Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11268 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Security objectives and audit process
Answer: You can define as many objectives as you consider needed to fulfill the needs and expectations of your interested parties, information security requirements and the results of risk assessments and risk treatments. There is no predefined number to be achieved.
Please, see this article for more information: ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
2 - Competencies of people with roles & responsibilities ie for MD (Information Security Lead). Do you think he should do some kind of high level course to evidence he is competent? Or would some online training suffice? Does he need proven credentials ?
Answer: For the standard, evidences of competence can be demonstrated in terms of education, training, or exp erience. So, if your IS Leader lacks a high level course but has recorded experience or certifications, this is sufficient for the standard. It's up to your organization to define which types of evidences it considers necessary for its needs.
Please, see this article for more information: What to look for when hiring a security professional https://advisera.com/27001academy/blog/2016/02/15/what-to-look-for-when-hiring-a-security-professional/
3 - Internal audit…does the person who will be likely to do the internal audit review also need some kind of proven training and certification to ensure they are competent to do the job? If so, do you please have any recommendations of suitable training courses? I am assuming that a different person would do the audit each year and am wondering if several people should therefore be trained ( or at least a new person each year?)
Answer: The same answer for question 2 applies here. You have to have evidences of competence for internal audit, either in terms of education, training, or experience. You do not need to have a different person to perform the internal audit each year if you can ensure there is no conflict of interest between the auditor and the audited process (the common rule is that no one should audit his own work or any work under his responsibility). The good practice recommends to have more than one auditor available so you can have a different view of the audited process (which is good to identify non conformities and opportunities for improvement) and to minimize risks regarding relying on a single person capable to perform internal audit, but this conditions are not mandatory by the standard.
Regarding an internal auditor course, please see more information here: ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
4 - Finally, is there any chance you could supply us with any more templates which would be helpful to use going forwards; Procedure for corrective actions and Internal audit form?
Answer: For the procedure and and form I suggest you take a look at the free demos and verify if they can meet your needs. The links are:
- Procedure for corrective actions https://advisera.com/27001academy/documentation/procedure-for-corrective-action/
- Internal audit form https://advisera.com/27001academy/documentation/internal-audit-report/
In those pages you just need to scroll down the screen a little to find the tab with the free demo preview.
These materials will also help you regarding security objectives and audit process:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/ -
Sources of requirements
Answer: 'Document stipulating the requirement' is any documentation with needs or expectations that can be measured in terms of information security characteristics. Examples of documents that stipulate requirements are contracts (e.g., Non Disclosure Clauses, which refers to confidentiality), service level agreements (e.g., clauses which define minimal availability to be delivered, like 99.999% availability during a year), and regulations (e.g., EUGDPR, which define how EU Citizens private information must be handle by organizations that offers services to EU, which also refers to confidentiality).
These materials will also help you regarding sources of requirements:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- F ree online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
Duration of ISO 27001 implementation
Answer: To identify the time required to implement ISO 27001:2013 you can use our Free ISO 27001 Duration Implementation Tool, which takes into account the effect of other management systems that are implemented. The link for the tool is https://advisera.com/27001academy/free-tools/free-calculator-duration-of-iso-27001-iso-22301-implementation/
Now, taking into account you are also planning to implement ISO 9001:2015, you can consider saving up to 30% in the time of implementing ISO 27001, because these two standards have a lot of requirements in common. The savings may be greater if they are implemented at same time as an integrated system, but without more detailed information we are unable to properly evaluate that.
This article will provide you fu rther explanation about ISO 27001 implementation:
- Using ISO 9001 for implementing ISO 27001 https://advisera.com/27001academy/blog/2010/03/08/using-iso-9001-for-implementing-iso-27001/
- How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/
These materials will also help you regarding ISO 27001 implementation:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
I also suggest you to take a look at Conformio, our online ISO tool that can provide you a very detailed list of steps that need to be done to implementation ISO 27001, as well as other resources to make your implementation easier. We offer a Free plan includes access for 10 users to ISO guidance, document management system, task management, social intranet, and 1 GB of storage. The link for Conformio is https://advisera.com/conformio/ -
Project risk assessment
Quite clear now. Appreciate your response. Thanks. -
ISO 9001:2015 documentation level
Answer:
Not all processes need to be documented and this version of the standard aims to decrease the amount of documentation. The documentation should be a balance between the competence of employees and complexity of processes. If you have competent employees you don't have to document every singe activity, the same is for the simple processes. Instead of writing procedures, sometimes it can be much easier to develop process flowchart or Quality Plan. For more information, see: New approach to document and record control in ISO 9001:2015 https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/ -
Gaining competence for ISO 9001:2015
Answer:
There is no requirement for the top management to get training in ISO 9001 requirements. The auditors, on the other hand, must get familiar with the standard requirements in order to be able to audit the system. They can get familiar with the standard by themselves or take some in-house or external course, but they do not have to have the certificate.
Here you can find our free ISO 9001:2015 Internal Auditor Course https://advisera.com/training/iso-9001-internal-auditor-course/ -
The transition and the document coding system
For example, I have a flow-down list of document numbers, however it only lists one form number for a calibration list, using F-715-001. Currently we have a calibration form for each piece of lab equipment. Same form just, individual form for each thermometer, balance, etc. Would this form then be F-715-002?
Answer:
New version of the standard doesn't change the coding system, so you can keep the existing one and there is no reason for change. What will change during the transition are the documents themselves and their version number should be changed but they can have the same identification code.
For more information, see:
- New approach to document and record control in ISO 9001:2015 https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/ -
How to address life cycle perspective in providing services?
The life cycle perspective is not relevant for every type of business in the same way, the service companies will have far less difficulties meeting this requirement. In case of logistic company, you will basically examine the steps you go through when delivering the product and determine that environmental aspects regarding each step and it will overlap with your processes such as transportation and storage.
So, in your case you only need to identify and evaluate environmental aspects in your processes and there is no need for further assessments. For more information about life cycle perspective, see: Lifecycle perspective in ISO 14001:2015 – What does it mean? https://advisera.com/14001academy/blog/2017/02/20/lifecycle-perspective-in-iso-140012015-what-does-it-mean/ -
ISO 20000 / ISO 27001 cost of implementation
There are two calculators which can help you:
ISO 27001 - "Return on Security Investment Calculator" https://advisera.com/27001academy/free-tools/free-return-security-investment-calculator/
ISO 20000 - "ITIL Return On Investment (ROI) Calculator" https://advisera.com/20000academy/itil-iso-20000-tools/roi-calculator/ (although it's ITIL calculator, it can help you with ISO 20000).
Additionally, there are some articles which explain this topic:
"How much does the ITIL/ISO 20000 implementation cost?" https://advisera.com/20000academy/blog/2016/12/13/how-much-does-the-itiliso-20000-implementation-cost/
"How much does ISO 27001 implementation cost?" https://advisera.com/27001academy/blog/2011/02/08/how-much-does-iso-27001-implementation-cost/ -
ISO 27001 and ISO 9001 integration
Answer: Yes, both standards have the same structure and can be implemented as an integrated system. This article will provide you further explanation about ISO 27001 and ISO 9001 integration: - How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/ - Using ISO 9001 for implementing ISO 27001 https://advisera.com/27001academy/blog/2010/03/08/using-iso-9001-for-implementing-iso-27001/ These materials will also help you regarding ISO 27001 and ISO 9001 integration: - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/ - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-14001-internal-auditor-course/ - ISO 27001 implementation: How to make it easier using ISO 9001 [free webinar] https://advisera.com/27001academy/webinar/iso-27001-implementation-make-easier-using-iso-9001-free-webinar-demand/