I'm having some difficulty determining how to format the context of our organization. I was wondering if perhaps I could also state in our QMS that the internal and external issues are to be determined/addressed yearly, and that the meeting to determine these issues is to be held after our upcoming audit. Will that be acceptable? Our transition audit is rapidly approaching...
Thanks in advance for your input.
Answer:
Defining the context at an annual meeting can be acceptable from the side of the standard when it comes to defining how the context will be determined. However, you need to determine the context of the organization before the transition audit, because without a defined context the QMS will be incomplete, since so many other elements of the QMS depend on the context.
My suggestion is to determine the context prior to the audit, and there are some simple ways to do it, for example a SWOT (Strengths, Weaknesses, Opportunities, Threats) analysis. This analysis will leave a record behind it and can be useful to demonstrate that determination of the context has been conducted.
What would be the expectations in terms of evaluation of this kind of supplier?
Answer:
The supplier performance indicators are mandatory for all suppliers. Depending on the type of service or product being provided, the organization will have to develop different supplier performance indicators. For example, requirement 8.4.2.4 a) for maintenance providers can be the daily or monthly maintenance plan, and the organization can monitor whether the plan was realized.
Inventory of assets and risk assessment
Answer: First of all, an inventory of assets is not mandatory according to ISO 27001:2013 (it is a suggested control from Annex A, which may be selected if there is an unacceptable risk that can be treated by its implementation).
Second, some risk assessment approaches are not based on assets for risk identification. Instead, they could be based on some method not related to assets (e.g., scenario based).
Third, for smaller companies that use the asset-based approach for risk assessment, it is easier to list all the assets directly in the Risk assessment sheet; later on, they do not need to have a separate Inventory of assets.
1 - In the case of the example when you say: “… you should verify what is defined in the procedures established by the area that provides the information” … what do you mean by “area”? The Management or the specialized area that reports to said management?
Answer: I meant the specialized area that reports to management. In your text you mentioned that it was this specialized area that designed, developed, and is using the security protocols.
2 - If the Management owns the information, why should it be subject to the procedures of the area that provides the information, which I understand is the specialized area?
Answer: Because there are situations where if the information owner's actions do not follow specific procedures the responsible area (in this case, the specialized area) cannot ensure proper information protection. Changing information classification level or the list of who can access them is one of them.
3 - Finally: There is no formal risk analysis that has been raised to the Board. As I wrote, the security policies were defined by the specialized area because there are no such policies in the Management. And one of the security policies was not to share information with non-specialized areas.
What should the specialized area do?
Answer: The specialized area should consider providing a brief risk analysis showing the risks related to sharing that information with non-specialized areas for management evaluation. Based on this analysis, management can decide to assume the risks and share the information, or consider the risks unacceptable and decide on another course of action (e.g., do not share the information, change the content of the report sent to non-specialized areas to minimize sensitive information sharing, etc.). The important thing here is that management makes a decision with clear information about the risks involved in hand.
Additionally, the specialized area should consider reviewing its procedures and protocols to include performing regular risk assessments. This can help anticipate potential risks.
Study material
Though I have some idea about these, could you suggest good books or online material which I can refer to in order to consolidate my audit knowledge?
The areas to be audited are as below (in one of the organisations):
• Physical Security
• Device / Data Security
• Human Resource Security
• IT Environment management
• Business Information Processing
• Access to Applications & Network
• Privacy (data)
• Backup / Recovery
• Incident / Problem Management
• Business Continuity
• Vendor & Contract management
• Client contract management
The standard requires the organization to document a process (procedure) for ensuring that products are compliant with statutory and regulatory requirements related to the product in all countries in which the product arrives within its life cycle. This can be done in the purchasing procedure or in a separate procedure.
Legal requirements
Answer: If your organization must comply with this law then yes, compliance with it is a requirement for ISO 27001 certification.
Regarding whether you should work first on the law or on ISO 27001, the first thing you should consider is the duration of your ISO 27001 implementation project and the deadline for compliance with that law. If your project can be concluded before the deadline, maybe it is better to start with ISO 27001, because it can deliver an environment which can fulfil both the law you need to be compliant with and other requirements your organization may have for the ISMS.
If your project cannot be finished before the deadline, you should consider whether a reduction in the certification scope, e.g. to cover only the part of the original scope that would be related to the law you must be compliant with, can allow you to meet the deadline, and whether postponing the implementation of the remaining scope is acceptable (since the management part of the system will already be implemented, you will have fewer activities to perform).
If none of these alternatives are acceptable, then you should consider working first on compliance with the law, and after that make arrangements in the ISO 27001 implementation project to include those controls in the system.
Requirements from interested parties for working in public places
Answer:
An employee working in a public place is not an interested party, because he/she is part of your company - this person will have to comply with the security policies and procedures that your company develops. Therefore, the security requirements will come from within your company, not from an interested party.
In the process characterization I establish the accountability of the process leaders, and in the quality meetings, how do I execute them?
Should I establish a characterization for the leadership part, "Management"?
My answer:
GAP analysis can be a good tool in the implementation of ISO 14001:2015 to focus the leadership and commitment of top management. You can also consider the existing process map to connect it with the document management responsibilities for each type of process.
As for top management or "gerencia", it will need to comply with the following aspects:
- Ensure that the organization's strategic plans and objectives are compatible and integrated, and that they fall within the scope of the organization.
- Ensure that the necessary resources are available and that the EMS can interact with the existing business processes.
- Take responsibility for delegating and directing employees in order to ensure that performance objectives are met.
- Ensure that continual improvement is achieved.
- Provide leadership to other supporting positions within the organization to ensure that the overall goals are met.
- Communication: ensure that critical objectives, aspects, and performance parameters and results are communicated effectively and continuously to all interested parties.
P.S. We did a risk assessment for the IT services delivered and chose the controls from A.15 for risk mitigation.
Answer: Even if your organization's IT operations are outsourced, some controls from section A.12 might still be applicable to it, like A.12.1.2 (change management), A.12.1.3 (capacity management), and A.12.7.1 (information systems audit controls), so you have to perform an evaluation first to verify this situation before considering all controls as "not applicable". For those that are totally under the provider's control you can state them as "not applicable", providing as justification that the IT operation is outsourced.
Regarding stating a control as "applicable" by referring to the ISMS of another organization, you cannot do that, because you do not have control over the provider's ISMS (at most you are an interested party - a customer - that is considered in that ISMS's context). For situations like that you can state controls from section A.15 as "applicable" to your ISMS, to ensure that the provider will take as much care of IT security as if you were performing the IT operations yourself. For example, if in your IT operations you would use backup practices, you have to ensure the service agreement also defines that the provider has to use backup practices.