Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11268 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
¿Qué evalua ISO 27001 e ISO 22301?
Respuesta:
Si tu pregunta está relacionada con la auditoría de certificación, los auditores revisarán el cumplimiento de todos los requerimientos de la ISO 27001 o de la ISO 22301 en tu organización (teniendo en cuenta el alcance de tu sistema, lo cual significa que sólo se revisarán los procesos, áreas, departamentos, etc. involucrados en el alcance).
Este artículo te puede resultar interesante "17 steps for implementing ISO 22301" : https://advisera.com/27001academy/knowledgebase/17-steps-for-implementing-iso-22301/22301/iso-22301/
Y también este otro "ISO 27001 implementation checklist" : https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
Y también este "Lista de documentos obligatorios exigidos por la norma ISO 27001 (revisión 2013)" : https://advisera.com/27001academy/es/blog/2015/05/04/lista-de-documentos-obligatorios-exigidos-por-la-norma-iso-27001-revision-2013/
Con respecto a las entidades certificadoras, en Perú es fácil encontrar entidades que certifiquen ISO 27001 e ISO 22301, porque hay muchas empresas certificadas (por ejemplo las administraciones públicas), por tanto este artículo te puede resultar interesante "How to choose a certification body" : https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
Finalmente, estos materiales también te pueden ayudar a conocer mejor la ISO 27001, como se implementa, y qué esperar de la auditoría de certificación:
- free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
- book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/ -
Is internal audit mandatory?
Answer:
"Stage 1 audit" is normally part of the certification audit, this should not be confused with the internal audit.
Internal audit is mandatory according to ISO 27001, but in fact it is rather similar to self-assessment - you have to make sure you comply with all the rules (policies, procedures and plans) you have written. You can easily train an internal auditor using this free online training: ISO 27001 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/ -
Tasks for an information security consultant
Answer:
I am sorry but I am not sure if I have understood your question 100%, but generally tasks for the information security consultant mainly are the development of the documentation for the ISMS, and also, he can give support to technical profiles for the implementation of the documentation in the organization.
Anyway, in some companies the information security consultant can be also the CISO (role that usually manages the ISMS in the organization), so this article can be interesting for you “What is the job of Chief Information Security Officer (CISO) in ISO 27001?” : https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
This article can be also interesting for you “Roles and responsibilities of top management in ISO 27001 and ISO 22301” : https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-2 2301/
And also this one "3 phases of delivering an ISO 27001/ISO 22301 consulting job" : https://advisera.com/27001academy/blog/2015/09/28/3-phases-of-delivering-an-iso-27001iso-22301-consulting-job/
Finally, these materials will help you to understand better the roles and responsibilities in an ISMS:
- free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
- book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/ -
Fixing nonconformities before the certification audit
I've received further question:
> You say that we can plan to implement some of the controls after the externa audit. Sorry, but it's still a bit confusing to me. Maybe better with an example. A.12.1.4 says: Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment. Can this be implemented after the audit? If yes, how can the auditor verify that we are going to implement it? How can we know what controls can be implemented after, and what controls have to be implemented before the certification audit?
Answer:
Although this is not very popular, you can leave some of the less important controls for the implementation after the certification. There is no hard rule for this, but if you have controls that are not related to major risks, then you can leave them for later, and explain that you were not able to implement those because of time and budget restraints.
You have to make this planning very clear through the Risk treatment plan, and your risk owners need to accept the risks while those controls are not implemented.
The certification auditor will check whether you implemented those controls during the surveillance visits - see this article: Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/ -
When will ISO 45001 start to apply
Answer:
ISO 45001 is currently in DIS (Draft International Standard) stage and the final draft (FDIS) will be published in September 2017, while approval and publication of the ISO 45001 is expected in December 2017. There were some complications with the text of the standard so the deadline for publication is prolonged.
Currently, no one can provide e-learning or any other information simply because none of the information about the requirements are official and basically no one knows hoe the standard will look like. Once the FDIS version of the standard is published we will know exact requirements of the standard and then it will be possible to create e-leaning course which we will certainly do. At this moment you can see our free online courses for ISO 9001, ISO 14001 and ISO 27001, they are all available here https://advisera.com/training/ and are made according to the latest versions of the standards. -
ISO 27001 training & awareness
Thank You! -
Auditing design and development
Answer:
The design and development process is audited in a same way as any other process. You need to identify first all requirements of the standard, you can also create a checklist just to make sure you don't miss anything. For more information, see: Writing an Audit Checklist for ISO 9001 Processes https://advisera.com/9001academy/blog/2014/11/25/writing-audit-checklist-iso-9001-processes/
Once you determine all requirements of the standard, you need to examine your design and development process and determine whether it is compliant with the standard or not. For more information, see: The ISO 9001 Design Process Explained https://advisera.com/9001academy/blog/2013/11/05/iso-9001-design-process-explained/
For more information about internal audit process, see:
- How to create a check list for an ISO 9001 internal audit for your QMS https://advisera.com/9001academy/blog/2016/07/12/how-to-create-a-check-list-for-an-iso-9001-internal-audit-for-your-qms/
- Five Main Steps in ISO 9001 Internal Audit https://advisera.com/9001academy/knowledgebase/five-main-steps-in-iso-9001-internal-audit/
And we also have free ISO 9001:2015 Internal Auditor online course available here https://advisera.com/training/iso-9001-internal-auditor-course/ -
Certified Implementer ISO 27001
Answer:
Basically to initiate your career you need courses and basic information about these standards, and our site is the best place for this, because we give many free resources.
For example, we have this course that can help you to learn basic principles about ISO 27001 “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
Our learning center can be also very interesting for you “What is ISO 27001” : https://advisera.com/27001academy/what-is-iso-27001/, "ISO 22301 Basics" : https://advisera.com/27001academy/what-is-iso-22301/
These material can be also interesting for you:
- Our free downloads section https://advisera.com/27001academy/free-downloads/
- Our free webinars : https://advisera.com/27001academy/webinars/
- Article about how to become consultant “How to become an ISO 27001 / ISO 22301 consultant" : https://advisera.com/27001academy/blog/2014/07/21/how-to-become-an-iso-27001-iso-22301 -consultant/
- Article about Lead Implementer Course “Lead Auditor Course vs. Lead Implementer Course - Which one to go for?” : https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/
Finally, our ebook can be also very interesting for you: book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/ -
ISO 9001 scope and clause exclusions
We do not have a formal procedure written for design work BUT we have a gateway for products we produce
this, to us, means that we regard our Operations as the customer of design. Our Operations ensures that the design is correct to achieve the end product through operations....
Can we then state that the scope of our ISO 9001 certification application is our Operations only?
We have procedures which control the drawings and Bills of Material that are used to make our products
Scope of the Quality Management System.... I need to know what to include in the scope and how to write what we exclude
Answer:
If your company does not conduct design and development of products, you can exclude clause 8.3 of ISO 9001:2015. Reviewing your customer design prior to production is part of clause 8.2.3 Review of requirements related to products and services so they are not di smissed once the clause 8.3 Design and development of product and services is excluded.
In the document about scope of QMS or in Quality Manual, you can write that clause 8.3 is not applicable to your business because you do not conduct design and development and this will be enough.
For more information, see:
- How to define the scope of the QMS according to ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
- What clauses can be excluded in ISO 9001:2015? https://advisera.com/9001academy/blog/2015/07/07/what-clauses-can-be-excluded-in-iso-90012015/2015/ -
Storing too many documents
Answer:
The standards does not usually prescribe how long you need to keep the outdated documents and records, they only require organization to define retention and disposition of the documents. Usuall practice is to keep the documents and records for three years but this period can be shorter or longer.
For more information, see:
- New approach to document and record control in ISO 9001:2015 https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/