Does the retention time mean that all entries related to the ISMS that are in the mail register (in our case our CRM) have to be deleted after X (three) years, or ALL registrations which are older than three years? Moreover, why should you want to delete entries of documents that may still be relevant? I find this document retention situation where mail is concerned very very confusing.
Answer: The retention time refers to entries related to the ISMS only, and it must be defined considering precisely the time frame you consider that information will be relevant to the organization. For example, if you consider that the information in your incoming mail register will only become irrelevant after 5 years, then you must define the retention time as 5 years. Issues you should consider for defining the retention time are business objectives and contractual or legal clauses.
This article will provide you further explanation about document control:
- Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
1. How should top management promote the use of process approach and risk based thinking?
2. How should the organization’s communication process enable people doing work under the organization’s control to contribute to the IMS and its continual improvement?
Answer:
1. Showing the importance of their involvement in the implementation project and of using the process approach and risk-based thinking, as well as ensuring that all employees at a lower level have a channel where they can feed their opinions upwards for consideration by the management team.
2. You can organize an awareness session with the employees of your organization explaining the benefits and myths of implementing IMS and the importance of their involvement in the project.
Answer: An incident should be recorded separately, because it has really happened (the risk has materialized), while a risk is a potential occurrence (registering them together may cause confusion). Information to be recorded should not be limited to the event identified, but should also contain information about how it was treated, so this record can be used as a reference in the future.
1. ISO 27001 foundation course;
2. ISO 27001 internal auditor course;
3. EU GDPR foundations course; and
4. EU GDPR Data Protection Officer course.
Therefore, I appreciate to have a response on the following questions:
1. How many months or years does it take to implement both standards as an integration?
2. Could a small-mid size company as a Data Center meet compliance in 5 months with 1 person doing the project?
Answer: For both questions, the time to implement ISO 27001 will depend on many variables, like the size of the organization, the complexity of the scope, the resources available (including people doing the project), etc., but in general, for small and medium-sized organizations the implementation duration can vary from 3 to 12 months. When considering an integrated implementation with GDPR, you should consider 10% to 20% more time, due to the specificities of the GDPR.
My question is about the four documented procedures: a procedure for the control of documents, a procedure for internal ISMS audits, a procedure for corrective action, and a procedure for preventive action. Should the risk assessment and treatment be a documented procedure? Is it mandatory?
Answer: These 4 procedures you mentioned were mandatory according to the previous revision of the standard, but they are not mandatory according to the latest revision of ISO 27001. However, the organization can document these procedures if it considers they will help fulfil the ISMS objectives.
ISO 27001 says it is mandatory to document the risk treatment process, and this is usually done through the risk assessment and treatment methodology.
Do the inspectors write the findings in the relevant Annex A as evidence, indicating the nonconformities they have identified from Annex A? For example, does the auditor specify "A.9.4.4 by using the number 9.9.4, or by associating it with one of the first 10 items of the standard" in relation to the use of privileged support programs?
Answer: We are unaware of any such IAF recommendations about ISO 27001 audits, but what I can tell you is that non-conformity statements must be as precise as possible, and if an auditor can directly state a control from ISO 27001 Annex A, then he should do it to make the understanding and resolution of the non-conformity easier.
What is common is that, when applicable, the auditor states both controls from Annex A and requirements from the main sections of the standard. For example, non-conformities related to control A.7.2.2 (Information security awareness, education and training) may also be associated with non-compliance with requirement 7.2 Competence.
Password complexity
Answer: ISO 27001 does not specify requirements for password complexity, so organizations are free to adopt criteria that best suit them. ISO 27002, a supporting standard which provides recommendations and guidance for the implementation of ISO 27001 Annex A controls, suggests passwords should be:
- easy to remember;
- not based on anything somebody else could easily guess or obtain using information like names, telephone numbers and dates of birth etc.;
- not based on words included in dictionaries;
- free of consecutive identical characters;
- made of numeric and alphabetic characters.
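As an added illustration (not part of the original answer or of ISO 27002 itself), the Python check below enforces the four of those criteria that can be evaluated mechanically; the word list and the personal-information tokens are constructed samples, and "easy to remember" is left to human judgement.

```python
import re

# Constructed sample word list; a real deployment would load a full dictionary.
DICTIONARY = {"password", "welcome", "summer", "dragon", "monkey", "letmein"}

# Common digit/symbol substitutions undone before the dictionary check,
# so that "Passw0rd" is still recognised as "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

PERSONAL = "based on personal information"
DICT_WORD = "based on a dictionary word"
REPEAT = "contains consecutive identical characters"
MIX = "must contain both alphabetic and numeric characters"


def _tokens(values):
    """Split personal-info strings (names, phone numbers, dates) into tokens of 3+ chars."""
    out = set()
    for v in values:
        out.update(t.lower() for t in re.findall(r"[A-Za-z0-9]+", str(v)) if len(t) >= 3)
    return out


def check_password(pw, personal_info=()):
    """Return the ISO 27002 criteria the password fails (empty list means it passes)."""
    failures = []
    lower = pw.lower()
    # Not based on names, telephone numbers, dates of birth, etc. supplied by the caller.
    if any(tok in lower for tok in _tokens(personal_info)):
        failures.append(PERSONAL)
    # Not based on dictionary words: compare the raw and the de-leeted, letters-only forms.
    candidates = {re.sub(r"[^a-z]", "", lower),
                  re.sub(r"[^a-z]", "", lower.translate(LEET))}
    if any(word in cand for word in DICTIONARY for cand in candidates):
        failures.append(DICT_WORD)
    # Free of consecutive identical characters.
    if re.search(r"(.)\1", pw):
        failures.append(REPEAT)
    # Made of numeric and alphabetic characters.
    if not (re.search(r"[0-9]", pw) and re.search(r"[A-Za-z]", pw)):
        failures.append(MIX)
    return failures


if __name__ == "__main__":
    for pw, info in [("Passw0rd", []), ("jane1985xk", ["Jane Smith", "1985-04-12"]),
                     ("Tr4vel-Ostrich9", [])]:
        print(pw, "->", check_password(pw, info) or "OK")
```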
1- Which is the best approach to be used during risk assessment: the asset-based or the process-based approach?
Answer: First it is important to understand that ISO 27001 does not prescribe an approach to perform risk assessment, so you can choose the approach that better suits your needs.
Asset-based risk assessment is easier to perform, while process-based risk assessment can provide you with a more understandable context in which to identify and evaluate risks.
2 - At what Stage do you determine residual risk and how best can it be done?
Answer: You determine residual risk after the definition of the risk treatment option and controls to be implemented (definition of the risk treatment plan).
If you are interested in working as a consultant implementing ISO 9001:2015 or ISO 17025 you can attend a Lead Implementer Course, since that course can help you to understand and implement the standards and then get the Lead Implementer certificate in order to prove your competence. Also, a Project Manager Certificate can be helpful because you will learn how to run projects.
We have available this free on-line course - ISO 9001:2015 Foundations Course: https://advisera.com/training/iso-9001-foundations-course/ After attending the course you can obtain a certificate that proves that you passed the exam.
If you want to implement ISO standards you will need to plan some financial and personnel resources in order to carry out the implementation project efficiently. The cost will vary depending on many factors such as the size of the organization and the complexity of the processes.