Disaster declaration procedure: this content focuses on criteria to be evaluated so a disaster situation can be identified and properly communicated.
Emergency notification procedure: this content focuses on the means and activities required to alert people about an emergency situation. This content differs from disaster declaration because it considers faster and local responses (e.g., a building evacuation), while disaster declaration involves incidents of greater scale.
Incident response procedure: this content focuses on how to react initially to an incident in order to reduce the damage
Recovery procedure: this material focuses on activities required to bring back operations back to agreed service levels, regardless if it is on original site or not.
2 - What other procedure are contained in the BCM plan other than the above?
Answer: You can also find as BCP content:
a - the communication plan, covering activities to ens ure information flow for organization's employees, and emergency services, as well as which information should be communicated to the media.
b - specific procedures for critical assets, like servers, information systems and key personnel.
3 - Should the BCM plan be one big book containing the above or should each be written separately?
Answer: Since BCPs cover multiple issues, in operational terms you should keep multiples BCPs, each one of them as small as possible, with only the necessary information for each team that will use them(e.g., systems recovery team, facilities disaster recovery team, emergency teams, etc.). In management terms, you can also keep one or two copies with all the BCPs, so you can use it to keep track of all plans, which will make their review easier.
(I am doing a TCC (Course Completion Work) on Information Security Policy in the course of Information Systems and would like to know if I can quote texts from the ISOs of the 27000 family as direct and indirect quotations in the TCC, even without actually buying any standard.)
Answer: Para ter acesso ao conteúdo das normas você não precisa necessariamente comprá-las. Você pode acessá-las através de uma biblioteca ou outra fonte autorizada (ex.: norma adquirida pela empresa onde você trabalha).
Caso você tenha tido acesso ao conteúdo das normas de forma autorizada você pode fazer uso de citações diretas. Caso contrário, você deve fazer uso somente de citações indiretas, referenciando a autores que você leu de forma autorizada que incluem estas normas em suas próprias bibliografias.
(To access the content of the standards you do not necessarily have to buy them. You can access them through a library or other authorized source (eg, standard acquired by the company where you work).
If you have had access to the content of the standards in an authorized manner you can make use of direct quotes. Otherwise, you should only use indirect quotes, referencing authors that you read in an authorized manner that included these standards in their own bibliography.)
ISO 9001 nonconformities during IATF 16949 internal audit
Thank you in advance and wish you a nice day,
Answer:
IATF 16949 includes all requirements of ISO 9001:2015, so if you find nonconformity regarding ISO 9001 requirements, that nonconformity can be raised during IATF 16949 internal audit.
Internal auditor competence in IATF 16949
Answer:
Requirements for internal auditor in IATF 16949 have been increased compared to the previous version of the standard. The standard now directly refer to ISO 19011 regarding competences of the internal auditor, the rest of the requirements regarding internal auditor competence are located in clause 7.2.3. There is a explicit requirement for internal auditor training to be provided by the competent trainer and the records about trainer's competency need to be retained.
If the internal auditors meet requirements of the standard in terms of competency, no further certification is necessary, unless it is explicitly required by the company's customer.
Management representative and ISO 9001:2015
No, you do not need MR in new version of the standard
ISO 27001 study material
I don’t have the official ISO 27001 requirements with all the clauses and annex A. I also don’t have the best practices ISO 27002.
Since I not only plan to perform internal audits (maybe later external audits) but also consult clients in the implementation of ISO27001, I want to learn more about the details in ISO27001 and ISO27002.
1 - Are there any online implementation courses you can recommend ?
Answer: You can learn about the details of ISO 27001 and the implementation steps in our ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/, and if you want more thorough training on the implementation, then I would recommend the ISO 27001 Lead Implementer Course - unfortunately, we do not offer such a course.
You can use the same logic, but backwards, that is, instead of you being a customer demanding security conditions from a supplier, your clauses would be about the security conditions you, as a provider, is offering to a customer.
For example, in a clause about backup, as a client demanding from the provider you would include a clause like "provider should ensure backup copies are made of all information classified information and handled according their respective classification". As a provider offering this service for a client you would have a clause something like "as service provider, we will provide to customer backup copies from all his information stated by him as sensitive information, handling them according their respective classification"
To better prepare SLAs for Customers, you could check ISO 27001 clause 4.2 (Understanding the needs and expectations of interested parties) and control A.18.1.1 (Identification of applicable legislation and contractual requirements), so you can have a better understanding on the rationale a potential customer can use to id entify his security needs.
Answer: The quantity of controls that would become not directly applicable would depend of the results of your risk assessment, so there is no way I can precise you a number of controls, but most of controls in sections A.10 to A.13 would not be directly applicable. I used the expression "directly applicable" because in a situation like this, when an organization adopts a SaaS provider, what happens is a risk transfer (your organization transfer the risks related to the operation and maintenance of an IT infrastructure to a third party).
In this case, the organization has to establish clear security clauses in the service agreement, including the monitoring of provider services, or it may find itself with an environment that is riskier than one r an by the organization itself.
For this situation, ISO 27001 has the Annex A.15 (supplier relationships), which covers controls regarding on what clauses to include in agreement's and how to monitor suppliers. Basically, the security clauses would define that the provider should ensure at least the same security levels the organization would deem necessary if it was was running the environment itself.
So, at the end what happens is that you change your direct application of many IT-related controls to the application of few administrative ones, related to contracts and monitoring.
This article will provide you further explanation about security in cloud computing:
1. The first column of the Risk Assessment Table and Risk Treatment Table ("Number"): should I refer to the applicable unique Asset ID Number that I placed in the first column of the Asset Inventory Table? or do I have to place complete new numbers (i.e. Risk Identification Number)?
Answer: No, you do not need to refer to the ID number from the inventory list, only use the asset name and asset owner information. You will have to place new numbers, one for each risk associated to the assets in the Risk Assessment Table.
2. The Risk Assessment (likelihood / consequence) do I have to score from a residual risk perspective (i.e. keeping in mind the effect of all existing control measures that are already in place)?
Answer: Yes, you have to assess the risk considering the effects of all the already implemented controls, and you should identify these implemented controls in the observation column.
In the vid eo tutorials that come with your toolkit you can access videos that can guide and help you fill the risk assessment table and risk treatment table.
Scope of stage 1 certification audit
Can they ask you many questions?
Answer:
The purpose of the Stage 1 audit is to review the QMS documentation and determine whether it is compliant with requirements of the standard. There is no requirement to have quality objectives for every procedure. All process procedures are part of operational controls, different processes need to meet requirements of different clauses, for example, production process need to meet requirements of cause 8.5, purchasing process needs to meet requirements of clause 8.4, etc. I noticed that you are mixing processes and procedures and this is not the same thing, here is an article that might be interesting to you: ISO 9001:2015 process vs. procedure – Some practical examples https://adv isera.com/9001academy/blog/2016/01/19/iso-90012015-process-vs-procedure-some-practical-examples/
The organization needs to determine what should be monitored and measured, as well as the methods and frequency of monitoring and measuring activities. The standard does not explicitly requires that every process has monitoring and measuring but it can be beneficial in order to monitor performance of the processes. For more information, see: Analysis of measuring and monitoring requirements in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/analysis-of-measuring-and-monitoring-requirements-in-iso-90012015/