Search results


  • ISO standards for schools


    Answer:

    Implementation of management system standards has more or less the same workflow, but again it will depend on the standard that you want to implement. The first step is to conduct the GAP analysis to determine to what level your organization is already compliant with the standard; in the case of ISO 9001, you can use this free GAP analysis tool https://advisera.com/9001academy/iso-9001-gap-analysis-tool/

    Once you determine the gaps, you need to define what activities will be taken and what documents should be created to achieve full compliance with the standard, and this is where the implementation starts. The best way to implement the standard is to manage the implementation as a project, so you can develop a project plan for the implementation where you will define all roles and responsibilities in the project, all activities and documents, and resources and deadlines. Here you can find our free Project Plan for ISO 9001 implementation http://info.advisera.com/9001academy/free-download/project-plan-for-iso-9001-implementation-ms-word

    After the project is finished, you need to conduct an internal audit and management review to make sure that your management system is compliant with the standard, and then you can hire a certification body to conduct the certification audit and issue your organization the certificate.

    For more information about implementation and certification steps, see: Checklist of ISO 9001 implementation & certification steps https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
  • Control of ISO documents


    Answer:

    The purpose of controlling the documents is to ensure that appropriate documents are available at the place of application and are adequately protected. In order to establish document control, you need to define how the documents are created and updated, and you also need to define how the following activities should be conducted:
    - distribution, access, retrieval and use;
    - storage and preservation, including preservation of legibility;
    - control of changes (e.g. version control);
    - retention and disposition.

    Besides defining how these activities will be carried out, you also need to define roles and responsibilities within the document control process. Also, you need to identify and control documents of external origin.

    For more information about document control, see: Some Tips to make Document Control more useful for your QMS https://advisera.com/9001academy/blog/2014/05/20/tips-make-document-control-useful-qms/
  • Sensitive data back up


    Answer: Your scenario provides a reasonable justification not to back up customer sensitive data, but before going with that decision I would consider what the impact would be if, for any reason, during troubleshooting you render the data useless to proceed with the activity. One example is that you would have to ask the customer to send the data again. What would be the impact of that situation for you (e.g., for the image of the organization)?

    If you evaluate that there is no relevant impact regarding this situation, you can go fine with not doing that backup. If you consider that there may be a relevant impact, you can go for a different backup schedule, let's say something like making a single copy of the data to troubleshoot on, and keeping the original data away from the process, only for as long as the troubleshooting lasts. It's the standard procedure used by forensics investigators to work on evidence in order to preserve its integrity, which you can adapt to your availability needs.

    This article will provide you further explanation about sensitive data backup:
    - Backup policy – How to determine backup frequency https://advisera.com/27001academy/blog/2013/05/07/backup-policy-how-to-determine-backup-frequency/

    These materials will also help you regarding sensitive data backup:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • ISO 27001 Consultant effort


    1 - Would you be expected to be on site for the full 5 months? I would think this is very restrictive with regard to taking on more clients.

    Answer: It will depend upon your role in the implementation. Will you be responsible for elaborating and implementing policies and procedures, or will you provide support and orientation to your client team?

    If your situation is the first one, you will probably have to be on site once or twice a week throughout the 5-month period.

    If your role falls in the second scenario, you probably will have to be on site only a few times to verify on-site implementations and orient the implementation team. But be aware that at the beginning of the project you will spend a lot of time on site to get things running.

    2 - If you don't have to be on site for the full 5 months, on average, how many days would you be expected to be on site? Of course, I understand that this would be dependent on scope and possibly work required as part of the risk treatment plan, but I am hoping you could give guidance from experience.

    Answer: Since the project duration is only 5 months, I would recommend you to be on site for 2 or 3 days every 15 days. During this time you can verify the implemented controls, suggest and plan adjustments, prepare the team for the next phase, and most important of all, talk personally with management to report the project progress and get their feelings about the project.

    3 - If you do not have to be on site for the full 5 months, do you/have you taken on more than one implementation at once? If so, how do you manage your time? (do you use a tool (e.g. MS Project), an assistant, or possibly a simple timetable)

    Answer: The quantity of projects you can manage at the same time will depend upon your need to be on site and the distance between sites. As a personal rule, I try to keep from 2 to 4 simultaneous projects where there is a need to be on site, so that in perfect conditions I can dedicate at least one day a week to each of them. If you work remotely this quantity may be greater. And regarding remote work, I suggest you take a look at our online ISO tool, Conformio https://advisera.com/conformio/, which can help you manage your projects.

    These articles will provide you further explanation about consultant effort:
    - 3 phases of delivering an ISO 27001/ISO 22301 consulting job https://advisera.com/27001academy/blog/2015/09/28/3-phases-of-delivering-an-iso-27001iso-22301-consulting-job/
    - How to become an ISO 27001 / ISO 22301 consultant https://advisera.com/27001academy/blog/2014/07/21/how-to-become-an-iso-27001-iso-22301-consultant/

    Additionally, I suggest you take a look at our Consultant toolkit https://advisera.com/27001academy/consultants/. Besides the templates you can use to manage your consultancy projects and stakeholders, you are eligible to get continuous support from us throughout your implementation consultancies.

    These materials will also help you regarding consultant effort:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Sample results of risk assessment


    Answer: You can find examples on how to fill out the data into the Risk assessment sheet in these materials:
    - book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/ - you'll see there a couple of examples of risk assessment results
    - ISO 27001 Risk Assessment Toolkit https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/ - as part of the toolkit you'll get access to video tutorials that will show you how to fill out real risk assessment data
  • ISO 22301 as part of information security audit


    Answer: When you implement ISO 27001, it is not mandatory to implement ISO 22301 as well - consequently, during the ISO 27001 internal audit or certification audit it is not necessary to audit BCMS according to ISO 22301. However, if you implemented only ISO 27001, the auditor will have to review the business continuity implementation according to ISO 27001 controls in Annex A.17 (these controls have much smaller requirements than ISO 22301).

    If you have decided to implement both ISO 27001 and ISO 22301 (which I think is a very good thing to do), then internal audit/certification audit can be performed at the same time for both of these systems - this is called "integrated audit".

    These materials will also help you:
    - article How to use ISO 22301 for the implementation of business continuity in ISO 27001 https://advisera.com/27001academy/blog/2015/06/15/how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001/
    - webinar ISO 27001 & ISO 22301: Why is it better to implement them together? https://advisera.com/27001academy/es/webinar/iso-27001-iso-22301-why-is-it-better-to-implement-them-together-free-webinar-on-demand/
    - book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
    - book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • ISO 27001 project schedule development


    Answer: Yes. In a general manner, to determine the time needed for each step individually you need to:

    1 - Identify which result you have to deliver (e.g., information security policy)
    2 - Identify which tasks are required to produce that result (e.g., interview top management, elaborate a policy draft, submit the draft for evaluation, update the draft if needed, approve the final version, etc.)
    3 - Identify how much time you need to perform each task
    4 - Identify the sequence in which the tasks should be executed

    After the sequencing you only have to sum the times of the longest sequence to know how much time you will spend to achieve that result. Of course this is a great simplification of the method, but for small and medium implementations it works well.

    When you consider all the steps as a whole, you can roughly consider that the steps before the risk management will take you ca. 10% of the time, risk assessment ca. 30% of the time, implementation of controls ca. 50% of the time, and final activities (internal audit, management review, corrective actions) ca. 10% of the time.

    I recommend you to look at our Project checklist for ISO 27001 implementation (https://info.advisera.com/27001academy/free-download/project-checklist-for-iso-27001-implementation), which can give you some ideas about the tasks required in an ISO 27001 implementation project.

    To get an estimated duration of the whole project you can use our Duration calculator at this link: https://advisera.com/27001academy/free-tools/free-calculator-duration-of-iso-27001-iso-22301-implementation/

    These materials will also help you regarding ISO 27001 schedule development:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Objective evidence of conformity


    Answer:

    There is no one kind of evidence that can be universal for every requirement. In some cases the objective evidence can be a report or a record, in other cases the readings from the monitoring or measuring equipment, and even reports from an independent third party.

    For more information about evidencing requirements, see: Monitoring and Measurement: The basis for evidence-based decisions https://advisera.com/9001academy/blog/2020/09/21/how-to-perform-monitoring-and-measurement-according-to-iso-9001/
  • Software development: product or a service?


    Answer:

    Software development is considered as production, but it can go either way. For example, if they develop the software by themselves and sell it to their customers as a product, then it is considered as production. In the case when the software developing organization is only conducting the programming, while the idea for the software, the code and the software itself are the property of the customer, the software company is only providing the service of programming. Although it is important to define whether the company is delivering a product or a service, it doesn't change much, since the same requirements of the standard need to be met.

    Here is one article that discusses products and services and might be interesting to you: Understanding Product & Service Provision in ISO 9001 https://advisera.com/9001academy/blog/2014/10/07/understanding-product-service-provision-iso-9001/
  • ISO 27001 implementation phases


    (I used the calculator and got: Estimated number of months required for implementation: 10 - However, we would like to know from your experience how much time is estimated for each phase and so we can put together the project plan and give an estimated date to top management.)

    Answer: Considering the 10-month period you estimated, a good estimate of the phase durations is:

    Months 1-2: Project planning and elaboration of basic management system documentation (e.g., ISMS scope, information security policy, procedure for document control, procedure for internal audit, procedure for risk assessment and treatment, etc.)
    Months 2-3: Carrying out the risk assessment and elaboration of the risk treatment plan
    Month 4: Elaboration of information security policies and procedures
    Months 5-8: Implementation, operation and evaluation of policies and procedures (at this point some corrective actions may be required)
    Month 9: Internal audit and management review
    Month 10: Treatment of internal audit nonconformities and management review decisions

    These materials will also help you regarding ISO 27001 implementation:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/