Search results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Assign topic to the user

  • Mandatory documents for ISO 27001


    Answer: Clause 4.2 requires the determination of relevant interested parties and the requirements of these parts, but it does not require these information to be documented. You can document them as a best practice to record information you used to develop the ISMS scope, but the standard does not require the documentation of such information.
  • Training or awareness


    Answer:

    If they attend training or awareness sessions about the quality policy, and/or the quality objectives, and/or QMS effectiveness, and/or importance and impact of non-conformities I believe that clause 7.3 is more appropriated. In other cases, I believe that clause 7.2 is more appropriated.

    The following material will provide you information about ISO 9001 training:

    - ISO 9001 Training - https://advisera.com/9001academy/knowledgebase/iso-9001-training/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • AS9100 Elements for distributor


    Answer:
    If you are already AS9100 certified, these requirements have not changed, so what you were already doing for AS9100 Rev C would be applicable to AS9100 Rev D. In general, configuration management for a broker could be as simple as tracking the revision of the parts you buy and sell so that you know your customer is getting the correct revision of the part they ask for, special requirements, critical items and key characteristics may not be necessary for you as there may not be any identified for the parts and components you sell. Additionally, the regulatory and statutory requirements will differ depending on your location because different countries have d ifferent laws.
    One other thing to consider, if you are only acting in a buy and sell capacity, then maybe looking into AS9120 which is for aerospace distributors rather than the entire AS9100 standard. There is a liitle more information on this standard here: https://advisera.com/9100academy/blog/2017/10/30/how-does-as9110-as9120-relate-to-as9100-rev-d/
  • Internal auditor requirements


    Answer:

    No, it is not mandatory. The only requirement is that the auditor complies with the organization/company’s own competence requirements.

    The following material will provide you information about internal auditors:

    - ISO 9001 – ISO 9001 internal auditor training: Is it for me? - https://advisera.com/9001academy/blog/2015/06/02/iso-9001-internal-auditor-training-is-it-for-me/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Key control activities


    Answer: First of all it is important to understand that ISO 27001 controls go beyond activities in processes and procedures. They are safeguards to protect information that can be implemented as policies, procedures, physical mechanisms or technologies.

    Considering that, ISO 27001 requires, as part of the information security risk treatment (clause 6.1.3.b), that controls necessary to implement the information security in the ISMS scope shall be determined. The need to identify and implement security controls for process/procedures will depend on the results of risk assessment. Since the risk assessment and risk treatment are mandatory requirements for ISO 27001 this is certainly something auditors will look for.

    These articles will provide you further explanation about risk assessment and risk treatment:
    - The basic logic of ISO 27001: How does information security work? https://adv isera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    These materials will also help you regarding risk assessment and risk treatment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Maintenance of records


    Answer: ISO 27001 does not specific solutions to maintain online ISMS records, so you can use solutions as simple as keeping files in corporate servers, publish information on corporate webpages or use dedicated software like our Conformio platform. You can take a free look at our Conformio platform at this link: https://advisera.com/conformio/

    This article will provide you further explanation about document management:
    - Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/
  • Internal audits records

    Whether internal audits reports are mandatory before certification 27001 ?

    Answer: ISO 27001 requires in its clause 9.2.c that evidence of the audit program(s) and the audit results are retained, so the internal audit reports are mandatory for an organization that wants to be certified against ISO 27001.

    This article will provide you further explanation about mandatory documentation:
    - List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision
  • Secure Development Policy template content

    We received this question:

    >Thank you for answering my previous question. I was wondering if you have a list of the mandatory records and logs needed. If so, are the requirements for each of the records/logs the same? What are the requirements? In your documentation toolkit, in each document you have a section for "managing records kept on the basis of this document". Are all of these records mandatory? If so, are there templates included in the toolkit?

    Answer: To see a list of mandatory documents and records for ISO 27001, plesase access this article:
    - List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

    All these documents and records are included in the ISO 27001 & ISO 22301 Premium Documentation Toolkit you bought. Also included in the toolkit there is a List of Documents file (located in the root folder) which shows which requirements and controls are covered by each document or record.

    Regarding the section "managing records kept on th e basis of this document", some records mentioned in it are not mandatory, but they needed to be mentioned because the documents require their usage.

    If during the template customization you identitfy that one or more of those non mandatory records are not necessary you can exclude them without problems.
  • Risk acceptance criteria


    You should establish a set of criteria to be used in all you evaluations, so you can produce comparable results. If you adopt different criteria depending on the asset group, the results of that risk assessment will only be comparable to similar asset groups, which will make the evaluation of your overall risk assessment more difficult.

    This article will provide you further explanation about risk assessment:
    - How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    These materials will also help you regarding risk assessment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • ISAE 3402 and ISO 27001

    ISO 27002 is a supporting standard that provides guidance and recommendations for the implementation of ISO 27001 Annex A controls.

    This article will provide you further explanation about ISO 27002:
    - ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
Page 790-vs-13485 of 1130 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +