Answer: Yes. In a general manner, to determine the time needed for each step individually you need to:
1 - Identify which result you have to deliver (e.g., information security policy)
2 - Identify which tasks are required to produce that result (e.g., interview top management, elaborate a policy draft, submit the draft for evaluation, update the draft if needed, approve the final version, etc.)
3 - Identify how much time you need to perform each task
4 - Identify the sequence in which the tasks should be executed
After the sequencing you only have to sum the times of the longest sequence to know how much time you will spend to achieve that result. Of course this is a great simplification of the method, but for small and medium implementations it works well.
When you consider all the steps as a whole, you can roughly consider that the steps before the risk management will take you ca 10% of the time, risk assessment ca 30% of the time, implementation of controls ca 50% of the time, and final activities (internal audit, management review, corrective actions) ca 10% of the time.
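The estimation method above (list the tasks for a deliverable, give each a duration and its prerequisites, then sum the longest chain) is a critical-path calculation. The following is an added example, not code from the original answer: the task graph for the "information security policy" deliverable and its durations are constructed for illustration, and the phase shares used in `phase_durations` are the rough percentages quoted in the answer.

```python
"""Critical-path estimate for an ISMS deliverable (added example).

The task names, durations and dependencies below are constructed for
illustration; they are not the original answer's figures.
"""
from collections import deque

# Constructed task graph for the deliverable "information security policy":
# task name -> (duration in working days, list of prerequisite task names)
POLICY_TASKS = {
    "interview_top_management": (3, []),
    "collect_existing_documents": (2, []),
    "elaborate_policy_draft": (5, ["interview_top_management",
                                   "collect_existing_documents"]),
    "submit_draft_for_evaluation": (1, ["elaborate_policy_draft"]),
    "update_draft": (2, ["submit_draft_for_evaluation"]),
    "approve_final_version": (1, ["update_draft"]),
}

# Rough split of the whole project quoted in the answer (10/30/50/10 %).
PHASE_SHARE = {
    "preparation": 0.10,
    "risk_assessment": 0.30,
    "controls_implementation": 0.50,
    "final_activities": 0.10,
}


def critical_path(tasks):
    """Return (total_duration, path) for the longest dependency chain.

    tasks: {name: (duration, [prerequisite names])}.
    Raises ValueError on an unknown prerequisite or a dependency cycle,
    both of which would otherwise silently corrupt the estimate.
    """
    for name, (_, deps) in tasks.items():
        for d in deps:
            if d not in tasks:
                raise ValueError(f"{name!r} depends on unknown task {d!r}")

    # Kahn's algorithm gives a topological order and detects cycles.
    indegree = {n: len(deps) for n, (_, deps) in tasks.items()}
    successors = {n: [] for n in tasks}
    for n, (_, deps) in tasks.items():
        for d in deps:
            successors[d].append(n)
    queue = deque(n for n, k in indegree.items() if k == 0)
    order = []
    while queue:
        n = queue.popleft()
        order.append(n)
        for s in successors[n]:
            indegree[s] -= 1
            if indegree[s] == 0:
                queue.append(s)
    if len(order) != len(tasks):
        raise ValueError("task graph contains a cycle")

    # Earliest finish of a task = its duration + latest finish of its prerequisites.
    finish, pred = {}, {}
    for n in order:
        dur, deps = tasks[n]
        if deps:
            slowest = max(deps, key=lambda d: finish[d])
            finish[n] = finish[slowest] + dur
            pred[n] = slowest
        else:
            finish[n] = dur
            pred[n] = None

    # Walk back from the task that finishes last to recover the critical path.
    end = max(finish, key=finish.get)
    path = []
    while end is not None:
        path.append(end)
        end = pred[end]
    path.reverse()
    return finish[path[-1]], path


def phase_durations(total_months, shares=PHASE_SHARE):
    """Split a total project duration by the rough phase shares."""
    return {phase: round(total_months * share, 1) for phase, share in shares.items()}


if __name__ == "__main__":
    days, path = critical_path(POLICY_TASKS)
    print(f"policy deliverable: {days} working days via {' -> '.join(path)}")
    print(phase_durations(10))
```

Tasks with no dependency on each other (here the interviews and the document collection) run in parallel and only the slower one counts, which is why summing every task's duration would overestimate the deliverable.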
There is no one kind of evidence that can be universal for every requirement. In some cases the objective evidence can be a report or a record, in other cases the readings from the monitoring or measuring equipment, and even reports from an independent third party.
Software development is considered as production, but it can go either way. For example, if they develop the software by themselves and sell it to their customers as a product, then it is considered as production. In the case when the software developing organization is only conducting the programming while the idea for the software, the code and the software itself are the property of the customer, the software company is only providing the service of programming. Although it is important to define whether the company is delivering a product or a service, it doesn't change much since the same requirements of the standard need to be met.
(I used the calculator and got: Estimated number of months required for implementation: 10 - However, we would like to know from your experience how much time is estimated for each phase and so we can put together the project plan and give an estimated date to top management.)
Answer: Considering the 10 month period you estimated, a good estimate of the phase durations is:
Months 1-2: Project planning and elaboration of basic management system documentation (e.g., ISMS scope, information security policy, procedure for documentation control, procedure for internal audit, procedure for risk assessment and treatment, etc.)
Months 2-3: Carrying out the risk assessment and risk treatment plan elaboration
Month 4: Information security policies and procedures elaboration
Months 5-8: Implementation, operation and evaluation of policies and procedures (at this point some corrective actions may be required)
Month 9: Internal audit and management review
Month 10: Treatment of internal audit nonconformities and management review decisions
ISO 14001 states that you need to apply controls to the level possible, so in the case you mentioned you can print instructions for the product's disposal so your customers can dispose of it properly. You can state the user's manual as an operational control for this life-cycle stage.
Answer: Since ISO 27001:2005 was withdrawn on October 1st, 2015, any certifications against this version of the standard are no longer valid from that date forward. So, unfortunately, your certification is no longer valid.
1 - Being a non-technical person, is it possible for a person to become an ISO 27001:2013 auditor?
Answer: Yes. ISO 27001's main focus is management practices (e.g., planning, performance evaluation, etc.), so it does not require deeper technical knowledge to perform an audit, only knowledge of basic concepts (e.g., identification, authentication and authorization for access controls).
2 - Is any prior experience required in order to become an auditor?
Answer: To become an internal auditor no prior experience is required, but if you desire to become a lead auditor it's a good thing to have some previous experience in auditing, and if you aim to become a certification auditor, you will definitely have to demonstrate audit experience.
3 - Where to start from?
Answer: You can start with an internal auditor course to learn the basics of performing an ISO 27001 audit, or go right to a lead auditor course if you want to go deeper and learn about planning audit programs and plans.
Alternatively please provide me with all the exclusion clauses in order to study them and see which one is applicable to our company.
Answer:
I assume you are asking about ISO 9001:2008, because ISO 9001:2015 doesn't have clause 7.6. If you want to exclude clause 7.6 Control of monitoring and measuring equipment, you need to provide justification for the exclusion, and that can be that your company doesn't use monitoring and measuring equipment in its processes. In the 2008 version of the standard you can exclude practically any requirement from clause 7; here are some suggestions:
- 7.3 Design and development
- 7.5.2 Validation of processes for production and service provision
- 7.5.3 Identification and traceability
- 7.5.4 Customer property
In order to calculate likelihood or severity, you need to determine the criteria for them. This means that you need to define the scale and explain how each value is assigned. For example, for likelihood you can have a scale from 1 to 5 where 1 is the least likely and 5 is the most. Value 1 will represent the occurrence of the event once in ten years and 5 will be for daily occurrence, and of course you need to define all the values in between.
Another very important point regarding hazards in OHSAS 18001 is that you can rely on the hazard evaluation or assessment conducted by some authorized organization. In many countries companies are obliged by law to assess workplace hazards, and you can refer to this assessment if your company has already performed it.