
  • Updating internal audit checklist to ISO 9001:2015


    Because the clauses have changed, I will need to change the Internal Audit questions. Can you direct me or guide me on how to create new questions for internal audits for every clause in ISO 9001:2015?

    Answer:

    The clause numbers are not the only thing that changed; basically every clause and every requirement suffered at least some small change, so the internal audit checklist should be updated to reflect all these changes.

    Depending on how your existing checklist looks, you will need to take the ISO 9001:2015 text, identify all requirements in it, and then insert them in the checklist. A lot of the existing questions in the checklist will remain, but a lot of them will also need to be changed or added. You will need to exclude some of the questions, for example regarding some no longer mandatory documents, the management representative, etc., and add some new ones regarding the context of the organization, risks and opportunities, etc.

    All this can be a big effort and time-consuming, just to make a checklist. I would suggest that you take a look at the free preview of our ISO 9001:2015 Internal Audit Checklist because it can really save you a lot of time and effort; you can find it at this link: https://advisera.com/9001academy/documentation/internal-audit-checklist/

    Here are also some articles that might be interesting to you:
    - ISO 9001 Audit Checklist https://advisera.com/9001academy/knowledgebase/iso-9001-audit-checklist/
    - Writing an Audit Checklist for ISO 9001 Processes https://advisera.com/9001academy/blog/2014/11/25/writing-audit-checklist-iso-9001-processes/
    - How to create a check list for an ISO 9001 internal audit for your QMS https://advisera.com/9001academy/blog/2016/07/12/how-to-create-a-check-list-for-an-iso-9001-internal-audit-for-your-qms/
  • Is Asset register required?


    Answer: If I understood the question correctly, you're asking if an Asset register is required - the answer is no, ISO 27001 does not require you to have such a register.

    ISO 27001 covers this topic under control A.8.1.1 Inventory of assets - since this is a non-mandatory control, you can choose whether to apply it or not. The most common reasons for applying this control are the following:
    a) You want to use the asset register for performing the risk assessment - see this article for details: How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
    b) You want to decrease some risks that you identified during the risk assessment - see this article: The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    c) There is a legal or regulatory requirement for you to have such a register.

    This article may also help you: How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
  • Delay in implementing the controls

    Yes, it is acceptable, but you need to have a really good reason - shifting the dates without any justification will bring you trouble with the certification auditor.
  • How to treat suppliers that are ISO 27001 certified


    Answer: The fact that they are ISO 27001 certified doesn't change their status towards you - so yes, you have to treat them as suppliers. To understand the details on how to handle suppliers, please read this article: 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

    My second question is that, as we are a new and small company, we do not have any IT department, so we (personally) manage our IT equipment. Will this cause us problems in our certification?

    Answer: No, your size and the fact that you are managing your IT equipment won't cause any problems at the certification, as long as you comply with your policies and procedures.

    Is it better to have a dedicated IT department or have someone who manages our IT?

    Answer: I'm not sure if I understood your question correctly - if you meant whether it is better to have your own IT department or to outsource the IT function, this is primarily a business issue (what is more profitable) and a skill issue (does your IT equipment require some special skills that might not be easy to find in the market).

    Or can we just put encryption / passwords / administration rights to particular systems to get round this??

    Answer: Managing security is not only about encryption, passwords and administration rights - the best thing for you would be to go through this free online training to learn all that is important for security management: ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • How to treat an ISMS document that is due for review

    Thank you so much for this answer. It is exactly what I was looking for. In my case, I will record it by listing all the docs due for review in our ticket management system and simply comment next to each one. In the case of docs not requiring change, I will just say "Reviewed but no changes were necessary. It will however be reviewed again next year 201x".
  • Asset value


    Answer:
    There is no universal way to calculate the asset value, but a common way is to select the highest value from the 3 parameters (in your case 5); another way is to sum the 3 parameters (so in this case you can have the value 15). If you want to know my opinion, for me it is easier if you select the highest value (5).

    Anyway, for the risk management, it is not mandatory to use the asset value, so if you want an easy way you can use simply the impact value.

    This article can help you “How to assess consequences and likelihood in ISO 27001 risk analysis” : https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment

    And also this article “How to write ISO 27001 risk assessment methodology” : https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/

    And also our online course, because we give more information about the evaluation of assets: “ISO 27001:2013 Foundations Course” https://advisera.com/training/iso-27001-foundations-course/
  • Documenting the information security objectives


    Answer:

    ISO 27001 is pretty flexible when it comes to documenting your security objectives - you can write them in your Information Security Policy, in the Statement of Applicability, or in some separate document.

    When using our ISO 27001 Documentation Toolkit, you can document the general ISMS objectives in the Information Security Policy, and specific objectives for controls (or groups of controls) in the Statement of Applicability.

    This article will also help you: ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/

    In this free online training you'll find detailed guidance on setting the objectives: ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Focus the ISMS scope


    Answer:
    I am sorry, but I am not sure what you mean; you can define the scope of the ISMS by limiting it to only the IT department. Another way is to define the scope for the whole organization, and generally that is our recommendation. For more information about the definition of the scope, please read this article “How to define the ISMS scope” : https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

    If you limit the ISMS scope to your IT department only, you will have to treat the other departments in your company as third parties, and this is why creating such a scope is difficult.

    This article can be also interesting for you “Problems with defining the scope in ISO 27001” : https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    And our online course can also be interesting for you because we give more information about how to define the ISMS scope: “ISO 27001:2013 Foundations Course” https://advisera.com/training/iso-27001-foundations-course/
  • Contents of Internal audit program

    In case you are planning a single audit to cover all the ISMS scope at once, these references you defined are sufficient.

    In case you are planning to perform multiple audits to cover small parts of the scope each time (e.g., IT processes audit, HR processes, etc.), then you need to be more specific about which criteria you will use. For example, in the case of auditing HR processes, most probably controls from section A.14 System acquisition, development and maintenance won’t be part of your checklist, while controls from section A.7 Human resource security will take more space in your checklist.

    This article will provide you a further explanation about building an audit checklist:

    These materials will also help you regarding building the audit program:

  • Clarifications reg GAP Analysis.

    ISO 27001 does not require you to perform the Gap Analysis prior to the start of the project; you should perform a kind of shortened version of Gap Analysis while writing your Statement of Applicability.

    These materials will help you:
    - article ISO 27001 gap analysis vs. risk assessment https://advisera.com/27001academy/knowledgebase/iso-27001-gap-analysis-vs-risk-assessment/
    - article The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
    - free ISO 27001 Gap Analysis Tool: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/