Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11272 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Document control procedure
Answer: ISO 27001 does not prescribe any specific document formatting, only that format and media must be established, so you have to specify the format your organization will use, and this can be an already defined guideline or any other format the organization wants to use.
2- Is there a requirement that have to notate in each document when it is approved or that it is the current approved document?
Answer: There is no specific requirement to notate in a document when it is approved or that it is the current approved document, but including this information in the document is a good practice, since it can help prevent the use of an unapproved or obsolete version.
These materials will also help you regarding document management:
- Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/
These materials will also help you regarding docum ent management:
- Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide -
Risk management
Answer: For risk management in ISO 27001 you can use ISO 27005.
For risk management for ISO 9001, ISO 14001, ISO 45001 and ISO 22000 you can use ISO 31000 (which covers the risk management process) and ISO 31010 (which covers techniques and methodologies). ISO 27005 is based on ISO 31000, so you can easily integrate both approaches.
These articles will provide you further explanation about risk management:
- How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
- ISO 31000 and ISO 27001 – How are they related? https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/
- ISO 31010: What to use instead of the asset-based approach for ISO 27001 risk identification https://advisera.com/27001academy/blog/ 2016/04/04/iso-31010-what-to-use-instead-of-the-asset-based-approach-for-iso-27001-risk-identification/
These materials will also help you regarding risk management:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/ -
Starting ISO 20000 implementation
Can you help us to define what is the most convenience strategy to guide our IT Client?
Answer:
Decision to implement ISO 20000 (and reasoning behind it) as well as management commitment are - must have before you start your work. Scope is one of the first issues you will face. Here is the article that can help " How to define the scope of the SMS in ISO 20000" https://advisera.com/20000academy/blog/2015/06/02/how-to-define-the-scope-of-the-sms-in-iso-20000/
Scope will direct your activities, but this article can help you organize for the implementation (and see where assessment, GAP analysis or internal audit fits) "12 steps for ISO 20000 implementation" https://advisera.com/20000academy/blog/2016/09/06/12-steps-for-iso20000-implementation/
And, here is GAP analysis too l you can use "ISO 20000 Gap Analysis Tool" https://advisera.com/20000academy/itil-iso-20000-tools/iso-20000-gap-analysis-tool/ -
Change Management roles in small IT organization
Answer:
There are several points I'd like to address related to your situation:
1. Initiator - that could be user, customer, someone from IT department, supplier/vendor, CSI, Problem Management, Service Desk...so, it's not necessary that only someone from Change Management i.e. IT department triggers the process.
2.Assessor - that depends on the change category. E.g. for standard changes (see the article Tips and tricks for using the ITIL standard change mechanism https://advisera.com/20000academy/blog/2017/06/27/tips-and-tricks-for-using-the-itil-standard-change-mechanism/), you don't need assessor. See the article "ITIL V3 Change Management – at the heart of Service Management" https://advisera.com/20000academy/knowledgebase/itil/ -v3-change-management-at-the-heart-of-service-management/ and "Three key elements of assessment and evaluation of changes according to ITIL" https://advisera.com/20000academy/blog/2015/06/30/three-key-elements-of-assessment-and-evaluation-of-changes-according-to-itil/ to learn more about other types of changes
3. Approver - that's related to assessment and types of changes. Depending on the type of change - so will be the authorization
4. Change Manager - see the article ITIL/ISO 20000: What is the job of the Change Manager? https://advisera.com/20000academy/blog/2016/10/04/itil-iso20000-what-is-the-job-of-the-change-manager/ to find out more
It is usual (particularly for smaller organizations) that several roles are combined in one person. This article provide more information "What ITIL roles can be combined in one person?" https://advisera.com/20000academy/knowledgebase/itil-roles-can-combined-one-person/ -
Control de la producción y la provisión del servicio
En la versión ISO 9001: 2008 se hablaba acerca de la validación del producto, hay entidades que se exoneraban de ese apéndice (creo que era el 7.5.2 de esa versión); mi consulta es a qué se aplicaba realmente ese concepto y cómo se enfoca actualmente con la versión 2015? -
GDPR Documentation Requirements
Answer:
If you are under time pressure you could of course start with the mandatory documents that would be covering most of the outstanding amount issues in terms of the compliance. Also consider to implement the mandatory documents in the order from the Toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ since they are interlinked. This will make your implementation effort more streamlined.
However, I strongly recommend that you consider all the documents in the Toolkit after implementing the mandatory ones. -
Internal audits and checklists
Where is a good place to find audit questions to use for auditing these areas? Is it ok to use the internal QMS audit checklist that provides questions pertaining to each section? Also for each section who is the best person to audit? We are a company with just a Plant Manager, HR, Controller, Salesman, Quality Manager, and Production Manager.”
Answer:
You should audit your QMS, that means to check if:
* it is conforming with all 7 areas of ISO 9001:2015;
* it is conforming with your own requirements; and
* it is effectively implemented and maintained.
The auditors can read the standard and the internal documentation and list topics about what they want to ask, what they want to see, what they want to read, in order to be able to conclude if the QMS is being applied and it is effective . Those collected topics can become your internal QMS audit checklist, that can be collected and improved audit after audit.
Your organization must have defined what are the competence requirements for your internal auditors. For example, what kind of training on audits and ISO 9001:2015 they must have. So, your internal auditors must be competent, according to your own requirements and, very important, they must not audit their own work. That means that, for example, your Quality Manager even if competent should not audit the Quality Department activities.
The following material will provide you information about audits and checklists:
- ISO 9001 – ISO 9001 Audit Checklist - https://advisera.com/9001academy/knowledgebase/iso-9001-audit-checklist/
- How to create a check list for an ISO 9001 internal audit for your QMS - https://advisera.com/9001academy/blog/2016/07/12/how-to-create-a-check-list-for-an-iso-9001-internal-audit-for-your-qms/
- Internal Audit Checklist [ISO 9001:2015] - https://advisera.com/9001academy/documentation/internal-audit-checklist/
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
Applicability of GDPR
Answer:
The EU GDPR might be applicable to your company even if you are not located in the EU/EEA under the following circumstances defined in article 3 of the EU GDPR (https://advisera.com/eugdpracademy/gdpr/territorial-scope/) :
- Your company is offering goods or services to individuals in the Union. It refers to both free and paid goods and services; and
- Your company is monitoring the behavior of individuals in the EU/EEA. This refers to more intrusive activities such as tracking individuals across multiple sites or using Apps to track an individual’s location.
So, assess if these situations are applicable to your company and if the answer is yes this means that in relation to the EU/EAA processing activities you need to comply with the EU GDPR. You can also take look at this interesting article on this topic : https://advisera.com/eugdpracademy/knowledgebase/what-is-the-eu-gdpr-and-why-is-it-applicable-to-the-whole-world/ -
Certification and partnerships
Answer: Holding an ISO 27001 certification is not necessary if your partners can evidence you by other means they can effectively manage information security. A common situation is by fulfilling security clauses established on a partnership agreement (you can include in the agreement clauses related to the practices you want them to follow, and how these clauses will be verified).
These articles will provide you further explanation about security caluses (the general concepts are still valid if the partner in question is not a supplier):
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
- How to perform an ISO 27001 second-party aud it of an outsourced supplier https://advisera.com/27001academy/blog/2017/10/10/how-to-perform-an-iso-27001-second-party-audit-of-an-outsourced-supplier/ -
Infrastructure requirements
Answer: ISO 27001 does not prescribe specific infrastructure and system requirements to support an Information Security Management System. These should be identified based on the organizational context, ISMS purpose and results of risk assessment.
These articles will provide you further explanation about ISMS requirements:
- WHAT IS ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
- How to identify ISMS requirements of interested parties in ISO 27001https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
- How to set security requirements and test systems according to ISO 27001https://advisera.com/27001academy/blog/2016/01/11/how-to-set-security-requirements-and-test-syste ms-according-to-iso-27001/
- Requirements to implement network segregation according to ISO 27001 control A.13.1.3 Requirements to implement network segregation according to ISO 27001 control A.13.1.3
These materials will also help you regarding ISMS requirements:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/