Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11277 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
In-house verification instead of outside calibration
Answer:
First, do not forget that clause 7.1.5 is about monitoring and measuring resources used to verify conformity of products and services. Monitoring and measuring resources used to verify conformity of processes is not mandatory.
Second, your suggestion is acceptable and used by several organizations.
The following material will provide you information about monitoring and measuring resources:
- ISO 9001 – Analysis of measuring and monitoring requirements in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/analysis-of-measuring-and-monitoring-requirements-in-iso-90012015/
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-14001-internal-auditor-course/ ations-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
Integrating ISO 27001 to business
(1 - I would like to know more about the elements of document control procedures, corrective and preventive actions and internal audit. How specifically will I put this in the company's documentation what stage? In addition to document control procedures, corrective and preventive actions and internal audit, roles and responsibilities of employees, suppliers and third parties, contracting terms and conditions, operating procedures of information processing facilities.)
Answer: For detailed information about the issues you stated, I suggest you these articles:
- Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
- Practical use of corrective actions for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2013/12/09/practical-use-of-corrective-actions-for-iso-27001-and-iso-22301/
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
- How to perform an ISO 27001 second-party audit of an outsourced supplier https://advisera.com/27001academy/blog/2017/10/10/how-to-perform-an-iso-27001-second-party-audit-of-an-outsourced-supplier/
- How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
Regarding how you can implement these in you organization, you must first identify your organization's approach toward document control. If your organization has no document control procedure at all, I suggest you to take a look at the free demo of our Procedure for Document and Record Control at this link: https://advisera.com/27001academy/documentation/procedure-for-document-and-record-control/
Regarding contracting terms and conditions and operating procedures of information processing facilities, their content will depend on the results of a risk assessment to identify the relevant risks that must be treated.
These articles will provide you further explanation about ISO 27001:
- ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
These materials will also help you regarding IS 27001:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
- ISO 27001:2013 Internal Auditor course https://advisera.com/training/iso-27001-internal-auditor-course/
2 - Como se daria essas auditorias?
(2- How would these audits be done?)
Answer: The performing of internal audits follow these general steps:
- Audit planning
- Audit performing
- Audit report
- Audit treatments follow up
In the previous answer you can find additional references.
3 - O que é possível, prático e aceitável elaborar por tabelas?
(3 - What is possible, practical and acceptable to elaborate by tables?)
Answer: ISO 27001 does not define how to implement the documentation (only requires that documents and records must be controlled), so organizations are free to implement them as they see fit. So, tables are acceptable as a mean to control documents if they can fulfill the standard's requirements.
This article will provide you further explanation about document elaboration:
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/ -
Stage 1 and stage 2 audits
Answer:
Sorry, I cannot help you regarding ISO 2200 but about ISO 9001:2015 - First comes the stage 1 audit, the auditor (or audit team) will review the management system documentation and compare it with the requirements of the standard and will verify if the scope of certification is clear and doesn’t present a misleading information. Also included is a review to ensure that internal audits and management review are being planned and performed, and that the level of implementation of the management system indicates that the organization is prepared for the stage 2 audit.
If weaknesses are identified in the Stage 1 audit, these must be corrected by the organization before the Stage 2 audit.
While stage 1 audit is about documentation and is normally performed in a meeting room, stage 2 audit is performed at the places where people do t heir jobs and is much more practical, much more about whether the employees are complying with everything that is written in the documentation. This is achieved by means of interviewing the employees, examining the relevant documents, records, forms and guidelines and also by visiting relevant areas of the organization. The point is – the auditor can talk to anyone, visit any part of your company and see and document within the scope of the certification.
The following material will provide you information about implementing a QMS:
- ISO 9001 – How to deal with nonconformities in an ISO 9001 certification audit - https://advisera.com/9001academy/blog/2015/06/09/how-to-deal-with-nonconformities-in-an-iso-9001-certification-audit/
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- book – Preparing for ISO Certification Audit: A Plain English Guide - https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/ -
Categories of Personal Data
For example: If this processing includes bank account number, which in its own right is not enough to identify a „Data Subject“, should we include that in the „Categories of Personal Data“ column? What about amounts, dates etc. ?
Answer:
Personal data is defined in EU GDPR article 4 – “ Definitions“ https://advisera.com/gdpr/definitions/ ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physio logical, genetic, mental, economic, cultural or social identity of that natural person. You can easily observe that the definition is very broad.
Coming back to your question you need to put in there also that information which relates to a data subjects and bank account is one of these information. To continue with some examples you can use the following taxonomy:
□ Personal master data (e.g. Name, surname, date of birth,)
□ Communication data (e.g. telephone, e-mail, address)
□ Contract master data (contractual relationship, product or contract interest)
□ Customer history
□ Contractual invoicing and payment data
□ Planning and control data.
□ Academic and professional data (training / qualifications, professional experience).
□ Employment details (work center, job position and department).
□ IP addresses
□ Transaction data (bank accounts, transaction history etc.)
To learn more about personal data under the EU GDPR see this free online training GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course// -
Filing criteria
Answer:
There is no universal rule for filing ISO 14001 records. You can file by clauses or, for example by topics like: Calibration Records for Monitoring & Measurement Equipment or Compliance obligations records
The following material will provide you information about records of an EMS:
- ISO 14001 – ISO 14001 Control of Records - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/iso-14001-control-of-records/
- How to structure ISO 14001 documentation - - https://advisera.com/14001academy/blog/2016/11/28/how-to-structure-iso-14001-documentation/
Checklist of Mandatory Documentation Required by ISO 14001:2015 - https://info.advisera.com/hubfs/14001Academy/14001Academy_FreeDownloads/Checklist_of_ISO14001-2015_Mandatory_Documentation_EN.pdf?t=1493193615266
- book - TH E ISO 14001:2015 COMPANION – A A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/ -
Implementation duration
Answer:
It is a big challenge, their present QMS is pre-process approach that was introduced in 2000. Do not try to do it alone, arrange a team to implement the new QMS. I do not know the dimension of your organization, but consider the following advice:
The duration of implementation depends primarily on the size of the organization, for example:
Smaller organizations (up to 50 employees) usually implement the standard in less than 8 months.
Mid-size organizations (up to 500 employees) usually implement the standard in 8 to 12 months.
Large organizations (500 employees and more) – implementation usually lasts 12 to 15 months.
Beware of companies that drag such projects on for too long (e.g., small companies for more than 12 months) usually never finish the project.
The following material will provide you information about implementing a QMS:
- ISO 9001 – Five tips to ensure your ISO 9001:2015 implementation is successful - https://advisera.com/9001academy/blog/2016/10/04/five-tips-to-ensure-your-iso-90012015-implementation-is-successful/
- How long does it take to implement an ISO 9001-based QMS? - https://advisera.com/9001academy/blog/2016/07/05/how-long-does-it-take-to-implement-an-iso-9001-based-qms/
- Gaining employee buy-in for your ISO 9001:2015 implementation - https://advisera.com/9001academy/blog/2015/12/15/gaining-employee-buy-in-for-your-iso-90012015-implementation/
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
AS9100 Rev D requirements for FAI
Answer:
You are correct. In clause 8.5.1.3 of AS9100 Rev D, which covers Production Process Verification, there are the requirements which are referred to as First Article Inspection (FAI). The requirements within this clause make no reference to AS9102, and therefore the process of AS9102 is not a requirement of AS9100 Rev D. So, unless you are required by customer to use the AS9102 process and forms these requirements can be fulfilled in other ways as you determine adequate.
For more information on this see the article: https://advisera.com/9100academy/blog/2017/11/07/how-does-first-article-inspection-fit-into-as9100-rev-d/ -
ISMS implementation strategies
Option 1: Documentation Toolkit
Option 2: Conformio (As I understand, it comes to together with documentation template).
It seems that some consultancy is still needed for this company. What is your advise? How much consultancy is needed?
The scope is - NOC & SOC. (Staff around 15)
Total number of Staff 20 to 30.
Answer: The extent to which a consultancy is needed depends on the complexity and size of the scope, on the extent of the organization, and on the time and resources available. Considering that, and the information you already provided, the options would be:
- Use a consultant to perform most of the effort to implement the ISMS
- Use a consultant only to support the staff on specific issues, leaving the organization's staff with most of the implementation effort.
Each one of them have their advantages and disadvantages. For more information, I suggest you the following materials:
- 3 strategic options to implement any ISO standar d https://advisera.com/blog/2016/04/11/3-strategic-options-to-implement-any-iso-standard/
- Implementing ISO 27001 with a consultant vs. DIY approach https://info.advisera.com/27001academy/free-download/implementing-iso-27001-with-a-consultant-vs-diy-approach
2 - What is the rough estimate timeline for ISMS implementation.
Answer: With the information you provided, the implementation duration would be something between 3 and 12 months. For a more precise estimative, considering the aspects mentioned on the first answer, I suggest you to use our Free Calculator – Duration of ISO 27001/ISO 22301 Implementation at this link: https://advisera.com/27001academy/free-tools/free-calculator-duration-of-iso-27001-iso-22301-implementation/
For more information, please see these articles:
- How long does it take to implement ISO 27001 / BS 25999? https://advisera.com/27001academy/blog/2011/11/08/how-long-does-it-take-to-implement-iso-27001-bs-25999/
- How much does ISO 27001 implementation cost? https://advisera.com/27001academy/blog/2011/02/08/how-much-does-iso-27001-implementation-cost/
3 - What will be steps and best approach for me to assist this company.
Answer: Roughly speaking, ISO 27001 implementation steps can be resumed in:
1) getting management buy-in for the project;
2) defining ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding organizational context and requirements of interested parties;
3) development of risk assessment and treatment methodology;
4) perform risk assessment and define risk treatment plan;
5) controls implementation (e.g., policies and procedures documentation, acquisitions, etc.);
6) people training and awareness;
7) controls operation;
8 performance monitoring and measurement;
9) perform internal audit;
10) perform management critical review; and
11) address nonconformities, corrective actions and opportunities for improvement.
This article will provide you further explanation about ISMS implementation:
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
Regarding the approach, please see the first answer.
These materials will also help you regarding ISO 27001 implementation:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
Contract with processors
Answer:
The common practice is not to engage processors that cannot be trusted to comply with the EU GDPR provisions or take liability in case of a breaching the EU GDPR provisions. Also remember that you will be responsible for the actions of the processors you contract so having a liability clause would be a must.
To learn more about the duties of processors under the EU GDPR this free online training GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course// -
Audit checklist
>1- Now looking at Dejan's checklist, it contains all requirements in 27001 from chapter 4 to 10 plus all the controls in the appendix.
It doesn't make sense to audit the full checklist for every department so I'm guessing that the auditor, as part of the preparation, choose what clauses in the checklist to include in each audit.
In short, each audit will consist of a subset of the checklist depending on the nature of the department. Can you confirm?
Answer: Your assumption is correct, the auditor can define a subset of the items to be included in the checklist, depending on the purpose of the audit and the audited department.
>2 - We're short on auditors that know infosec and the standard so would you say it would be compliant if we (the security office) audit ourselfs and our own work as long as we “select auditors and conduct audits that ensure objectivity and the impartiality of the audit process”?
Answer: The security office cannot audit its own work alone. The main requirements of ISO 27001 (from clauses 4 to 10) do not require deep knowledge about information security to be audited, so the security office and another auditor with competence in auditing ISO management systems (e.g., ISO 9001 and ISO 14001) working together would be sufficient to ensure the audit process is objective and impartial.
>3 - Regarding the scope of an audit (i.e. what clauses from the checklist to include), would it be ok to narrow the scope to just a few controls? I mean, in your template “Annual Internal Audit Program” the heading “Scope” exists suggesting that the auditor can choose what clauses to include.
An example: The auditor choose to audit the HR dept so he/she sets the scope to A.7 Human resource security and A.9 Access Control.
Would that fly?
Answer: The auditor can narrow the scope of an audit to a few controls if it fits the purpose of the audit, but you must ensure that all controls regarding the certification scope are audited between external audits, according to the external audit plan. For example, if in the next maintenance audit the certification auditor will audit the HR department, you must ensure all controls applicable to HR department, not only the controls from sections A.7 and A.9 (e.g., requirement 7.2 will also be audited by the external auditor). Another option is to use a couple of auditors in each audit event, where each would focus on only one group of controls.