The subject of product safety is specified in article 4.4.1.2 in the IATF 16949:2016 standard.
At the same time, safety issues are mentioned in articles 8.2.2.1, 8.3.3.1, 8.5.1.2, 8.5.2.1, and 9.3.2.1 of the same standard.
ISO 27001 does not prescribe a format to document evidence of InfoSec Awareness Training, so organizations can adopt the format that best fits their needs (e.g., certificates, attendance lists, exam results, etc.).
This article will provide you with a further explanation of competence evidence for ISO 27001:
For an example of a document that can be used as evidence, please take a look at this template: Training and Awareness Plan https://advisera.com/27001academy/documentation/training-and-awareness-plan/
This material may also help you regarding InfoSec Awareness Training:
ISO 27001 does not specify how to document secure system engineering principles, so organizations are free to document them as best fits their needs.
To see a document covering secure system engineering principles compliant with ISO 27001, please see this demo template: https://advisera.com/27001academy/documentation/secure-development-policy/
In its section 3.3 Secure engineering principles you can document the principles you have in place (e.g., adoption of user authentication techniques, secure session control, data validation, etc.), or refer to the documents where they are explained (e.g., documents about guidance on secure programming techniques).
These articles will provide you with further explanation:
ISO 27001 does not require an incident management procedure to be documented, so you only need to document one in case you have a legal requirement (e.g., law, regulation, or contract) demanding such procedure to be documented.
Only response plans require documentation, in case control A.16.1.5 (Response to information security incidents) is stated as applicable in the Statement of Applicability.
While ISO 45001 does not require an analysis of these interdependencies, clause 4.4 does ask that you identify the processes of the OHSMS and understand their interactions. One way that many companies do this is through a flowchart that includes the OH&S processes and their linkages, so that you understand exactly what is included in the OHSMS and how the processes interact, where inputs come from and where outputs go, and can therefore better plan and manage the processes. It is not required to align this with the clauses of the standard, but some companies will also do this.
To learn more about the requirements of ISO 45001 in more plain language, see the whitepaper:
Please note that the incident registers are records, and as such, they should not be deleted and should be evaluated in the context when they were created.
Considering that, for the first case, you need to document which incidents were created only for testing purposes and store this document as a management decision.
For the second case, you need to show to the auditor the incident procedure that was valid at the time the incidents were recorded. The auditor needs to evaluate the processes at that time considering that procedure, not the current one.
I’m not an expert in ISO 45001. However, I recommend looking into clause 4.2 in each standard. If you consider the customer as a relevant interested party, then determine what are their relevant requirements in terms of quality, environment and health, and safety. Then, you can create a customer satisfaction sheet where you ask customers to assess the extent to which the company meets their expectations and needs.
I knew that it wasn't required but just took a shot that there is a clause for it...Thank you for the help!
1 - I'm having trouble with how to rewrite our internal policies so that we can get ISO27001 certified. The main issue I'm having is deciding how detailed our policy needs to be. Basically, what are the minimum requirements to achieve compliance?
For example, ISO27002, 11.2.8 unattended user equipment. We already automatically lock workstations after 5 minutes through group policy. Is that enough to comply with part a)? I'm worried that if I make the policies too detailed, we won't be able to have evidence for everything and we'll get struck with a non-conformity when we fail to present evidence.
Please note that ISO 27001 does not specify how detailed the documents need to be.
Considering that, the level of detail a policy or procedure needs to have, as well as the minimum requirements to be fulfilled will depend mainly on the results of risk assessment and applicable legal requirements (e.g., laws, regulations, and contracts) related to that document.
For example, if you have a contract with a customer defining that workstations need to be locked after three minutes of inactivity, then these will be the requirements you need the document to fulfill. If there are no risks and no requirements, then you are free to define what will be written in the policy.
For further information, see:
2 - Going off the same example I gave you, is it simply showing the auditor that we've configured our group policy to do that enough evidence? Or will they ask for evidence in the form of logs?
Besides the information about what is configured, the auditor will look for evidence that the configuration is indeed implemented. In this case, the easiest way is to observe how long a workstation takes to activate the screen lock. Another test generally applied is to call for an employee, so that the person steps away from the workstation, and then observe whether the person locked the station.
For further information, see:
3 - Something else that interests me is how to deal with remote employees when rewriting our policies? How do we enforce a clear desk policy if they're working from home?
Handling remote employees will depend on which assets they are using.
If they are using the company’s assets, you can configure them to work the same way they work on premises, applying policies that prevent users from changing configurations.
If they are using their own assets, one approach would be to adopt a BYOD policy, so you can enforce the expected use of personal devices when accessing corporate data and systems.
An important element of enforcing policies is the training and awareness of the workforce (whether remote or on-site).
For further information, see:
This material may also help you:
I’m assuming that by date stamping you are referring to the version and date information included in the footer of each document.
In order to prove that the documents are still valid, you can show the auditor that these documents were reviewed by the document owner and considered fit for purpose without the need for changes.
As the evidence of review, you can show to the auditor that the document owner receives a periodic task to review and make changes (if necessary) every “x” months depending on what is defined in the properties within the document. The tasks look like this: https://prnt.sc/-8VvUNAzNGMJ
To access the list of tasks, please access the link “Responsibility Matrix” in the left panel on the Conformio Main screen. From there you can filter the task with “Recurring tasks”.
For further information, see: