Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11272 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Implementation duration
Answer:
It is a big challenge, their present QMS is pre-process approach that was introduced in 2000. Do not try to do it alone, arrange a team to implement the new QMS. I do not know the dimension of your organization, but consider the following advice:
The duration of implementation depends primarily on the size of the organization, for example:
Smaller organizations (up to 50 employees) usually implement the standard in less than 8 months.
Mid-size organizations (up to 500 employees) usually implement the standard in 8 to 12 months.
Large organizations (500 employees and more) – implementation usually lasts 12 to 15 months.
Beware of companies that drag such projects on for too long (e.g., small companies for more than 12 months) usually never finish the project.
The following material will provide you information about implementing a QMS:
- ISO 9001 – Five tips to ensure your ISO 9001:2015 implementation is successful - https://advisera.com/9001academy/blog/2016/10/04/five-tips-to-ensure-your-iso-90012015-implementation-is-successful/
- How long does it take to implement an ISO 9001-based QMS? - https://advisera.com/9001academy/blog/2016/07/05/how-long-does-it-take-to-implement-an-iso-9001-based-qms/
- Gaining employee buy-in for your ISO 9001:2015 implementation - https://advisera.com/9001academy/blog/2015/12/15/gaining-employee-buy-in-for-your-iso-90012015-implementation/
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
AS9100 Rev D requirements for FAI
Answer:
You are correct. In clause 8.5.1.3 of AS9100 Rev D, which covers Production Process Verification, there are the requirements which are referred to as First Article Inspection (FAI). The requirements within this clause make no reference to AS9102, and therefore the process of AS9102 is not a requirement of AS9100 Rev D. So, unless you are required by customer to use the AS9102 process and forms these requirements can be fulfilled in other ways as you determine adequate.
For more information on this see the article: https://advisera.com/9100academy/blog/2017/11/07/how-does-first-article-inspection-fit-into-as9100-rev-d/ -
ISMS implementation strategies
Option 1: Documentation Toolkit
Option 2: Conformio (As I understand, it comes to together with documentation template).
It seems that some consultancy is still needed for this company. What is your advise? How much consultancy is needed?
The scope is - NOC & SOC. (Staff around 15)
Total number of Staff 20 to 30.
Answer: The extent to which a consultancy is needed depends on the complexity and size of the scope, on the extent of the organization, and on the time and resources available. Considering that, and the information you already provided, the options would be:
- Use a consultant to perform most of the effort to implement the ISMS
- Use a consultant only to support the staff on specific issues, leaving the organization's staff with most of the implementation effort.
Each one of them have their advantages and disadvantages. For more information, I suggest you the following materials:
- 3 strategic options to implement any ISO standar d https://advisera.com/blog/2016/04/11/3-strategic-options-to-implement-any-iso-standard/
- Implementing ISO 27001 with a consultant vs. DIY approach https://info.advisera.com/27001academy/free-download/implementing-iso-27001-with-a-consultant-vs-diy-approach
2 - What is the rough estimate timeline for ISMS implementation.
Answer: With the information you provided, the implementation duration would be something between 3 and 12 months. For a more precise estimative, considering the aspects mentioned on the first answer, I suggest you to use our Free Calculator – Duration of ISO 27001/ISO 22301 Implementation at this link: https://advisera.com/27001academy/free-tools/free-calculator-duration-of-iso-27001-iso-22301-implementation/
For more information, please see these articles:
- How long does it take to implement ISO 27001 / BS 25999? https://advisera.com/27001academy/blog/2011/11/08/how-long-does-it-take-to-implement-iso-27001-bs-25999/
- How much does ISO 27001 implementation cost? https://advisera.com/27001academy/blog/2011/02/08/how-much-does-iso-27001-implementation-cost/
3 - What will be steps and best approach for me to assist this company.
Answer: Roughly speaking, ISO 27001 implementation steps can be resumed in:
1) getting management buy-in for the project;
2) defining ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding organizational context and requirements of interested parties;
3) development of risk assessment and treatment methodology;
4) perform risk assessment and define risk treatment plan;
5) controls implementation (e.g., policies and procedures documentation, acquisitions, etc.);
6) people training and awareness;
7) controls operation;
8 performance monitoring and measurement;
9) perform internal audit;
10) perform management critical review; and
11) address nonconformities, corrective actions and opportunities for improvement.
This article will provide you further explanation about ISMS implementation:
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
Regarding the approach, please see the first answer.
These materials will also help you regarding ISO 27001 implementation:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
Contract with processors
Answer:
The common practice is not to engage processors that cannot be trusted to comply with the EU GDPR provisions or take liability in case of a breaching the EU GDPR provisions. Also remember that you will be responsible for the actions of the processors you contract so having a liability clause would be a must.
To learn more about the duties of processors under the EU GDPR this free online training GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course// -
Audit checklist
>1- Now looking at Dejan's checklist, it contains all requirements in 27001 from chapter 4 to 10 plus all the controls in the appendix.
It doesn't make sense to audit the full checklist for every department so I'm guessing that the auditor, as part of the preparation, choose what clauses in the checklist to include in each audit.
In short, each audit will consist of a subset of the checklist depending on the nature of the department. Can you confirm?
Answer: Your assumption is correct, the auditor can define a subset of the items to be included in the checklist, depending on the purpose of the audit and the audited department.
>2 - We're short on auditors that know infosec and the standard so would you say it would be compliant if we (the security office) audit ourselfs and our own work as long as we “select auditors and conduct audits that ensure objectivity and the impartiality of the audit process”?
Answer: The security office cannot audit its own work alone. The main requirements of ISO 27001 (from clauses 4 to 10) do not require deep knowledge about information security to be audited, so the security office and another auditor with competence in auditing ISO management systems (e.g., ISO 9001 and ISO 14001) working together would be sufficient to ensure the audit process is objective and impartial.
>3 - Regarding the scope of an audit (i.e. what clauses from the checklist to include), would it be ok to narrow the scope to just a few controls? I mean, in your template “Annual Internal Audit Program” the heading “Scope” exists suggesting that the auditor can choose what clauses to include.
An example: The auditor choose to audit the HR dept so he/she sets the scope to A.7 Human resource security and A.9 Access Control.
Would that fly?
Answer: The auditor can narrow the scope of an audit to a few controls if it fits the purpose of the audit, but you must ensure that all controls regarding the certification scope are audited between external audits, according to the external audit plan. For example, if in the next maintenance audit the certification auditor will audit the HR department, you must ensure all controls applicable to HR department, not only the controls from sections A.7 and A.9 (e.g., requirement 7.2 will also be audited by the external auditor). Another option is to use a couple of auditors in each audit event, where each would focus on only one group of controls. -
Management principles
Answer: Management principles are concepts that can be used as a foundation to guide an organization’s performance improvement. ISO 27001 shares some management principles with other ISO management standards, such as:
- Leadership
- Process approach
- Improvement
- Evidence-based decision making
Specifically for the ISMS, we can consider as principles:
- Risk-based approach
- Protection of confidentiality, integrity and availability -
Auditing ISO 27001 and ISO 27018
Last December our 27001 documentation was audit and approved, and now we have planned an audit type two (implementation phase) for November, but we want to go a bit further and also get and audit against ISO 27018 and scope the requirement of the GDPR Regulation.
My question are:
1 - It is possible to audit both ISO 27001 and 27018?
Answer: ISO 27018 is a supporting standard to ISO 27001, providing detailed guidance and recommendations on the implementation of ISO 27001 Annex A controls, considering privacy in cloud environments, so it is perfectly possible to perform an audit considering these two standards as references.
This article will provide you further explanation about ISO 27001 and ISO 27018:
-ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/ loud/
2 - Is it possible to audit the 11 extra controls of the ISO 27018 only as the controls of the ISO 27001/27002 already apply? how would you recommend to do it?
Answer: You can reduce your audit scope to cover only the ISO 27018 extra controls and the other controls from ISO 27001 that have some specific recommendations provided in the ISO 27018 with no problem.
To support this activity, I suggest you to take a look at the free demo of our Internal Audit Checklist for ISO 27001 & ISO 27017 & ISO 27018 at this link: https://advisera.com/27001academy/documentation/internal-audit-checklist/
It provides a list of questions in order to help perform an internal audit against ISO 27001, considering also ISO 27018. For each clause or control from the standard the checklist provides one or more questions which should be asked during the audit in order to verify the implementation.
This article will provide you further explanation about internal audits:
- How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
These materials will also help you regarding internal audits:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- ISO 27001:2013 Internal Auditor course https://advisera.com/training/iso-27001-internal-auditor-course/ -
ISO 20000 and Demand Management/Service Portfolio Management
Answer:
Demand Management and Service Portfolio Management processes are part of the ITIL i.e. ITIL/ISO 20000 Premium Documentation toolkit. You can find them in the list of documents https://advisera.com/20000academy/iso-20000-documentation-toolkit/#toolkit-documents-lightbox
Additionally, list of mandatory documents, according to ISO 20000-1:2011 (still valid standard) can be found in the free Whitepaper Checklist of Mandatory Documentation Required by ISO/IEC 20000-1:2011 https://info.advisera.com/20000academy/free-download/checklist-of-mandatory-documentation-required-by-iso-iec-20000-1-2018/ -
Auditor certifications
Answer:
Passing those exams will document in a formal way that you acquired knowledge about ISO 9001:2015 and about preparation, realization and reporting of internal audits. Your previous experience and education will certainly be very useful for you and for your future audit customers, that kind of experience and education cannot be learned in a fast course and are very important to deal with situations and having a mature and business-friendly point of view. As soon as you get those two diplomas you can start acting as internal auditor for organizations and as long as you gather some actual experience you can start requesting to certification bodies if they have more particular requirements that you must obey in order to be able to apply.
The following materials will provide you details with internal audits:
- Article - ISO 9001 Audit Checklist - https://advisera.com/9001academy/knowledgebase/iso-9001-audit-checklist/
- ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/ -
Third Party and cross border transfer data
2. In cross border transfer data , if the adequacy is not fulfilled , what are the penalties?
Answers:
1. There are actually the same. In the context of the EU GDPR both are entities that are receiving personal data. Depending of the purpose of processing ad the business context the Recipient or Third Party can be a data processor, a joint controller or a controller in its own rights. You can find out more about controllers and processors from our article “EU GDPR controller vs. processor – What are the differences?” – https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
2. Fail to comply with the requirements regarding cross border transfers of personal data can be sanctioned with fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. To learn more about sanctions under the EU see this free online training GDP R Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course// as well as our webinar “ What to expect from Data Protection Authorities under GDPR” - https://advisera.com/eugdpracademy/webinar/what-to-expect-from-data-protection-authorities-under-gdpr-free-webinar-on-demand/