Answer: The point is not whether these providers are ISO 27001 certified or not; the point is whether they comply fully with the security clauses that are part of the contract they have signed with you.
The evidence about this you can get in a couple of ways:
- They can send you reports
- You can send your auditor to their company
- You can send a third-party auditor to their company to check whether they are compliant with the contract
Answer: To justify an implemented control that does not have identified risks on the Risk Assessment that can be related to it, the most suitable justification on the Statement of Applicability would be, as you thought, the original reason that justified the control implementation, something like "control implemented as a requirement of interested parties", or "control considered common sense / normal operating procedure in our industry".
There are no environmental aspects that will emerge in every warehouse. The aspects will depend mostly on the materials being stored and the way they are stored. For example, if you are storing oils, the environmental aspect will be oil and the impact will be on soil and water, so you will need to implement operational controls to prevent oil spillage by defining what kind of barrels will be used for storage, how much they will be filled, how they will be arranged in the warehouse, etc.
The most important thing is that you have identified and evaluated environmental aspects. For those aspects that you determined as significant, you need to establish operational controls. The controls can be:
- administrative - meaning that you need to place signs or to develop work instructions or procedures,
- engineering - meaning that you will introduce some new technology or change your processes to decrease impact on the environment.
Examples of operational controls are work instructions for waste disposal or installation of filters to decrease the emission of polluting gases.
There is no prescribed methodology for developing documentation; different people have different approaches. The documentation itself is not the only factor for compliance with the standard; it is only a tool for achieving compliance and avoiding nonconformities.
The most important thing is to understand the requirements of the standard and develop a set of activities and processes to meet those requirements; then you need to document them through procedures in order to avoid nonconformances. Records and forms are then used to demonstrate that the procedures are being followed.
Language requirements for an ISO 27001 certification
Answer: Yes, references and/or evidence in multiple languages are acceptable for the final ISO 27001 certification audit, but you should inform the certification body of this fact when arranging the certification audit. In the audit, it is certain that the certification auditor will seek evidence that people who use this documented information to carry out their activities have the necessary fluency in the languages involved (e.g. lawyers evaluating contracts, buyers evaluating suppliers' proposals, etc.), so be prepared for that.
If you plan the audit this way, you won't be auditing the entire scope of the QMS over the course of one year; it would be much better if you define your plan like this:
1st location in March
2nd location in June
3rd location in September
Yes, it is recommended to audit the entire scope of the QMS during the year. The aspects you mentioned influence the frequency of the audit, meaning that some locations can be audited more frequently if they have a greater number of nonconformities or if they have more complex or crucial processes.
Assets valuation and the information classification policy
Answer: I assume you are referring to how to valuate an asset, considering the information it handles. A direct answer would be to use the results of the risk assessment, i.e. the higher the impact you identified for a particular asset, the higher the level of classification you should use.
The best way to start with the implementation is to get familiar with the requirements of the standard first and then to conduct a GAP analysis to determine to what level your company is already compliant with the standard and what needs to be done to achieve full compliance. Here you can find our free GAP Analysis tool: https://advisera.com/18001academy/ohsas-18001-gap-analysis-tool/