
  • Customer Satisfaction Sheet

    I’m not an expert in ISO 45001. However, I recommend looking into clause 4.2 in each standard. If you consider the customer as a relevant interested party, then determine what their relevant requirements are in terms of quality, environment, and health and safety. Then, you can create a customer satisfaction sheet where you ask customers to assess the extent to which the company meets their expectations and needs.

  • TIME CLOCK POLICY AND PROCEDURES

    I knew that it wasn't required but just took a shot that there is a clause for it... Thank you for the help!

  • Policies details

    1 - I'm having trouble figuring out how to rewrite our internal policies so that we can get ISO 27001 certified. The main issue I'm having is deciding how detailed our policy needs to be. Basically, what are the minimum requirements to achieve compliance?

    For example, ISO 27002, 11.2.8 unattended user equipment. We already automatically lock workstations after 5 minutes through group policy. Is that enough to comply with part a)? I'm worried that if I make the policies too detailed, we won't be able to have evidence for everything and we'll get hit with a non-conformity when we fail to present evidence.

    Please note that ISO 27001 does not specify how detailed the documents need to be.

    Considering that, the level of detail a policy or procedure needs to have, as well as the minimum requirements to be fulfilled, will depend mainly on the results of the risk assessment and the applicable legal requirements (e.g., laws, regulations, and contracts) related to that document.

    For example, if you have a contract with a customer defining that workstations need to be locked after three minutes of inactivity, then these will be the requirements you need the document to fulfill. If there are no risks and no requirements, then you are free to define what will be written in the policy.

    For further information, see:

    2 - Going off the same example I gave you, is it simply showing the auditor that we've configured our group policy to do that enough evidence? Or will they ask for evidence in the form of logs?

    Besides the information about what is configured, the auditor will look for evidence that the configuration is indeed implemented. In this case, the easiest way is to observe how long a workstation takes to activate the screen lock. Another test generally applied is to call an employee away from the workstation and observe whether the person locked the station before leaving.

    For further information, see:

    3 - Something else that interests me is how to deal with remote employees when rewriting our policies? How do we enforce a clear desk policy if they're working from home?

    Handling remote employees will depend on which assets they are using.

    If they are using the company’s assets, you can configure them to work the same way they work on premises, applying policies that prevent users from changing configurations.

    If they are using their own assets, one approach would be to adopt a BYOD policy, so you can enforce the expected use of personal devices when accessing corporate data and systems.

    An important element of enforcing policies is the training and awareness of the workforce (whether remote or on-site).

    For further information, see:

    This material may also help you:

    • Free Security Awareness Training: https://advisera.com/training/awareness-session/security-awareness-training/ - this is a series of 25 videos that cover various topics related to security.

    • Audit point

      I’m assuming that by date stamping you are referring to the version and date information included in the footer of each document.

      In order to prove that the documents are still valid, you can show the auditor that these documents were reviewed by the document owner and considered fit for purpose without the need for changes.

      As the evidence of review, you can show to the auditor that the document owner receives a periodic task to review and make changes (if necessary) every “x” months depending on what is defined in the properties within the document. The tasks look like this: https://prnt.sc/-8VvUNAzNGMJ

      To access the list of tasks, please access the link “Responsibility Matrix” in the left panel on the Conformio Main screen. From there you can filter the tasks with “Recurring tasks”.

      For further information, see:

      • How to manage documents according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2021/06/27/how-to-manage-documents-according-to-iso-27001-and-iso-22301/

      • ISO 14001

        Your inputs are really helpful for me. Thank you so much, Sir.

      • Risk Management Questions

        Can you help me with the following questions?

        1. What level of detail is necessary in the process of identifying and analyzing risks to information assets, since many risks could be formulated for each asset?

        ISO 27001 does not prescribe a level of detail for the identification and analysis of risks, so you can adopt the level of detail that you consider will provide confidence that you assessed the most relevant risks.

        This means that for some assets 1 or 2 risks may be enough, but for others, you may understand that a greater number of risks needs to be considered.

        To have a parameter, when using the asset-threat-vulnerability approach, a small organization generally identifies between 30 and 60 assets, with 3 vulnerabilities and 2 threats for each asset, so they identify between 180 and 360 risks.

        For further information, see:

        2. Can assets be grouped for risk analysis? We have many servers with similar characteristics and possibly the same level of exposure to the same threats. What considerations should be taken into account to group assets to facilitate risk analysis?

        ISO 27001:2013 leaves you free to use any method you consider proper to assess information security risks, as long as it meets clause 6.1.2 (information security risk assessment). So, you can assess a set of assets as a single one to identify and evaluate common risks, as long as they are similar (in your case, the servers). As a consideration point, you should also group assets considering the asset owner and other parameters that can make it easier to handle them (e.g., servers that are in the same location).

        This article will provide you with further explanation:

        3. Is there a catalog of predefined and/or recommended Threats that can be used as a basis for risk analysis?

        In the Risk Assessment Table template included in your toolkit, in folder 05 Risk Assessment and Risk Treatment, you will find a tab called “Threats” with a catalog of suggested threats.

        4. Is there a catalog of predefined and/or recommended vulnerabilities that can be used as a basis for risk analysis?

        In the Risk Assessment Table template included in your toolkit, in folder 05 Risk Assessment and Risk Treatment, you will find a tab called “Vulnerabilities” with a catalog of suggested vulnerabilities.

        5. Is there a catalog of recommended controls that can be used as a basis to propose the ideal controls for the treatment of identified risks?

        In the Risk Treatment Table template included in your toolkit, in folder 05 Risk Assessment and Risk Treatment, you will find a tab called “Controls” with the catalog of controls defined in ISO 27001 Annex A.

        These controls are used in the Risk Treatment tab, in column K “Means of implementation”.

        For further information, see:

        • Risk treatment https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment

        • Best method of internal audit checklist

          I’m assuming that your question is about which method to use (open/closed questions) when using a process-based approach for the audit.

          Considering that, the method will depend on your objective:

          • If you want to find out documents/records related to the process, the closed question method is more appropriate
          • If you want to find out people’s understanding of the process, the open question method is more appropriate

          In a process-based approach to elaborating an audit checklist, the questions should cover the process’s elements:

          • Customers: the entities which receive/use the outputs (e.g., customers, other departments/processes, etc.). For this element either closed or open questions can be used, depending upon what you want to verify.
          • Outputs: what the process is intended to deliver (e.g., information, a product, a service, etc.). For this element either closed or open questions can be used, depending upon what you want to verify.
          • Tasks: what needs to be done, by whom, how, when. For this element, open questions are more useful.
          • Inputs and resources: the material that is needed to produce the outputs (e.g., raw material, specifications, manuals, policies, procedures, etc.) and required infrastructure (e.g., equipment, competencies, facilities, etc.). For this element either closed or open questions can be used, depending upon what you want to verify.
          • Suppliers: the entities that supply the inputs and resources (manufacturers, other departments/processes, etc.). For this element either closed or open questions can be used, depending upon what you want to verify.
        • ISO 27001 Toolkit

          The most similar documents to be used are the documents for risk assessment and treatment and for the risk treatment plan. You can develop the process of web application vulnerability assessment as a subprocess of ISO 27001 Risk assessment (in the Methodology document).

          The documents for risk assessment and treatment can be found in the folder 05 Risk Assessment and Risk Treatment.

          The document for risk treatment plan can be found in the folder 07 Implementation Plan.

        • 17025 consulting

          I understand from your question that you are asking whether you can postpone the surveillance assessment by the accreditation body.

          It depends on when your accreditation cycle ends and the certificate of accreditation expires. You need to refer to the specific policy of your accreditation body and engage with them. There may be some flexibility with the date for a surveillance assessment; however, it depends on the availability of assessors. If the laboratory is at the end of the accreditation cycle and the full reaccreditation assessment is due, the laboratory would need to close any nonconformances before the expiration date anyway.

          Consider the laboratory’s commitment to clients, its obligations as an accredited laboratory (contractual agreement with the accreditation body), and its options. If there are major issues, then they need to be identified, documented and addressed as a matter of priority. If these are minor issues that do not affect the validity of results, then acknowledge and start addressing them before the assessment. Then deal with the nonconformances raised by the accreditation body. If the validity of results is in question, then taking on work should typically be suspended until the issues are resolved. There are situations where a laboratory is obliged to go into voluntary accreditation suspension and cannot claim to be accredited until reassessed.
