ISO 27001 does not specify how to do this for grouped assets - theoretically you could write the names of all asset owners in one cell, but it would be more practical to write something like "all people who are using the asset".
I do not have enough information. Therefore, I will assume a scenario that I think fits the content of the finding. Perhaps your company requires that critical suppliers must have ISO 9001 certification. If that is so, the finding is requesting that you check that suppliers have made the transition to the ISO 9001:2015 version. For example, last week I went to a car shop and they had their ISO 9001 certificate on the wall: it was according to ISO 9001:2008 and was outdated. I would send e-mails or telephone critical suppliers requesting evidence of their transition to the ISO 9001:2015 version.
The following material will provide you with information about external providers:
There is no mandatory way to manage risks associated with environmental aspects, so you can follow your suggestion if it works for you. For example, I normally have an environmental aspects and impacts register and then, for each impact, I list the associated risks in separate columns of the same register.
The following material will provide you with information about the assessment of environmental risks:
It is up to each organization to establish the competency requirements that its internal auditors must meet. Your organization can have a job description for its internal auditors in which the requirements are clearly stated. For example, I see organizations stating that internal auditors must have 20, 30, or 40 hours of training. It is your organization that sets the bar for its internal auditors.
The following material will provide you with information about internal audits:
An Information Security Program is a collection of the controls that an organization needs to have in place to protect information and keep information security risks at acceptable levels.
Considering that, to create an ISP you should use the templates related to Risk Management to identify the risks and their proper treatments, and use the Statement of Applicability to present the applicable controls and how they will be implemented.
You must note that this will be only part of the ISMS, and that you should consider implementing all other documents to ensure the controls you decided to implement will be monitored periodically and improved or adjusted as needed.
Is there a template which defines and documents competence for ISMS roles?
Answer:
Records of experience that can be used are references from previous employers or records of activities performed in the organization itself. Training and education records that can be used are certificates and attendance lists.
A chip manufacturing organization would like to go for ISO 27001 and wants to include only IT managed services in the scope. IT managed services is a support organization that helps the entire business, but its lab environment is different and it would like to keep that out of the ISO 27001 scope. Is that possible?
Answer:
ISO 27001 does not require the ISMS scope to cover the whole organization, so it can be defined as only a small part of it if that fulfills the organization's needs and objectives.
Answer: You cannot directly certify a product or service, or a process of a service/product, but you can include them in the definition of your certificate. For example: The information systems that support service X, according to the Statement of Applicability version x/y/z.
In any case, if the company is small or medium-sized, we recommend including the whole organization in the scope of the ISMS.
In my opinion, small companies should indeed avoid too much documentation, and that is actually the aim of the new standard ISO 9001:2015. Just complying with the mandatory documents, the list of which you can see here - List of mandatory documents required by ISO 9001:2015: https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/ - and deciding about some other commonly used documented procedures should be enough for an organization to succeed in an audit.