>I am reaching out to you for clarification on maintenance again. Please refer to my certificate. It says it is valid for 3 years. I understand we don't need to renew it, but the details on the certificate say otherwise. Can you please help me understand if I am missing something?
Answer:
This period mentioned in the certification relates to how long this certificate can be used in the process of becoming a certification auditor. Since you passed the exam in 2016, this certification is valid until 2019, to be used to fulfill one of the requirements to become a certification auditor. After 2019 you will need to take another exam to have a valid certification for this process.
2. Is there a template for Information related to information security objectives at relevant functions and levels, as required in clause 6.2?
Answer: You can use our Statement of Applicability template to define the objectives for your ISMS and the Measurement Report template to summarize the measurement methods, the frequency of measurement, and the results.
3. Is there a template for the plans to achieve the security objectives, which clause 6.2 requires to have been determined (at least for the majority of the security objectives defined)?
Answer: The security objectives are achieved by treating the risks that can affect them. Considering that, you can use our Risk Treatment Plan to determine precisely who is responsible for the implementation of controls, in which time frame, with what budget, etc.
4. Is there a template that identifies the Needs and expectations of interested parties, as mentioned in clause 4.2?
Answer: You can use our List of legal, regulatory and contractual requirements template to identify and document the requirements of interested parties.
The return of assets control has the objective of ensuring the return of all organizational assets in the possession of employees or contractors upon termination of their work relationship. Considering that, you must include in your list all assets of the organization that are in their possession and that can pose an unacceptable risk to information security. Regarding personal assets, it is important to record them so you know where your information may be stored. When personnel are leaving the organization, you should check whether all organizational assets were returned and whether information on personal devices was deleted.
The application of this control may be tricky in organizations where personnel often use their own equipment, due to privacy questions, or where the organization has a lot of mobile equipment, so you should consider clearly defining who is responsible, and in what circumstances, for assets that can easily be moved out of the organization's premises.
ISO 9001:2015 does not mandate that organizations obtain certificates for all products they buy. Having said that, one must not forget that some legislation may require that. As an auditor, when auditing a company that manufactures a product with CE marking, for example, I can ask to see whether they have CE certificates for the raw materials.
The following material will provide you with information about purchasing:
Answer:
Normally, I consider warehouse temperature monitoring and control under clause 7.1.4. This clause is specifically about environmental items relevant to product or service conformity. Clause 8.5.1 is more general. For example, would you have the same doubt about 8.5.1 b) versus 7.1.5 regarding the calibration of thermometers?
The following material will provide you with information about environmental conditions:
As long as your documents comply with the ISO 27001 standard requirements, you can use any format you think will fulfill your organization's needs. We recommend using our templates, adjusting them to your needs, since they are fully editable and already compliant with the standard's requirements, saving you time and effort. Additionally, the parts of each document that can be changed or must be kept as is are indicated in comments included in each template.
Cancelled change
Answer:
I think you should not mix failed/unsuccessful changes with cancelled changes. With a cancelled change, actually nothing happened (no resources used, no money/time spent, no new/changed functionality, etc.). So, if you have the possibility, define "cancelled" as one of the statuses a change can have. And afterwards, investigate why the change was raised and cancelled. It could be the start of an improvement initiative.
What I meant is: if you have 7 functions, and if you have an SME in a certain technology, use them (one or more persons) for all functions.
Internal review
Documents in our toolkit(s) contain a section on monitoring and measurements, i.e. CSFs and KPIs (with a few examples as well). Please fill in the form and I will be glad to make a demo for you. https://advisera.com/20000academy/free-consultations/
IATF 16949 and ISO Compatibility
Answer:
IATF 16949 covers all requirements of ISO 9001:2015 plus additional requirements specific to the automotive industry. If you are compliant with ISO 9001:2015, you need to implement only the additional requirements of IATF 16949. Some IATF 16949 requirements require the organization to make changes to the existing ISO 9001 processes (e.g. document control, internal audit, management review, etc.), and some require entirely new processes to be established (e.g. product safety, total productive maintenance, etc.).