1 - Is it possible to implement ISO 27001 in a company within 9 months?
Answer: The implementation duration depends on many variables (e.g., size and complexity of the scope, financial resources and expertise available, etc.), but for small and mid-sized businesses it is generally possible to implement ISO 27001 within 9 months. I suggest you take a look at our ISO 27001 / ISO 22301 Implementation Duration Calculator at this link: https://advisera.com/27001academy/free-tools/free-calculator-duration-of-iso-27001-iso-22301-implementation/
This tool can help you estimate the implementation duration considering your company's scenario.
2 - How does the ISO certification audit work?
Answer: The ISO 27001 certification process is like any other ISO certification process. It is divided into two phases:
- Documentation analysis, to verify whether the documents comply with the standard's requirements
- Operation and records evaluation, to verify whether what is defined in the documentation is performed properly and how deviations in processes and results are handled.
Once these phases are performed, the certification auditor will draw up a report presenting the gathered evidence and conclusions, which can recommend certification directly, recommend certification after an action plan is submitted to handle the identified non-conformities, or not recommend certification.
Answer: Clause 4.2 requires the determination of relevant interested parties and the requirements of these parties, but it does not require this information to be documented. You can document it as a best practice to record the information you used to develop the ISMS scope, but the standard does not require the documentation of such information.
Training or awareness
Answer:
If they attend training or awareness sessions about the quality policy, and/or the quality objectives, and/or QMS effectiveness, and/or the importance and impact of non-conformities, I believe that clause 7.3 is more appropriate. In other cases, I believe that clause 7.2 is more appropriate.
The following material will provide you information about ISO 9001 training:
Answer:
If you are already AS9100 certified, these requirements have not changed, so what you were already doing for AS9100 Rev C would be applicable to AS9100 Rev D. In general, configuration management for a broker could be as simple as tracking the revision of the parts you buy and sell so that you know your customer is getting the correct revision of the part they ask for; special requirements, critical items and key characteristics may not be necessary for you, as there may not be any identified for the parts and components you sell. Additionally, the regulatory and statutory requirements will differ depending on your location, because different countries have different laws.
One other thing to consider: if you are only acting in a buy and sell capacity, then maybe look into AS9120, which is for aerospace distributors, rather than the entire AS9100 standard. There is a little more information on this standard here: https://advisera.com/9100academy/blog/2017/10/30/how-does-as9110-as9120-relate-to-as9100-rev-d/
Internal auditor requirements
Answer:
No, it is not mandatory. The only requirement is that the auditor complies with the organization/company’s own competence requirements.
The following material will provide you information about internal auditors:
Answer: First of all it is important to understand that ISO 27001 controls go beyond activities in processes and procedures. They are safeguards to protect information that can be implemented as policies, procedures, physical mechanisms or technologies.
Considering that, ISO 27001 requires, as part of the information security risk treatment (clause 6.1.3.b), that controls necessary to implement the information security in the ISMS scope shall be determined. The need to identify and implement security controls for process/procedures will depend on the results of risk assessment. Since the risk assessment and risk treatment are mandatory requirements for ISO 27001 this is certainly something auditors will look for.
These articles will provide you further explanation about risk assessment and risk treatment:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
Answer: ISO 27001 does not specify solutions to maintain online ISMS records, so you can use solutions as simple as keeping files on corporate servers, publishing information on corporate webpages, or using dedicated software like our Conformio platform. You can take a free look at our Conformio platform at this link: https://advisera.com/conformio/
Are internal audit reports mandatory before ISO 27001 certification?
Answer: ISO 27001 requires in its clause 9.2.c that evidence of the audit program(s) and the audit results are retained, so the internal audit reports are mandatory for an organization that wants to be certified against ISO 27001.
>Thank you for answering my previous question. I was wondering if you have a list of the mandatory records and logs needed. If so, are the requirements for each of the records/logs the same? What are the requirements? In your documentation toolkit, in each document you have a section for "managing records kept on the basis of this document". Are all of these records mandatory? If so, are there templates included in the toolkit?
All these documents and records are included in the ISO 27001 & ISO 22301 Premium Documentation Toolkit you bought. Also included in the toolkit there is a List of Documents file (located in the root folder) which shows which requirements and controls are covered by each document or record.
Regarding the section "managing records kept on the basis of this document", some records mentioned in it are not mandatory, but they needed to be mentioned because the documents require their usage.
If during the template customization you identify that one or more of those non-mandatory records are not necessary, you can exclude them without problems.
Risk acceptance criteria
You should establish a set of criteria to be used in all your evaluations, so you can produce comparable results. If you adopt different criteria depending on the asset group, the results of that risk assessment will only be comparable to similar asset groups, which will make the evaluation of your overall risk assessment more difficult.