Search results

Risk Management

This is a good approach. The point is that these similar devices should have a similar intended purpose and be produced by similar technological processes. 

Will ISO 9001:2015 be updated until 2030?

ISO 9001:2015, most likely will not remain valid until the year 2030.

Currently, Technical Committee 176, Sub Committee 2, (TC 176/SC2) is already working on ISO 9001 revision.

Last July 29th the result of an ISO ballot was announced, and the majority of the National Standards Bodies comprising TC 176/SC2 voted in favor of starting the revision of ISO 9001. It will be a limited revision.

ITSCM and BCM

ITSCM and BCM should be integrated. BCM is driving ITSCM in a way that BCM defines objectives (from the business point of view). Since all business activities are usually supported by IT services – defined BCM targets directly influence ITSCM targets.

In practice, ITSCM people should talk to BCM and get inputs for their TSCM objectives. If BCM doesn't exist, ITSCM should speak directly with the business.

Read this article to get more info: IT Service Continuity Management – waiting for the big one https://advisera.com/20000academy/blog/2013/09/24/service-continuity-management-waiting-big-one/

Guidance on Missing ISMS Documentation and Implementation Drafts

1. We have the initial audit with external agencies to get the accreditation, and an agenda for the one-day assessment on November 21st has been sent to us. Please find the attached image which details the ISMS Document review. However, we are missing documents for Compliance, Operational Security, Communication, Development Security, Incident Processes, and Business Continuity Management. Could you please confirm if there are drafts available or advise on how to proceed, as I'm unable to locate them in the Conformio tool? Your guidance on this matter would be greatly appreciated.

Please note that a Compliance document is not required by the standard. In case control A.5.36, Compliance with policies, rules, and standards for information security is stated as Applicable in your SoA, the implementation method for this control is defined in the SoA document itself. If this control is not applicable to your organization, no document or activities related to compliance are required to be compliant with the standard. 

Business Continuity Management is not required by the standard. In case control A.5.29, A.5.30, or A.8.14 is stated as Applicable in your SoA, it is sufficient to implement the Disaster Recovery Plan to be compliant with the standard.   

A communication document is not required by the standard. Communication is an activity that is performed by many processes in information security according to ISO 27001, with different purposes. So, to have a centralized communication document would create an overhead for people responsible for communication with activities that may not be a part of their regular tasks.

That’s the reason there isn’t a specific template for clause 7.4.

The main documents in Conformio that define how communication needs to be done are:

• the Information Security Policy
• the Training Module
• the Incident Management Procedure
• the Disaster Recovery Plan

Additionally, most of the communication an organization performs is already registered through emails, Slack messages, etc. - so those can act as “registers.”

If you do want to create a separate Communication plan, then this article will provide you with further explanation about communication plan:

• How to create a Communication Plan according to ISO 27001 https://advisera.com/27001academy/blog/2014/10/27/how-to-create-a-communication-plan-according-to-iso-27001/

The remaining documents you mentioned are the ones as follow:

• Operational Security: Security Procedures for IT Department
• Development Security: Secure Development Policy
• Incident Processes: Incident Management Procedure

Please note that these documents will be available only if the controls that require their implementation are defined as applicable in the Statement of Applicability.

2. Additionally, for ISMS Implementation, there is a requirement for Design, Development & Test, and Facility and Asset Management. I have checked the documents, as well as the Conformio tool, but I couldn't find any drafts pertaining to these areas. Can you please advise on this?

The definition of Design, Development & Test activities are included in the Secure Development Policy.

Facilities and asset management are not commonly used documents for ISO 27001, so there aren’t specific drafts for them. In this case, you can use the blank template located in the Documents folder to create your documents.

In case you need assistance, you can schedule a meeting with one of our experts, who will help develop the documents. You can schedule a meeting here: https://advisera.com/consultations/

Audit report

I’m assuming this question refers to ISO 27001, but the answer is applicable to any other standard like ISO 9001, 14001, etc. (respected the respective internal audit clause of each standard).

The Internal Audit Report is an example of a mandatory record related to audit results to fulfill clause ISO 27001 9.2 Internal audit, but please note that it is a different document from the Internal Audit Program. 

The Internal Audit Program is a mandatory document that plans all audits that must be performed in a period of time, while the Internal Audit Report refers to the results of a single performed Internal Audit.

See this article for further information about ISO 27001 mandatory documents.

Question on risk register and selection of the assets

You have to include only the assets that are owned by your company that are part of the ISMS scope, i.e., the assets you control.

For further information, see:

• Asset management according to ISO 27001: How to handle an asset register/asset inventory https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

• Physical Security (A.11)

  Please note that not all controls from ISO 27001 Annex A need to be documented according to the standard (and in our opinion, it would be an overhead to document each and every one of them in a small company). This applies to most of the controls from section A.11 from the 2013 version of the standard.   

  Our toolkit is created specifically for smaller companies that want to implement ISO 27001 in a quick way, without unnecessary paperwork; for larger companies that require more documents, we recommend getting some other solution. 

  Information about how Controls that do not require documentation, such as those from Annex A section A.11, are implemented is included in the Statement of Applicability (which can be found in folder 06 Applicability of Controls). 

• Implementing Clause 8.4

  First, determine which external processes, products, or services are relevant to your organization's quality management system. These can include suppliers, contractors, outsourced processes, and other external parties. You don’t need to include everything.

  Then, establish a process for selecting and evaluating external providers. This may involve supplier audits, performance assessments, and risk assessments to ensure that external providers meet your quality requirements.

  Clearly define your organization's requirements for externally provided processes, products, or services. Document these requirements and communicate them effectively to external providers (may be in specification sheets, may be in design documents or projects)

  Develop formal contracts, agreements, or purchase orders that clearly specify the quality-related requirements, responsibilities, and expectations between your organization and external providers.

  Implement a system to monitor the performance of external providers. This can involve regular quality checks, inspections, and key performance indicators (KPIs) to measure their compliance with your requirements.

  Assess and manage risks associated with external providers. Identify potential risks that could impact the quality of your products or services and implement mitigation strategies.

  Establish effective communication channels with external providers to ensure that they are aware of your quality requirements and any changes in those requirements

  Maintain documentation related to the control of externally provided processes, products, and services. This includes contracts, records of performance evaluations, and any corrective actions taken.
   

  You can find more information in the following links:

  • Article - How to evaluate supplier performance according to ISO 9001:2015 
  • Article - How to control outsourced processes using ISO 9001 
  • Purchasing in QMS - The Process & the Information Needed to Make it Work 

• Quality Control Processes

  I would start by designing a high level map of the flow of work in each department (mapping each department as a set of interrelated processes).

  Then, I would establish a set of performance targets for each process based on the purpose of each process.

  Then, I would determine and evaluate risks regarding each process and its output. For each critical risk you can now establish a quality control plan:

  • What to control;
  • When to control;
  • Sample size to control;
  • Success criteria;
  • Who is responsible for doing the control;
  • Who has the authority to handle nonconformities;
  • Where to record quality control results.
     

  You can find more information in the following links:

  • Live Virtual Training - Understanding the Process Approach - 
  • Free webinar on demand - How to Implement Risk Management in ISO 9001:2015 
  • Free webinar on-demand - Measurement, Analysis, and Improvement According to ISO 9001:2015