Where do you see the place of purchase in ISO 14001? In my company this department gets all the information and requirements from the development department, so I do not see a smart contribution.
Asking because of determining the scope. And purchasing in our situation is outside, on the group level.
Thank you in advance for your answer.
Answer:
The purchasing process is an important part of the organization, and clause 8.1 has a significant part about the control of outsourced processes and externally provided products and services. Even if the purchasing is conducted on a higher level, the part of the organization you want to put under the EMS (Environmental Management System) scope still makes purchasing requests, and it needs to define those requirements in terms of environmental protection and operational control.
I don't say it cannot be done, but I think it is beneficial for the EMS to include the purchasing process in the scope.
Information Security control and revision over third parties
Answer: For verifying the compliance of an outsourced service like Office 365 you should use as reference the terms of service for the provision of the service. In these terms of service you should look for clauses referring to which information controls will be implemented and how, and how the provider will demonstrate to the customer that the controls are implemented and working properly.
From this point you can ask for evidence of how the controls are implemented and how they are being verified and evaluated, either by the provider (e.g. by means of an internal or external audit of the provider's premises) or by the organization (e.g. through a review of audit reports sent by the provider to the person responsible for the service in your organization).
In case big providers do not provide enough security, then you should consider switching to smaller providers with which you can specify the security clauses they need to comply with.
Answer: Basically you have to state the reason why the control is applicable or not applicable to your organization.
To justify the application of a control you can state it is applicable because:
- of the results of the risk assessment (e.g., applicable because of risk number xxxx);
- it should comply with a legal requirement (e.g., applicable to ensure compliance with a law, industry regulation or contract);
- of a top management decision.
In general the justification for not applying a control is related to the fact that there is no unacceptable risk related to that control, or that top management has accepted the risk as it is.
The scope is IT Infrastructure along with HR Administration.
Providing evidence for requirements regarding interested parties
Answer:
The auditor will try to determine whether you identified relevant interested parties and their needs and expectations and how you are meeting those needs and expectations. Although it is not required by the standard, the best way to provide evidence that you've identified interested parties and their needs and expectations is to document them in some kind of record or register.
There is no certification required to be an ISO 9001 consultant, at least in most countries. Put yourself in the shoes of a potential customer and think about what they would look for and care about when searching for an ISO 9001 consultant, things like background, experience with ISO 9001 and economic sectors. Most customers expect a consultant to have some certificates
These materials will also help you regarding the topic of becoming an ISO 9001 consultant:
Answer: We're sorry about this confusion. You should use the list that comes with your documentation toolkit. Besides the mandatory documents, the documents listed in the toolkit also include forms for mandatory records.
This toolkit has all documents required to comply with ISO 27001, together with additional material and support to guide you through your implementation project. These templates are also applicable to any kind of organization.