If they attend training or awareness sessions about the quality policy, and/or the quality objectives, and/or QMS effectiveness, and/or the importance and impact of non-conformities, I believe that clause 7.3 is more appropriate. In other cases, I believe that clause 7.2 is more appropriate.
The following material will provide you with information about ISO 9001 training:
Answer:
If you are already AS9100 certified, these requirements have not changed, so what you were already doing for AS9100 Rev C would be applicable to AS9100 Rev D. In general, configuration management for a broker could be as simple as tracking the revision of the parts you buy and sell, so that you know your customer is getting the correct revision of the part they ask for. Special requirements, critical items and key characteristics may not be necessary for you, as there may not be any identified for the parts and components you sell. Additionally, the regulatory and statutory requirements will differ depending on your location, because different countries have different laws.
One other thing to consider: if you are only acting in a buy and sell capacity, then maybe look into AS9120, which is for aerospace distributors, rather than the entire AS9100 standard. There is a little more information on this standard here: https://advisera.com/9100academy/blog/2017/10/30/how-does-as9110-as9120-relate-to-as9100-rev-d/
Internal auditor requirements
Answer:
No, it is not mandatory. The only requirement is that the auditor complies with the organization/company’s own competence requirements.
The following material will provide you with information about internal auditors:
Answer: First of all, it is important to understand that ISO 27001 controls go beyond activities in processes and procedures. They are safeguards to protect information, which can be implemented as policies, procedures, physical mechanisms or technologies.
Considering that, ISO 27001 requires, as part of the information security risk treatment (clause 6.1.3.b), that the controls necessary to implement information security in the ISMS scope be determined. The need to identify and implement security controls for processes/procedures will depend on the results of the risk assessment. Since risk assessment and risk treatment are mandatory requirements of ISO 27001, this is certainly something auditors will look for.
These articles will provide you further explanation about risk assessment and risk treatment:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
Answer: ISO 27001 does not specify solutions to maintain online ISMS records, so you can use solutions as simple as keeping files on corporate servers, publishing information on corporate web pages, or using dedicated software like our Conformio platform. You can take a free look at our Conformio platform at this link: https://advisera.com/conformio/
Whether internal audit reports are mandatory before ISO 27001 certification?
Answer: ISO 27001 requires in its clause 9.2.c that evidence of the audit program(s) and the audit results are retained, so the internal audit reports are mandatory for an organization that wants to be certified against ISO 27001.
>Thank you for answering my previous question. I was wondering if you have a list of the mandatory records and logs needed. If so, are the requirements for each of the records/logs the same? What are the requirements? In your documentation toolkit, in each document you have a section for "managing records kept on the basis of this document". Are all of these records mandatory? If so, are there templates included in the toolkit?
All these documents and records are included in the ISO 27001 & ISO 22301 Premium Documentation Toolkit you bought. Also included in the toolkit there is a List of Documents file (located in the root folder) which shows which requirements and controls are covered by each document or record.
Regarding the section "managing records kept on the basis of this document", some records mentioned in it are not mandatory, but they need to be mentioned because the documents require their usage.
If during the template customization you identify that one or more of those non-mandatory records are not necessary, you can exclude them without problems.
Risk acceptance criteria
You should establish a set of criteria to be used in all your evaluations, so you can produce comparable results. If you adopt different criteria depending on the asset group, the results of that risk assessment will only be comparable to those of similar asset groups, which will make the evaluation of your overall risk assessment more difficult.
Answer: First of all, you have to identify which requirements your policies must comply with and, considering ISO 27001, which risks you must treat with these policies. After that, you have to ensure your policies are all aligned, so that no conflicting rules exist; write your policies, get them approved and train your employees, so they know what is expected from them.
Answer: The way you gather your policies will depend mainly on your organizational context, but as a general model, you may consider procedures related to end users, procedures for technical staff and procedures for management personnel.
3 - What steps will you take to implement ICT best practices within the organisation?
Answer: The first step is the definition of which best practices you intend to use (e.g., ITIL, ISO, COBIT), based on requirements you have to fulfill. The following steps are the same as described in the answer for question 1.