advisera.com/27001academy/blog/2012/12/04/top-management-perspective-of-information-security-implementation/
    - How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
    - Aligning information security with the strategic direction of a company according to ISO 27001 https://advisera.com/27001academy/blog/2017/02/20/strategic-direction-of-a-company-according-to-iso-27001/
  • Cloud security controls


    Answer:

    ISO 27001 controls are generic enough to cover cloud information security risks without the need to rely on ISO 27017, so it is not mandatory to look at ISO 27017 for ISO 27001 certification purposes.

    Regarding external auditors, they will only look for ISO 27017 controls if your organization has identified that they are a requirement for your ISMS (e.g., your organization must comply with a law, regulation or contract that demands ISO 27017 controls).

    These articles will provide you more information:
    - ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
    - Which questions will the ISO 27001 certification auditor ask?
    - Infographic: The brain of an ISO auditor – What to expect at a certification audit https://advisera.com/articles/infographic-the-brain-of-an-iso-auditor-what-to-expect-at-a-certification-audit/
  • DPO requirement for online company who has 1 employee


    Answer:

    Appointing a DPO is only compulsory if (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; or (b) the core activities of the legal entity consist of processing operations which, by their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the legal entity consist of processing on a large scale of special categories of data pursuant to Article 9 of the EU GDPR and personal data relating to criminal convictions and offences referred to in Article 10 of the EU GDPR.

    So, as you can see there is no need for you to be appointed DPO.

    To learn more about the role of the DPO check out our webinar “Role of the DPO according to EU GDPR” (https://advisera.com/eugdpracademy/webinar/role-of-the-dpo-according-to-eu-gdpr-free-webinar-on-demand/).
  • Owner of the quality manual


    Answer:
    The Quality Manual is a document that tops the QMS documentation hierarchy. So, organizations normally make the Quality Manual a document to be approved by top management, the source of authority in the organization. BTW, I would not use the word process here.

    The following material will provide you information about documentation structure:

    - ISO 9001 – How to structure quality management system documentation - https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Who should access risk management documents


    Answer: When you perform the risk assessment, you should also assess the risks related to these ISMS documents - if the risks are high, then you should allow only a very few people to access them; if the risks are low, then you can allow a wider circle of people to access them.

    This principle is called the classification of information - you can find more information in this article: https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
  • Defining the scope of ISO 27001


    Answer: For a smaller company of up to 50 employees, the best approach is to include your whole company in the ISO 27001 scope, because it would be too costly to try to keep a part of such a small company out of the scope.

    For larger companies (e.g. more than 500 employees) you should choose a department or a location to include in the scope for the beginning - after you successfully implement the standard in such smaller scope, then you can expand further.

    For companies between 50 and 500 employees - you should assess which approach between the two described better fits you.

    Here are some articles that will help you:
    - How to define the ISMS scope: https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the ISMS scope: https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    This free online training will also help you with scoping: ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Handling maintenance


    Answer:
    I list all equipment and determine which is critical and deserves/needs preventive maintenance. For those that are not critical, I only record any corrective maintenance done and the costs incurred. ISO 9001:2015 is very general about infrastructure; what is important is its effectiveness. You don't want nonconformities or delays, for example, because of equipment breakdown or equipment malfunction.

    The following material will provide you information about maintenance:

    - ISO 9001 blog - Understanding Resource Management in ISO 9001 - https://advisera.com/9001academy/blog/2014/02/11/understanding-resource-management-iso-9001/
    - Plan for Preventive Maintenance of Equipment - https://advisera.com/9001academy/documentation/plan-preventive-maintenance-equipment/
    - free online training ISO 9001:2015 Foundations Course - https://training.advisera.com/course/iso-90012015-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/