
  • ISO 27001 Suppliers relationships for small company

    I’m assuming that by online audit you mean online assessment since an audit is not part of the risk assessment process.

    Considering that, for supplier risk management this approach (online assessment, internet, and social media search and site review) is acceptable for certification purposes.

    Regarding NDA and awareness training, please note that these are alternatives for risk treatment, not a risk assessment. These would be applicable if you identify relevant risks that can be treated by them, or in case you have legal requirements (e.g., laws, regulations, or contracts) demanding their implementation.

    As for online resources for supplier risk assessment and audit, please take a look at these resources:

  • ITIL to improve IT Service Management in Organizations

    During my (ITIL) trainings, I noticed that participants lack the knowledge about ITIL, its purpose and applicability. That's one of the reasons. Additionally, they think „it's complex and complicated“. They also don't know where to start. Training fixes some of the issues. Additionally, people think they need a lot of human resources and they don't see benefits. There are some additional challenges that companies face. See the article „5 excuses why IT organizations avoid ITIL implementation“ here: https://advisera.com/20000academy/blog/2015/08/25/5-excuses-why-it-organizations-avoid-itil-implementation/.

  • Information Security Policies and Procedures

    1 - Can you have a look at the document (for review purposes)? The document will be sent once you confirm.

    Yes, you can send us the finished document for an expert review. In your package, you have the option of the review of 5 documents.

    2 - What do you recommend, shall I keep all Information Security policies and procedures in 1 document, or shall I keep every policy in 1 document and the procedures in another document?

    ISO 27001 does not prescribe how documentation must be elaborated, so organizations can develop them the way it best suits their needs.

    The main criteria to decide to merge documents or not are if they have similar purposes and if by merging them they would not become a document too big to understand and read. So, if your single document does not become too big to use and manage it may be best to merge them, so you have fewer documents to manage in your ISMS.

    These articles will provide you with a further explanation about developing policies:

  • 27001 questions

    1 - What are the organizations where we could request the certification process in the US?

    Certification bodies accredited to issue an ISO 27001 certification based in the US are registered to America’s national accreditation body (ANAB). At this site, you can identify the current valid certification bodies: https://anabdirectory.remoteauditor.com/

    2 - Is it possible to develop audit processes with workers from various countries?

    It is possible to develop such a process, but it may become unnecessarily complex and difficult to manage, and independent local audits may be a better solution (please note that these can use the same general process, only using local resources).

    For further information, see:

    3 - Is it possible to carry out the certification with an entity in the US and for the audit and evidence process to occur in Spanish? If positive, we would love to know if you have had any experience under this modality.

    The answer to this question will depend on the certification body you choose for your certification process, so to have a definitive answer you need to contact two or three alternative certification bodies to know their opinion.

    For further information, see:

  • Annex A controls

    Please note that many of the clauses and controls you mentioned do not need to be documented according to the standard, and in our opinion, it would be an overhead to document each and every one of them in a small company.

    Our ISO 27001 Documentation Toolkit was designed to cover all mandatory documents and some documents that are not mandatory but are commonly used.

    Our toolkit is created specifically for smaller companies that want to implement ISO 27001 in a quick way, without unnecessary paperwork.

    For faster verification, you can use the List of documents file included in the toolkit. This document shows you which controls are covered by each template.

    In case there is a document you need to implement that is not in the toolkit, you can request support from us to help develop it.

    This article will also help you: List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

  • ISO 27001 Documentation

    In your toolkit, there is an Inventory of assets template that you can use to track assets. This template is located in folder 08 Annex A Security Controls >> A.8 Asset Management

    For further information, see:

  • Three-Year ISO Certification Cycle

    This three-year cycle period was a recommendation from the International Accreditation Forum (IAF) for certification bodies to be compliant with ISO 17021, the ISO standard which defines requirements for certification bodies.

    IAF sets common requirements for organizations acting as certification bodies.

  • 13485 Implementation

    In section 1 Scope of ISO 13485:2016 it is stated that this standard is for both medical devices and related services. So, yes, it is possible to implement ISO 13485 for providing the service. The best approach to this situation is that wherever you see the word production, read it as service. So when you go through 7.5 Production and service provision, just look at it from the aspect of service provision.

    Of course, certain requirements will not be applicable to your company; therefore, you will not prepare any documentation for these requests (like for sterilization, installation, or work environment, and so on).

  • Conformio Risk Register

    Conformio does not have a risk register module based on an information-focused approach, because “information-focused” is not an approach for risk assessment, but the way you need to see risks when using a risk assessment approach.

    Please note that clause 6.1.2.c.1 does not define a risk assessment method, only that the chosen approach focuses on risks related to the loss of confidentiality, integrity, and availability of information the ISMS is intended to protect (which is to be “information-focused”).

    Considering that, all chosen approaches for information security risk assessment (e.g., asset-based, process-based, scenario-based, etc.) need to be information-focused.

    The asset-based approach used in Conformio’s Risk Register is information-focused because each asset vulnerability threat is defined in a way that leads to a potential loss of confidentiality, integrity, and availability of information.

    For example, the risk of “paper report – single copy – fire” leads to a potential loss of confidentiality.

    For further information, see:

  • SOPs SWIs etc.

    It is important to note that while there is a documentation structure procedure, ISO 10013:2001, this structure is not required in the ISO management systems. It is a structure that is recommended for complex systems, but smaller companies do not need to have this sort of complex, multi-level system.

    In this system, a policy is the top level, and gives the statement of intent on something. So, a statement that hazard identification will be done, and why, would be in a policy. A procedure is intended to give the who, what, where, when and why of the activity. So, a procedure will give these details of the hazard identification. The work instruction gives the step-by-step instructions of how to do something, like how to do the hazard assessment, or how to actually do a process step-by-step to ensure safe operation.

    Of course, nothing dictates that these need to be separate. You can include policy statements, procedure statements and step-by-step instructions in one document if you wish, including different sections for each work instruction for each type of welding. As stated at the beginning, this is the sort of structure that a large company might use, and it is not necessarily required. To avoid duplication, each work instruction will link to 1 procedure, and several procedures may link to 1 policy.


    You can read more on the ISO documentation model in the following article from the 9100Academy that is applicable to all ISO management systems: How to structure AS9100 Rev D documentation, https://advisera.com/9100academy/knowledgebase/how-to-structure-as9100-rev-d-documentation/
