The standard requires organizations to determine interested parties and their needs and expectations relevant to the Quality Management System, and to monitor information about these interested parties and their requirements. If you meet these requirements, you are compliant with the standard. It is up to the company to decide whether to group the interested parties based on their requirements, functions, importance, or any other criteria that the company determines; there is no requirement to name the parties individually.
All these elements, if we talk about the objectives, are a product of practice, and it is a proven method for establishing and achieving the objectives. The information needed for evidence-based decision making is required by the standard, and again the standard is made according to best practices that ensure the quality of the products and services and customer satisfaction.
Internal Audit Checklist
Answer: You can write one or more of the following types of evidence to support the decision that the audited area is compliant or not with the requirement covered by the question:
- Presence or absence of records, procedures, policies, or any other documentation defined by the ISMS;
- Auditor's observation of a compliant or non-compliant situation; or
- Declaration by a person with authority to do so (e.g., a manager or process owner).
For example, for the question "Is the risk treatment process documented, including the risk treatment options?" if the audited area is compliant, you should write in the evidence column the identification of the procedure used by the audited area.
2 - Do you have a list of that evidence?
Answer: To answer this question, you must first understand that some questions are pretty straightforward, requiring only the existence of a specific document or record (like my previous example), but others require more analysis to ensure conformity. For example, simply having a documented scope cannot answer the question "Are the general ISMS objectives compatible with the strategic direction?". For verifying compliance you should understand the process that led to that scope and see how the strategic direction influenced its creation. In fact, most of an internal audit that adds value to the business is not about documentation, but about whether the processes and activities are capable of consistently meeting the requirements.
That said, for a list of documents and records, you can consult this article to see not only mandatory documents (that for sure you can relate to the questions on the checklist), but also the most commonly used documents for ISO 27001 implementation (that may or may not cover the questions on the checklist, depending upon the context of the organization and audited area):
Regarding other evidence that would require more preparation to analyse and evaluate, I suggest you take a look at these materials, so you can know how to prepare yourself properly:
Also, in the video tutorials that came with your toolkit, you can see examples of the mentioned types of evidence you can use to write your audit checklist.
Security in SDLC
Answer: The whole section A.14 from ISO 27001 Annex A can provide you support for security testing to be included in your SDLC:
- From control A.14.2.1 (Secure development policy) you can get support to establish high level rules for security testing (e.g., the need to perform security testing).
- From control A.14.1.1 (Information security requirements analysis and specification) you can get support to establish security requirements for your systems (e.g., system should fail securely in case of error).
- From control A.14.2.8 (System security testing) you can get support to establish how to perform security testing (e.g., white/black box testing).
And finally, from the control A.14.3.1 (Protection of test data) you can establish directives to protect testing data, so the test conditions can emulate the real environment as closely as possible without putting the real data at risk.
To help you organize and manage your project, I suggest you take a look at our online ISO tool, Conformio (https://advisera.com/conformio/). When you open a free account you can get access to the most detailed list of steps in ISO 27001 implementation.
Risk Assessment and Treatment
Answer: First of all, not all identified risks must be treated, only those considered unacceptable according to your established criteria and security levels.
Considering this, a company can implement certain controls after the certification if: (1) all the major risks are resolved before the certification, (2) in the Risk Treatment Plan it is clearly defined that those controls will be implemented at a later date, and (3) the risk owners have accepted the risks related to controls that will be implemented later.
2 - Also, do you do ISO certification inspections?
Answer: Unfortunately, we do not provide certification services because this would be a conflict of interest. We provide you help with the implementation of a standard with our documentation toolkits, online courses, books and other online tools. This article will help you: How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
ISO 9001 and ISO 17020 have little in common since they cover completely different areas. ISO 17020 contains requirements for the competence of bodies performing inspection and for the impartiality and consistency of their inspection activities, while ISO 9001 specifies requirements for a quality management system. ISO 9001 can be used by an organization to meet the requirements in 8.2 to 8.8 of ISO/IEC 17020, but only when the QMS covers the activities of the inspection body.
Risks and opportunities and environmental aspects
Answer:
ISO 14001:2015 requires organizations to consider risks and opportunities related to environmental aspects, compliance obligations and the context of the organization. Although the standard does not make a distinction between significant and insignificant aspects regarding this matter, it does not require organizations to determine risks and opportunities for each environmental aspect. For more information, see: ISO 14001 risks and opportunities vs. environmental aspects https://advisera.com/14001academy/blog/2016/06/06/iso-14001-risks-and-opportunities-vs-environmental-aspects/
GAP analysis before the implementation
Answer:
The gap analysis is not a mandatory step; it represents the usual practice. The purpose of the gap analysis is to determine to what level your company is already compliant with the standard and what needs to be done to achieve full compliance with the standard. It represents a good basis for planning the implementation, but again the company can implement the standard even without using the gap analysis. For more information about the gap analysis, see: Should you use a gap analysis in your ISO 9001 implementation? https://advisera.com/9001academy/17/use-gap-analysis-iso-9001-implementation/