  • Scope definition


    This has been discussed during our management meeting, and our main trigger is sales related. Most of our customers and prospects strongly request ISO 27001 certification, especially in the last year.

    One thing we are all convinced of is that we would like to attain this, but we still have open points about scope. The main reason is that we are part of a multinational environment and a lot is changing currently. Our IT has been centralized since last year, so there is no local impact on decisions.

    And our backoffice activities will now also get more centralized. From an ISO certification point of view we see a lot of (possible) impact.

    So maybe you could assist me already with one important question: do we need to go for an ISO 27001 certification for the entire organization?

    Or would a certification for a specific part be enough? For example, we mainly require this in environments where we deliver the IT services.

    Would it be possible to get a short reply about the pros and cons? Or maybe a reason not to do this for only a part of the organization?

    I'm responsible for two countries. One already has ISO 9001, the other doesn't.

    Answer: ISO 27001 does not require the entire organization to be in the scope for the certification, so you can define the scope that best suits your organization's needs.

    For small and mid-size organizations (up to 500 employees) it is often better to include the whole organization in the scope, because the effort to keep only part of the organization in the scope is not worthwhile. For bigger organizations, defining a smaller scope may be better to reduce the costs and effort to what really matters for business objectives.

    If your organization is smaller than 50 employees you should go for the whole scope.

    These articles will provide you further explanation about scope definition:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    This material will also help you regarding scope definition:
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Control of documents


    My question is relating to the structure of the documentation, I'm writing the documentation on XXXX and it's going to be (initially) located in a XXXXX.

    I want to make the structure as easy to read/use as possible, so I'm thinking of having sub-folders for the likes of Employee procedures, Data-protection policies, and then the ISMS.

    However, some documentation which would be intended for Employee use (e.g. Computer Acceptable Use Policy) would also form a policy under the ISMS for ISO27001. The same applies for Data Protection Policies (such as Data Portability procedures) - this would be covered in the ISMS and Data Security, so I'm uncertain where to locate it.

    I guess, to cut a long story short, everything I've seen seems to suggest placing all procedures and policies in the ISMS folder, but logically to me that wouldn't work.

    Can you offer any advice?

    Answer: ISO 27001 does not prescribe how you must organize your documents, so you can place them in whatever way is most useful and easiest for your employees to understand.

    My suggestion to you is to keep in the ISMS folder only the high-level policies and procedures (e.g., information security policy, document control procedure, internal audit procedure, etc.), and keep specific policies and procedures in the folders most related to them (e.g., the backup policy could be kept in the folder that contains the IT staff documentation).

    These articles will provide you further explanation about document control:
    - 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
    - One Information Security Policy, or several policies? https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/
    - Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
  • ISO 27001 certifications


    Answer: Certifications are one of the most common alternatives used by organizations when looking for competent personnel, as well as for professionals to demonstrate their knowledge and, for some certifications, experience. So, getting certified can improve your career opportunities.

    Regarding whether there are better certifications than those related to ISO 27001, this will depend on your objectives. There are certifications focused on the technical aspects of information security (e.g., CISSP), and certifications covering the link between information security and the business, with a wider approach to information security management (e.g., CISM). ISO 27001 certifications focus on the requirements of the ISO 27001 standard for the implementation of information security management.

    This article will provide you further explanation about personal certifications:
    - How personal certificates can help your company’s ISMS https://advisera.com/27001academy/blog/2014/10/06/how-personal-certificates-can-help-companys-isms/

    2) If yes, then should I go with ISO 27001 Lead Implementer certification first before I approach the Lead Auditor certification?

    Answer: There is no specific order in which to pursue ISO 27001 certifications. This decision will depend on your career objectives. If you plan to work on an Information Security Management System certification process, then you should consider the Lead Implementer certification. If you plan to ensure the operation of an ISMS, then you should consider the Lead Auditor certification.

    These articles will provide you further explanation about ISO 27001 certifications:
    - What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/

    This material will also help you regarding ISO 27001 certifications:
    - ISO 27001 Lead Auditor Course preparation training [free webinar on demand] https://advisera.com/training/iso-27001-lead-auditor-course/
  • Management review


    However, what is the purpose of conducting a management review and internal audit as part of the initial project when in theory there is nothing yet to review or audit?

    Answer: A BCMS project implementation involves running at least one complete cycle of the management system, which includes the internal audit and management review activities. Without these activities the project cannot ensure the BCMS is properly implemented, operated and improved.

    Regarding issues to be audited, these are some examples:
    - Results of Business Continuity Plans tests
    - Records of operation of implemented controls
    - Level of awareness and competency of personnel

    As for inputs to the management review, besides the results of internal audits, another example is feedback from interested parties.

    These articles will provide you further explanation about ISO 22301:
    - What is ISO 22301 https://advisera.com/27001academy/what-is-iso-22301/
    - Why is management review important for ISO 27001 and ISO 22301? https://advisera.com/27001academy/blog/2014/03/03/why-is-management-review-important-for-iso-27001-and-iso-22301/
  • Evidencing revision

    I believe you are not making a revolution in the quality management system documentation, you are making an evolution. So, it is important to underline that you have made the transition and reviewed the documentation. Changing the revision date and level is very appropriate. Please check clause 7.5.3.2 c).
    The following material will provide you information about the documented information:
    - ISO 9001 – New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Auditor profile


    Answer: ISO 9001 and ISO 27001 have a lot of requirements in common, so you can either change your profile from ISO 27001 auditor to ISO 9001 auditor or accumulate both profiles.

    To acquire the competencies of an ISO 9001 auditor you should attend an auditor course, to learn about the ISO 9001 requirements and how these requirements must be covered by audit techniques and methodologies. After that you should seek opportunities to be part of an ISO 9001 audit process in order to practice.

    These materials will also help you regarding becoming an ISO 9001 auditor:
    - ISO 9001 internal auditor training: Is it for me? https://advisera.com/9001academy/blog/2015/06/02/iso-9001-internal-auditor-training-is-it-for-me/
    - ISO 9001:2015 Internal Auditor Course https://advisera.com/training/iso-9001-internal-auditor-course/
  • ISMS internal and external parties


    Answer: Internal parties are those under the responsibility of the organization to which the ISMS belongs. Examples are employees and contractors working on behalf of the organization.

    External parties are those outside the control of the organization that interact with it (e.g., customers, stakeholders, providers, etc.) or that can affect the ISMS (e.g., government, regulators, etc.).

    This article will provide you further explanation about interested parties:
    - How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301/

    These materials will also help you regarding interested parties:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Audit template content


    Answer: Clauses 4.2.1 and 4.2.2 are from ISO 22301, and the two questions identified for clause 4.2 in the ISO 22301 audit checklist cover the points that must be fulfilled to be compliant with this section, namely:
    - identification of interested parties relevant to the BCMS
    - documentation of interested parties relevant to the BCMS and their requirements

    So the way these questions are formulated does not affect the standard's implementation.

    2- Also, later in the table, there are parts which are named the letter A in the beginning (for example A.5.1.1) - can you please explain to me what's this about?

    Answer: The questions identified by the letter A at the beginning refer to the controls from ISO 27001 Annex A, and they are applicable only if you implemented ISO 27001.

    For a better understanding of our templates I recommend that you read the comments included in them, because they can provide guidance on issues like this.
  • Managing EAIA


    Answer:

    First you have to make an environmental assessment to determine the environmental aspects of your organization. I use flowcharts, visit facilities, speak with workers, and request figures from the purchasing and accounting departments in order to get a list of how an organization interacts with the environment. Then, I determine the environmental impacts. To determine which are significant or not, I look for environmental legislation, and whenever an organization does not comply, we have a significant environmental aspect and impact. For all aspects, regardless of legislation, I perform an evaluation very similar to your "Quantity, Occurrence, Impact, Detection and Control". I designed a scale of measurement for each topic. For example:

    Occurrence

    1 point – Can occur but never occurred before

    2 points – Occurs less than one time per year

    3 points – Occurs more than one time per year

    4 points – Occurs every month

    5 points – Occurs whenever the activity is performed

    For each parameter I determine the measure to apply. Then I calculate a general level of significance (GLS) like:

    GLS = Quantity x Occurrence x Impact x Detection x Control

    And I set a number above which all GLS values are considered significant. If an aspect is legislated and there is no compliance, there is no need for calculations; it is automatically significant.

    The following material will provide you information about assessment of environmental interactions:

    - ISO 14001 – 4 steps in identification and evaluation of environmental aspects - https://advisera.com/14001academy/knowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/
    - Environmental aspects in the manufacturing sector - https://advisera.com/14001academy/blog/2015/06/22/environmental-aspects-in-the-manufacturing-sector/
    - ISO 14001:2015 – How to set criteria for environmental aspects evaluation - https://advisera.com/14001academy/blog/2016/10/31/iso-140012015-how-to-set-criteria-for-environmental-aspects-evaluation/
    - List of ISO 14001 implementation steps - https://advisera.com/14001academy/knowledgebase/list-of-iso-14001-implementation-steps/
    - free preview - Procedure for Identification and Evaluation of Environmental Aspects and Risks - https://advisera.com/14001academy/documentation/procedure-for-identification-and-evaluation-of-environmental-aspects/
    - free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • Programs and environmental objectives

    My understanding is that we are arriving at the objectives and targets and then we are making a program for them.
    The question is: should the program have the same subject as the objectives?
    That means the program is an extension of the objectives and targets with the detailed plan. Is that right?
    Or can the program be different from the objectives selected?

    Answer:

    First of all, ISO 14001:2015 no longer mentions the word program associated with objectives and targets. That does not mean that an organization is prevented from using it.

    1. An organization establishes its environmental objectives and targets (clause 6.2.1 of ISO 14001:2015);

    2. An organization establishes one or more projects for each objective in order to meet the target at due date and within budget of resources (clause 6.2.2 of ISO 14001:2015);

    3. Program is no longer mentioned in ISO 14001:2015, but it can still be used as a set of projects coordinated with each other that aim at a common objective.

    For example:

    Objective 1 - Reduce water consumption

    Target 1 – by 8% until the end of 2018

    Project 1.1 – Reduce water consumption in the manufacturing process

    Project 1.2 - Reduce water consumption in the gardening

    Project 1.3 – Reduce water consumption at the canteen

    Managing the program means coordinating Projects 1.1, 1.2 and 1.3 in order to meet the target.

    The following material will provide you information about objectives, targets and programs:

    - ISO 14001 – How to Use Good Environmental Objectives - https://advisera.com/14001academy/knowledgebase/how-to-use-good-environmental-objectives/
    - free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/