  • Risk management in ISO 9001


    Answer:

    First, ISO 9001:2015 does not require risk management in the sense that you need to implement it on a full scale. All the standard requires is to identify risks and opportunities related to the QMS and to take actions to address them. The standard does not require an organization to document a procedure for addressing risks and opportunities, or to adopt a methodology for risk assessment. The organization only needs to plan actions to address risks and opportunities and evaluate the effectiveness of these actions.

    For more information, see: How to address risks and opportunities in ISO 9001 https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
  • Safety file non compliant with ISO 9001


    Answer:

    A good start is to see if the client has already stated which policies are not compliant with ISO 9001 and which clauses are in question. If you have such information provided by the client, you can start with correcting this part of your policies.

    If you weren't provided with any other information other than that your documents are not compliant with the standard, then you probably have a lot of nonconformities and they didn't want to bother stating individual clauses of the standard. In this case, you will have to audit your procedures and policies against ISO 9001 and see exactly what parts of your documentation are not compliant with ISO 9001 and then try to correct them. If you do not have the text of the standard, I suggest you use an Internal Audit Checklist that contains all requirements of the standard in the form of "yes or no" questions. Here you can download a free preview of such a checklist https://advisera.com/9001academy/documentation/internal-audit-checklist/
  • Risks and opportunities in HR department

    There is no requirement in ISO 9001:2015 to have documents or records about risks and opportunities but ISO 9001:2015 invites us to determine risks around:

    • context and interested parties;
    • products and services; and
    • processes

    If I think about a process around competency and training I can determine risks like:

    • determining wrong competency requirements for each function within the QMS
    • failure to do a proper evaluation of people’s competency
    • determining the wrong or incomplete actions to close competency gaps (for example, hoping that training is the right tool when it is not, choosing a bad trainer, …)
    • not enough time for training or other actions
    • failure to do a proper evaluation of training effectiveness

    If I think about a process around onboarding of new people I can determine risks like:

    • choosing the wrong person
    • allowing that a person without the proper training and experience starts performing a function
  • Management decisions


    Answer: Considering ISO 27001, top management can define in advance under which circumstances the rules (i.e., processes or controls) can be bypassed, and must ensure that relevant information related to those decisions is recorded (e.g., a risk assessment). If you can provide such circumstances and evidence, the situation is OK.

    The situation you should be worried about is if bypass situations happen often, because this would mean that the information security management system is not properly aligned with the business's expected outcomes, and that is a problem, generally related to the perception of the risks the organization is willing to take, also called risk appetite. In this case, what top management can do is to change policies or procedures as they think is needed.

    This article will provide you further explanation about risk appetite:
    - Risk appetite and its influence over ISO 27001 implementation https://advisera.com/27001academy/blog/2014/09/08/risk-appetite-influence-iso-27001-implementation/

    These materials will also help you regarding risk appetite:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Statements for systems development


    Answer: No. Since systems development processes are unique for each organization these parts need to be adapted by the organization itself in the Secure Development Procedure template, on sections 3.2 and 3.3.

    This article will provide you further explanation about securing development environment and engineering principles:
    - How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/
    - What are secure engineering principles in ISO 27001:2013 control A.14.2.5? https://advisera.com/27001academy/blog/2015/08/31/what-are-secure-engineering-principles-in-iso-270012013-control-a-14-2-5/

    These materials will also help you regarding securing development environment and engineering principles:
    - ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Function separation Matrix

    How did this person get on here?
  • Statement of compliance


    Do you have an executive attestation statement of compliance that they could use for now until the next ISO-27000 security audit occurs in August of this year? If they cannot provide an Executive Attestation at the very least, they may very well lose this client account.

    Answer: Regarding ISO 27001, as an equivalent for an Executive Attestation Statement, you could recommend the use of the Statement of Applicability (you can see a free demo of this document at this link: https://advisera.com/27001academy/documentation/statement-of-applicability/ and see if it can fulfil his needs).

    This article will provide you further explanation about the statement of applicability:
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

    These materials will also help you regarding the statement of applicability:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Having only one quality objective


    Answer:

    The standard doesn't prescribe how many objectives an organization needs to have, so your QMS with only one objective will be compliant with the standard even without justification for having only one objective in the manual. The certification auditor will probably frown upon this approach, but he cannot report this as a nonconformity as long as you comply with the requirements of the standard related to the objectives. For more information, see: How to Write Good Quality Objectives https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
  • Risk assessment flowchart


    Answer: At this moment we do not have this kind of flowchart for sale. This flowchart was created as a free material to help security practitioners understand and show the asset-threat-vulnerability risk assessment and treatment approach.

    For help modelling other assets, I suggest you take a look at the free demo of our Risk Assessment Toolkit at https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/

    This toolkit has all the documents you will need to identify the information for modelling a similar flowchart. Another source is the book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
  • IT audit


    Answer: First of all you must define an audit methodology, and after that identify the audit scope (e.g., processes, assets, locations, etc.) and which references you'll be using to perform the audit (e.g., ITIL, ISO 27001, etc.). With this information you can build a proper audit plan.

    I suggest you take a look at this free online course to get a better view of the audit process: ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

    2. Can I use the knowledge of ISO 27001 to conduct one?

    Answer: Yes. Many of the ISO 27001 requirements and controls are perfectly applicable to audit IT environments.

    3. Must the company be certified?

    Answer: This will depend upon the requirements of the audit client (the person or organization that demands the audit). You should verify this with the organization.

    4. Which certification body do we use in case the client wants to be certified?

    Answer: This is a decision of the organization that wants to be certified, because there are many variables to be considered that will impact not only operations but future strategic decisions.

    This article will provide you further explanation about certification bodies:
    - How to choose a certification body https://advisera.com/27001academy/knowledgebase/how-to-choose-a-certification-body

    These materials will also help you regarding IT audit:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/