the standard not make that mandatory to record it on corrective action form?
Answer: Documentation of the correction process is no longer mandatory under the standard (it is now an organizational decision whether or not to document a procedure). It only requires that the nature of the nonconformities, the subsequent actions taken, and the results of corrective actions be retained as documented information.
I was not clear on how to cover the design and supervision aspects of the processes.
Answer:
In order to align the design process with ISO 9001:2015, you need to implement all requirements of the standard from clause 8.3. This includes design and development planning, defining design and development inputs, outputs, and controls, and also how changes in the design will be handled. For more information, see: The ISO 9001 Design Process Explained https://advisera.com/9001academy/blog/2013/11/05/iso-9001-design-process-explained/
I'm not sure what you mean by the supervision process; I assume you mean supervision of the production process. This process and the controls for it are defined in clauses 8.1 and 8.5. You need to define criteria for the process and products, along with the necessary documented information. The controls to be implemented should ensure that the product and the production process are compliant with the standard and with the expectations of the organization. For more information, see: ISO 9001:2015 clause 8.5 Product realization – Practical examples for compliance https://advisera.com/9001academy/blog/2015/11/03/iso-90012015-clause-8-5-product-realization-practical-examples-for-compliance/
ISMS scope definition
Answer: Sure, as the main process in your ISMS scope this is a perfect choice considering your consultancy business. But you should also consider the size and location of your activities when defining your scope, since for a small or medium business working from a single location, it is more practical to certify the business as a whole instead of handling a particular process.
You only have to scroll down the screen a little to find the free demo tab.
Corrective action process
1 - Is it an expectation that anyone within the organisation can complete a corrective action form? Or should it be directed through a central location e.g. the service desk for them to complete?
Answer: The standard only requires that corrective actions are performed when needed after a nonconformity is encountered. How to handle a corrective action is an organizational decision, and both approaches you mentioned are valid. You only have to ensure that the people who handle a corrective action are properly trained in doing so and that the results of any corrective action are retained as documented information.
2 - Would it be appropriate to post the form on our intranet and direct all our people to it for them to complete and then submit the form?
Answer: In terms of the standard this point is indifferent (this is another "how" situation, and the standard only defines "what" must be done), but for an organization's operational purposes this is a good idea, because it makes the form easier to find.
3 - Presumably this is to evidence continual improvement?
Answer: Yes. Together with evidence of implemented opportunities for improvement, documented information about corrective actions is evidence that the management system is being improved over time.
All the risks that affect the QMS and the organization need to be addressed, regardless of the fact that the company faced them earlier. If these, let's say, old risks haven't been addressed properly and they still exist, they should be addressed again.
The way of dealing with the risks is to define actions to address the risks. You need to define what needs to be done, who will do it, what resources are needed and what is the deadline for the action.
The risks can be turned into opportunities, but an opportunity itself is perceived only as something positive. When trying to identify opportunities, you need to ask yourself what can be done better, what can be improved, and so on.
In this toolkit you have templates for a Business Impact Analysis Methodology and a Business Impact Analysis Questionnaire, which can help you perform a business impact analysis according to ISO 22301, the ISO standard for business continuity.
With this toolkit you also have access to business impact analysis video tutorials that will help you fill in the documents and perform the BIA.
Regarding mapping GLBA to cyber security, unfortunately we do not cover this specific issue. We are focused on ISO standards, but since the main concern of GLBA is the protection of individuals' private information, by implementing an ISMS based on ISO 27001, complemented by ISO 27018, we can ensure you will have a pretty strong base on which to develop your security controls.
Answer: For an ISMS project you should consider ISO 27001 first, since this standard defines the requirements for an ISMS. This will help you define your project scope and policy. ISO 27002 can help you most in the risk treatment phase, when you need to define the details of the controls to be implemented.
Answer: You are right in your assumption that the mention of all individual employees should be replaced with a single term, but the correct one to use is "asset user", because this term establishes that the person who handles the laptop at a given moment is the one responsible for its security. Defining "all employees" as the asset owner is the same as defining that no one is responsible for it.