
  • Formulating questions during internal audit

    It means to audit your company against ISO 9001:2015 requirements to determine to what level your company is compliant with the standard.
  • Providing evidence for clauses without mandatory documents


    Answer:

    The fact that there are no mandatory documents doesn't mean that documenting them is forbidden. Actually, some requirements are much easier to meet if there are some records of the actions taken. In cases where there are no records or documents, the auditor will have to put in additional effort to determine whether the requirements are met, and this is usually done through interviews and observing activities.

    When it comes to internal and external issues, the auditor will have to speak with the top management and other relevant roles to determine whether the organization has considered and defined the context of the organization.

    In the case of interested parties and their needs and expectations, it is really hard to meet the requirements without any record, although there are no requirements for documenting this clause. For example, there must be contracts where the needs and expectations of interested parties (e.g. customers, subcontractors, etc.) are stated, or laws and regulations relevant to the organization's business.

    For risks and opportunities, if they are not documented, there must be some written trace of the actions taken, so it is up to the auditor to find them.

    For more information, see: List of mandatory documents required by ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
  • Internal auditors

    You must make sure that the internal auditors are qualified and have the experience needed to carry out the work properly. It is very important that the internal auditors gain the competencies needed to carry out a good internal audit, so that both the results and the corrective actions identified help to improve the QMS, and of course to successfully pass the certification audit.
    If your internal auditors do not have these competencies related to the new version of the standard, then they should acquire them.

    It is possible to take this ISO 14001:2015 internal auditor course through our website; for more information see: https://advisera.com/es/formacion/curso-de-auditor-interno-iso-14001/
  • List of legal requirements


    Answer: For reference about laws and regulations, I suggest you take a look at this material: Laws and regulations on information security and business continuity https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/

    I also suggest you take a look at the free download of our List of Legal, Regulatory, Contractual and Other Requirements at this link: https://advisera.com/27001academy/documentation/list-of-legal-regulatory-contractual-and-other-requirements/

    This template can help you organize your requirements.

    This article will provide you with further explanation about requirements identification:
    - How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
  • Cyber Essentials


    Answer: Your decision will depend mostly on your organization's objectives and your current security level. Cyber Essentials is more focused on the implementation of controls to enhance cyber security, while ISO 27001 is a management system standard focused on the implementation, maintenance and improvement of information security in all environments where information is handled (e.g., information systems, paper-based information, etc.). Cyber Essentials will be quicker to implement, but ISO 27001 can provide better results in the long term.

    Consider performing a security diagnosis first. If your current situation is considered acceptable regarding your objectives, the best course of action may be implementing ISO 27001 first, using Cyber Essentials during the control implementation phase of the ISO 27001 implementation. If your situation is not considered acceptable, you may go for Cyber Essentials first and after that start the ISO 27001 implementation.

    These articles will provide you with further explanation about ISO 27001:
    - What is ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-iso-27001/
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    These materials will also help you regarding ISO 27001:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Certification requirements

    Answer: No. If the department has not yet undergone a certification audit and been considered in compliance with the requirements of the standard, it cannot be declared that it is certified.

    This article will provide you with further explanation about the certification process:
    - Becoming ISO 27001 certified – How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/

    These materials will also help you regarding the certification process:
    - Preparing for ISO Certification Audit: A Plain English Guide https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/
    - ISO 27001/ISO 22301: The certification process [free webinar] https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/
  • SA 8000 and ISO 9001 and OHSAS 18001

    I am from a human resources background. Currently I am working as an HR & Compliance Executive. How would ISO 9001 help my career as a social compliance auditor? Also, please suggest some good certification bodies from India for ISO 9001.
  • Toolkit content

    - A.5 Information security policies
    - A.18 Compliance

    I do not see an assessment tool for ISO27K. Is there any reason for this omission? Is it not included as part of the toolkit?

    Answer:

    1) The controls from section A.5 Information security policies are covered in many policies provided in the toolkit (e.g., Information security policy, Access control policy, Acceptable use policy, Backup policy, etc.).
    2) The controls from section A.18 Compliance are covered in the following documents: Procedure for Identification of Requirements, and List of Legal, Regulatory, Contractual and Other Requirements - you'll find them in folder 02 "Procedure for identification of requirements".
    3) ISO 27001 does not require the usage of a tool for doing the risk assessment, so we are offering the Excel sheets for performing this task - in our experience, this is much easier for smaller companies, for which our toolkit is designed. You'll find those sheets in the folder 05 "Risk assessment and risk treatment methodology".

    By the way, you can find the information about which controls and requirements are covered by each document in the file List of documents that you'll find in the root folder of the toolkit.
  • Nonconformities and corrective actions


    In my previous employment and experience, we usually initiated only a CAR for audit findings. To me, it seems like a redundancy.

    Do you see a reason for initiating a NCR? Is it a requirement?

    Answer:

    Results of the certification audit can be minor and major nonconformities and recommendations. In case of nonconformities, you will need to document them as per clause 10.2.2 regardless of who identified the nonconformity. Then you evaluate the need for action to eliminate the cause(s) of the nonconformity, in order that it does not recur or occur elsewhere, and that is corrective action.

    This might seem like a redundancy, but it provides traceability and also enables the organization to file more information on the nonconformity than what is stated in the certification audit report.

    For more information, see: How to deal with nonconformities in an ISO 9001 certification audit https://advisera.com/9001academy/blog/2015/06/09/how-to-deal-with-nonconformities-in-an-iso-9001-certification-audit/
  • Information security career


    Answer: With the increase in the number of incidents involving information leakage, impacting both end users and big organizations, and in the number and strictness of legislation, the need for information security professionals is also increasing, in both technical and management aspects. I suggest you look at this report for an overview: The State of Cyber Security Professional Careers https://www.esg-global.com/hubfs/issa/ESG-ISSA-Research-Report-State-of-Cybersecurity-Professional-Careers-Oct-2016.pdf

    Concerning learning, there is no such thing as the "right path"; it is more like the path most adequate for you. ISO management systems themselves recognize this (in terms of competencies, they consider education, training or experience as sources). So, you can go for formal academic knowledge, attend information security related courses and training, or develop your skills through daily activities. Here at Advisera you can find articles, white papers and online courses that can give you a starting point.

    Take a look at these links to access our knowledge base, white papers and courses:
    - https://advisera.com/27001academy/knowledgebase/
    - https://advisera.com/27001academy/free-downloads/
    - https://advisera.com/training/

    These articles will provide you with further explanation about the information security profession:
    - What to look for when hiring a security professional https://advisera.com/27001academy/blog/2016/02/15/what-to-look-for-when-hiring-a-security-professional/
    - CISA vs. ISO 27001 Lead Auditor certification https://advisera.com/27001academy/blog/2015/05/11/cisa-vs-iso-27001-lead-auditor-certification/
    - How personal certificates can help your company’s ISMS https://advisera.com/27001academy/blog/2014/10/06/how-personal-certificates-can-help-companys-isms/