
  • Policies and procedures development


    I mean, at this initial stage, without having gone through all the documents in detail, how can I identify which documents would need direct involvement and input from the other departments in the scope? That way I could fill in those policies and procedures first and dispatch them to the relevant departments in scope, so that they could start sending me their inputs (i.e., asset lists, etc.).

    Answer:
    By reading section one of each document (Purpose, scope and users) you can see whom to ask for information. For example, for the Backup Policy (and other templates addressing information technology) you will need to ask the IT department; for the Supplier Security Policy, you should ask your Procurement department.

    By the way, in the video tutorials that come with the toolkit, you will see practical examples of who should provide input for policies and procedures.
  • Justification for SoA


    Answer: Considering the information systems life cycle, the introduction of new technologies into an already existing environment is part of the maintenance step. So, to justify the adoption of security practices to minimize risks such as poor systems compatibility (new systems working together with old ones) and lack of portability (migration of functionalities from old platforms/solutions to new ones), you could use "process requirement" as the justification.
  • Annex A18 controls in the documentation toolkit


    Answer: This A.18.2.1 control is covered in the toolkit by the Internal Audit Procedure, which defines that internal auditors must be selected in such a way as to ensure objectivity and impartiality, i.e. to avoid conflicts of interest, because auditors are not allowed to audit their own work.
  • Annex A5 controls in the documentation toolkit


    We only have from 6 onwards, or can we use the one in the following folder: __ISO_27001_ISO_22301_Premium_Toolkit_EN4_Information_Security_Policy?

    Answer: Your understanding is correct. The reference for the security requirements summary and the recommendations from the controls listed in section A.5 of ISO 27001:2013 Annex A are included in the Information Security Policy, so by implementing this policy template you will be compliant with these entries.
    You should also note that the controls in section A.5 are covered not only by the Information Security Policy, but also by all other policies in the toolkit.
  • OHSAS SMART objectives


    Answer:

    Writing SMART objectives means writing Specific, Measurable, Agreed upon, Realistic and Timed objectives. Having such objectives will help the organization evaluate the level of achievement of the objectives. In order to write such objectives, you must relate them to every process, and this can be done by identifying some parameter of the process that will give you information on whether the process performed as it should. Such parameters are usually called key performance indicators.

    For more information about the objectives, see: How to define OHSAS 18001 objectives and programs https://advisera.com/18001academy/blog/2015/11/11/how-to-define-ohsas-18001-objectives-and-programs/
  • ISO 9001:2015 and health care organization


    1. Do we need to identify and define risks in all the core and support processes?

    The organization must identify and address risks and opportunities not only in the core processes but also all risks and opportunities emerging from context of the organization. For more information, see: How to address risks and opportunities in ISO 9001 https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/

    2. Does the documentation for ISO require a tier system like manuals, policies, procedures, records?

    The standard explicitly requires only documents such as the Quality Policy and Quality Objectives; other than that, it basically requires only records. But besides the mandatory documents there should be other documents that the company determines as necessary for running its QMS. For more information, see: List of mandatory documents required by ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/

    3. For a home healthcare company like ours, the core processes would be mostly clinical in nature, so do we need to write SOPs for all the clinical protocols, or could we have generic documents on common processes?

    No, there is no requirement to document every process and every activity; you should document only those where there is a chance of nonconformities. For more information, see: Deciding Which Procedures to Document in QMS https://advisera.com/9001academy/blog/2013/11/26/deciding-procedures-document-qms/
  • Which clauses must be covered with particular documents?


    What is needed for ISO 27001 certification?

    Answer:

    The article you are referencing lists the minimum documents you need to have. However, in most cases you will need to implement some other documents as well, because this will be required by the situation in your company. Here's the article that will help you with such decisions: 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/

    We have written our policies and procedures in such a way that makes it easy for you to delete any part of them. When you read, for example, the template for the Acceptable Use Policy, you will find comments saying e.g. "Delete this section if you marked control xyz as inapplicable". This means you have to assess whether a particular control is needed for you, and if not, you can simply delete the part of the document that describes it.

    This article will help you with understanding the logic of when you can mark a control as applicable or not: The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    This article you might also find useful: How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/

    These materials will also help you regarding selection of controls and documenting them:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - Conformio (online ISO 27001 tool) https://advisera.com/conformio/
  • Risk assessment


    Answer: If you already have controls implemented, you should consider the totals of likelihood and consequence after their implementation, so that your risk assessment table reflects the current situation of your environment. The existing controls should be included in the "Existing Controls" column.

    These articles will provide you further explanation about risk assessment:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment

    These materials will also help you regarding risk assessment:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - Free webinar The basics of risk assessment and treatment according to ISO 27001 https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Toolkit support


    Answer: The classification of each document will depend on the information the organization includes to complete the document. In general, documents with process results (planned or achieved), formulas, drawings, instructions and other elements that give your organization a competitive advantage should be considered restricted. Policies in general should be considered internal, since many people inside your organization will need to access them. The Quality Policy is an example of a document you should consider public, since people inside and outside the organization may have access to it.

    This material will also help you regarding information classification:
    - Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/

    2) I would also like to know how many documents are needed related to business continuity. I can see only Backup_Policy_Cloud_EN and Disaster_Recovery_Plan_27001_Cloud_EN. Do we need a backup procedure/backup plan and backup logs?

    Answer: To be compliant with ISO 27001 business continuity requirements, you need only the disaster recovery plan, considering the recovery of IT infrastructure/services. If you consider that your organization needs to cover other business processes or all the steps in business continuity management, I recommend you check out the ISO 22301 Documentation Toolkit.

    Regarding the backup, you can include the information describing the backup plan and how to perform the procedure in the policy document itself (see comments in section 3.1) or decide to create a separate document, whichever suits you best. As for backup logs, you need to generate and manage them as evidence that your backup process is being performed and achieving its proposed results. The log generation will depend upon the process you use in your organization (e.g., performed manually by your staff or automatically by a specific tool).

    These materials will also help you regarding documentation elaboration:
    - Seven steps for implementing policies and procedures https://advisera.com/27001academy/knowledgebase/seven-steps-for-implementing-policies-and-procedures//
    - 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/

    3) I also didn't find controls for A.18 Compliance.

    Answer: If you consult the list of documents in your ISO 27001, 27017 and 27018 Documentation Toolkit, it will show you which documents support each control of ISO 27001 Annex A. In the case of the A.18 controls, the documents are "Procedure for Identification of Requirements", "List of Legal, Regulatory, Contractual and Other Requirements", "Policy for Data Privacy in the Cloud", "Acceptable Use Policy", and "Policy on the Use of Cryptographic Controls".
  • Lack of resources for Change implementation


    Answer:
    Changes are assessed, evaluated and authorized prior to implementation. After that comes implementation planning, e.g. who (resources) and when (time plan). So, this is the first moment when you can influence which resources will be dedicated to which change. Later on, once a change is ready for deployment, you still have time to manage, i.e. prioritize, the implementation and its schedule. It is important to manage change implementation right from the creation of the RfC (Request for Change). Read the article "ITIL/ISO 20000 Request for Change – Your steering wheel throughout the change lifecycle" https://advisera.com/20000academy/blog/2015/09/01/itiliso-20000-request-for-change-your-steering-wheel-throughout-the-change-lifecycle/ to learn more.