Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11272 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Documenting context of the organization
Answer:
ISO 14001 does not require context of the organization (internal and external issues) to be documented. However, if you decide to document them you can do it through some kind of record, it can be a sheet or record from the meeting on which the organization determined the context. This document can be kept separately, or can be an appendix to the manual, the document about the scope, etc.
For more information, see: Determining the context of the organization in ISO 14001 https://advisera.com/14001academy/knowledgebase/determining-the-context-of-the-organization-in-iso-14001/
These materials will also help you regarding the documentation and the context:
- Book Managing ISO Documentation: A Plain English Guide https://advisera.com/books/iso-standard/iso-14001/
- Free online training ISO 14001:201 5 Foundations Course https://advisera.com/training/iso-14001-internal-auditor-course/
- Conformio (online tool for ISO 14001) https://advisera.com/conformio/ -
Who must perform the Risk Assessment within the Company?
The risk assessment must be performed by all organization units involved with the ISMS scope (good practice would be the risk assessment being performed by one person from each department), either all together in a single process or in separated processes that will be consolidated later (this will depend on the size of the scope, its complexity, number of people involved, etc.). Regardless of the approach, you should consider the participation of the Information Security Manager, or someone with knowledge on the risk assessment process, to act as facilitator, supporting the organization units personnel to identify, analyse and evaluate the risks concerning their activities.
This article will provide you further explanation about the risk assessment process:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
These materials will also help you regarding the risk assessment process:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-risk-management-in-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/ -
Required documentation vs documented process
Answer:
The standard does not use the term "required documentation" and it can refer to all documents and records required by the standard. The term "required documented process" refers to mandatory documented procedures required by the standard.
Besides the term "documented process", IATF 16949 uses the term "documented information", the same as ISO 9001. There are two phrases where this term is used and they mean different kind of documented information. The first is "maintain documented information" and this refers to different documents such as Quality Policy and QUality Objectives and the second is "retain documented information as an evidence" which means that you need to produce some kind of record, for example record of risk analysis.
For more information, see: How to structure IATF 16949:2016 documentation https://advisera.com/16949academy/knowledgebase/how-to-structure-iatf-16949-2016-documentation/ -
ISO 27k project sponsor
Answer: Generally a project manager has to report to the project sponsor, the person who has the most interest in the project success and the authority to make things happen if the project is not going well. In some cases this person is the CEO or a member of top management, but since you stated that an information security manager is already designated, then you should verify in the project plan documentation who is the project sponsor.
This material will also help you regarding ISO 27001 project implementation:
- Preparations for the ISO Implementation Project: A Plain English Guide https://advisera.com/books/preparations-for-the-iso-implementation-project-a-plain-english-guide/ -
Asset inventory content
Answer: In the inventory of assets you should list anything inside the ISMS's scope that has value to the organization, generally grouping them in terms of processes, information and resources that support them (e.g., hardware, software, network, etc.). To avoid excessive, and sometimes unnecessary effort, if there is no specific reason to list an individual asset separately (e.g., the information on a employee's laptop), you can refer to them as general asset in your inventory (e.g., HR laptop, or corporate laptop, etc.). Regarding additional information, besides the identification o f the asset's owner, an organization is free to decide which information to include that in its evaluation will make the asset management easier (e.g., software version, asset's physical location, etc.).
This article will provide you further explanation about asset management:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
These materials will also help you regarding asset management:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
Management Representative: Role and responsibility
Each organization can design a particular role and responsibilities for its Management Representative, the minimum required by ISO 9001:2008 is on its clause 5.5.2. For example:
• Maintenance of the QMS – like following-up internal audits;
• Reporting on QMS performance – like communicating to top management how the performance of the system is going
• Promoting customer requirements – like communicating customer requirements inside the organization and showing how each employee contributes to their fulfillment
• Liasing with external parties like the certification body
The following material will provide you details with the role and responsibilities of the Management Representative:
Article - What is the job of the quality management representative? - https://advisera.com/9001academy/knowledgebase/what-is-the-job-of-the-quality-management-representative/
Article - What will be the destiny of the management representative in the new ISO 9001:2015? - https://advisera.com/9001academy/knowledgebase/what-will-be-the-destiny-of-the-management-representative-in-the-new-iso-90012015/
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/ -
ISO 27001 implementation process
Answer: The first and most important step is to gain the buy in of top management to support this project, because without the top management support, in terms of capital, personnel, equipment, and authority, you will have a very difficult job to convince the organization to adopt information security practices.
This article will provide you further explanation about ISO 27001 implementation process:
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
These materials will also help you regarding ISO 27001 implementation process:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
Log monitoring tools
-A.12.4.1, A.12.4.3 Logs of user activities, exceptions, and security events
This mean, we are required to have a centralized log management system in place e.g. SIEM?
Answer: No. Centralized log management system is one of the solutions that you can use to fulfill these controls if they are applicable, but depending on the size, resources and requirements of your organization, you can manage the logs provided by your applications and systems in decentralized form. Additionally, you also may have situations where you do not use systems to log information, like occurrence books to record physical access.
These articles will provide you further explanation about log and monitoring controls:
- Logging and monitoring according to ISO 27001 A.12.4 https://advisera.com/27001academy/logging-according-to-iso-27001/
- How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/
This material will also help you regarding log and monitoring controls:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/ -
The procedure manual, context and interested parties
Answer:
The standard has several requirements for documented procedures but, it does not require documented procedure for each clause. For those clauses that require documented procedures, they usually define the content of the procedure and the key requirements that the procedure must cover. For more information, see: 7 steps in writing QMS policies and procedures for ISO 9001 https://advisera.com/9001academy/blog/2015/03/10/7-steps-in-writing-qms-policies-and-procedures-for-iso-9001/
As far as context of the organization is concerned, you need to gather relevant people in the organization and determine internal and external issues that affect Quality Management System. For more information, see: How to define the context of the organization in IATF 16949:2016 https://advisera.com/16949academy/knowledgebase/how-to-define-the-context-of-the-organization-in-iatf-169492016/
Within requirements for determining context of the organization, the organization also needs to identify interested parties and their needs and expectations related to Quality Management System. For more information, see: Determining interested parties and their requirements according to IATF 16949:2016 https://advisera.com/16949academy/knowledgebase/determining-interested-parties-and-their-requirements-according-to-iatf-16949/ -
Matrix for communication
Answer:
Matrix for communication is not really a requirement in ISO 9001, however, if you decide to make it, the best way is to create a table where in one column you will list all relevant roles in the QMS (Quality Management System) and in each row in the table will represent one responsibility for communication, for example communicating Quality Policy. Then you can put check marks to mark which role is responsible for which communication.
For more information, see: Communication requirements according to ISO 9001:2015 https://advisera.com/9001academy/blog/2016/11/01/communication-requirements-according-to-iso-9001-2015/
These materials will also help you regarding communication process:
- Book Discover ISO 9001:2015 Through Practical Examples https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
- Free online training ISO 9001:2015 Foundat ions Course https://advisera.com/training/iso-9001-foundations-course/
- Conformio (online tool for ISO 9001) https://advisera.com/conformio/