Answer: The mentioned guideline refers to ISO 27001 Annex A.15 (Supplier Relationships). You must implement controls related to your suppliers only if:
1. Your Risk Assessment identified any supplier-related risks your organization considers unacceptable.
2. Your organization decided to implement supplier controls for any other business reason not related to information security.
3. Your customers' requirements, or any legal or regulatory requirement, demand that you implement supplier controls.
If your situation is not in any of these alternatives, you do not need to implement supplier-related controls.
I recently completed an internal audit training and this is my first official audit that I will conduct. Can you please guide me on what to look at and what kind of questions I should ask?
Answer:
First you need to read the standard and understand the requirements related to the processes you are about to audit. Then you need to read all procedures and records from the processes and see if they are compliant with the requirements of the standard. Afterwards you need to formulate questions to be asked during the audit. The questions should provide you with "yes or no" answers, and each question should be related to either a requirement of the standard or an activity within the processes you are auditing. Once you have prepared the checklist and become familiar with the standard requirements and the procedures used in the processes, you are ready for the audit.
By control, I assume you think of operational control in ISO 14001. Operational Controls describe specific operations for controlling and managing the activities, processes, products, and services associated with the significant environmental aspects.
By influence, I assume you think of environmental impact. The definition of environmental impact is change to the environment, whether adverse or beneficial, wholly or partially resulting from an organization’s environmental aspects.
The best way to start the integration is to identify common requirements of those three standards and try to meet them through the same documents. This includes a big part of ISO 14001 and ISO 9001 since they now have the same structure and similar requirements. For more information, see Free webinar - How to integrate ISO 9001:2015 and ISO 14001:2015
The most important thing when defining operational control is what negative effect you want to prevent. For example, if it is an emission of polluting gases into the air, you will need to put in filters to prevent that, or if you want to prevent wrong disposal of electrical waste such as printer toners, you will sign a contract with a company that disposes of and/or recycles such waste.
The Sedex Members Ethical Trade Audit (SMETA) was developed by the Sedex Associate Auditor Group (AAG). SMETA is designed to reduce duplication of effort in ethical trade auditing, benefiting retailers, consumer brands, and their suppliers. It was developed in response to member demand for an ethical audit report format that could more easily be shared.
SMETA is not a code of conduct, a new methodology, or a certification process, but describes an audit procedure which is a compilation of good practice in ethical audit technique.
Unfortunately, we do not have any materials regarding it, since we are focused on ISO and ITIL standards.
PIR
The answer:
You noticed right: a Post Implementation Review (PIR) is a must in case of unsuccessful changes. There is no out-of-the-box solution for how to do it. That depends on, e.g.:
- company size
- type of change
- available resources, etc.
But, once you define further activities (you mentioned recommended actions) in order to make things right (i.e. change implementation) and learn the lesson, I see a few things to do:
- analysis - usually the Change Advisory Board (CAB) will do that. Make minutes and define responsibilities.
- preparation - you will need to make a new attempt. Be sure that something has changed from last time (what, well, that depends on your analysis). Define all steps you need to do, and do a trial if possible.
- implementation - when you get to this point, you'll be familiar with the new implementation. Be sure to track all activities (and have all responsibilities defined).
- review - review the new attempt. If it was a success, compare it to the unsuccessful attempt and look for the difference; that's your lesson learned.
Answer: The point is not whether these providers are ISO 27001 certified or not, the point is whether they comply fully with the security clauses that are part of the contract they have signed with you.
You can get evidence of this in a couple of ways:
- They can send you reports
- You can send your auditor to their company
- You can send a third-party auditor to their company to check whether they are compliant with the contract
Answer: To justify an implemented control that does not have any identified risks in the Risk Assessment that can be related to it, the most suitable justification in the Statement of Applicability would be, as you thought, the original reason that justified the control implementation, something like "control implemented as a requirement of interested parties", or "control considered common sense / normal operating procedure in our industry".