This situation is very strange. The scope of the customer audit can only include the processes and products they are using, and you can prohibit them from auditing other processes and facilities. Taking pictures of processes and documents is completely off limits; you cannot allow this. There cannot be an agreement that grants them this, especially if they are not using products produced in this way.
They will probably try to threaten you with canceling the contract or something like that, but you should endure. This sounds like the behaviour of some big company, but sometimes it is better to lose a contract than to allow a third party to find out all the sensitive information about the company.
Clause 4.4 of ISO 9001:2015 contains general requirements for the QMS (Quality Management System), and it cannot be fulfilled by a single document or process but rather by establishing the entire system. You will need to identify all the processes, determine their interaction and sequence, inputs and outputs and so on. Basically, by defining each process, documenting procedures and performing the processes, you will meet the requirements of this clause.
The first step that needs to be done is the company's decision to follow ISO 9001 as the guide for the QMS. Thus, the organization will need to carry out the creation and documentation of its QMS according to ISO 9001. After some time, and having assessed internal audits and at least one management review, the implementation will be completed. Finally, a certification body will verify that the company meets the standard.
Controls elaboration
For example, I want to talk about human resources security: I want to use my own words and would not take the information that the standard itself already cites or defines.
Answer: First, it must be understood that the standard provides information about what must be achieved and done, not about how. This way, organizations have the freedom they need to give their controls the most appropriate form.
That said, to give your controls an appropriate form you need to consider which needs must be met (the security requirements), for example contracts, laws and internal objectives. From there you can design the controls so that they meet these requirements.
Considering human resources, the standard requires that a control be established to handle non-compliance with controls. If your organization already has a disciplinary process in place, you would only need to reference it. If one does not yet exist, you are free to define which sanctions would apply and how the process would work, limited only by what the law permits.
Answer: Regarding software requirements and software design, ISO 27001 has no specific requirement related to what to keep as records. The standard leaves this decision to the organization itself, the only condition being that the defined records are sufficient to ensure the effectiveness of the information security management system. So, your organization does not need to keep records with hundreds of lines if this is not needed to ensure that information and security objectives are protected. As an example you can take a look at the free demo of our Specification of Information System Requirements at this link: https://advisera.com/27001academy/documentation/specification-of-information-system-requirements/
In this demo you will note that the record will be only as big as you need to specify system requirements.
Regarding the differences between BCP and DRP, your thinking is right: BCP is wider than a DRP. BCP aims to ensure the business continues to operate after a disruptive event, while the DRP aims to handle the impacts at the affected area and bring operations back to normal conditions.
The first thing I suggest is to build a project plan and a project presentation, so you can gather all the information you already have and make it available for a quick presentation if needed. The second point is that even if you already have management support (your implementation is already considered in the strategic plan), you should approach process owners asking them to validate your BIA, so you are both aligned regarding what is considered important in terms of information security, and only after that should you ask them for resources. This way you work on their needs first, and yours will be easier to gain.
Regarding which process you should start with, this will depend on the resources you will have available (both in terms of quantity and competence) and your organization's priorities.
This article will provide you further explanation about ISO 27001 implementation:
- ISO 27001 implementation checklist https://advisera.com/27001academy/es/knowledgebase/lista-de-apoyo-para-implementacion-de-iso-27001/
These materials will also help you regarding ISO 27001 implementation:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/seguro-simple-una-guia-para-la-pequena-empresa-para-la-implementacion-de-la-iso-27001-con-medios-propios/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Enforcing ISO 27001 in satellite offices
Answer: When you refer to "satellite offices" I'm not sure if you refer to your company branch offices, or home offices of your employees/consultants? If those are branch offices, then you simply create security rules that will be valid throughout your company, in all company locations - e.g. according to Acceptable Use Policy the employees in all locations would be required to create the backup of their files in a certain way.
If these are home offices, then you need to create a Teleworking policy that will define the security rules for employees working from home.
So basically you are enforcing the implementation of the security rules in both cases, only you're doing it through different documents.
It is really hard to identify a nonconformity regarding clause 6.1 because the requirements are very vague. If the remark is not directly related to some requirement of the standard, it is impossible to raise a nonconformity. Inadequate clarity on risk-based thinking cannot be stated as a nonconformity but rather as an observation.
First, ISO 9001:2015 does not require risk management in the sense that you need to implement it on a full scale. All the standard requires is to identify risks and opportunities related to the QMS and to take actions to address them. The standard does not require the organization to document a procedure for addressing risks and opportunities, or to adopt a methodology for risk assessment. The organization only needs to plan actions to address risks and opportunities and evaluate the effectiveness of these actions.