
  • The transition is not that easy

    I am working now on interested parties and trying to get to the context of the organization, but I need some guidance. Since our audits have been so good, everyone in the company feels that the transition is simple and we don't need much guidance; as a result, we have done pretty much nothing. I am afraid that time is passing and we have not accomplished much.

    Answer:

    Since you have a good system in your company, the transition can go smoothly, but it doesn't mean that it won't require effort, especially because you are doing it by yourself. Identification of interested parties is a good way to start defining the context of the organization; however, it will require other aspects of the context to be defined, and this can't be done without the engagement of top management. Defining the context of the organization is now one of the most important steps because it will influence the way you identify risks and opportunities and also other parts of your system, so it is crucial to engage all relevant roles in the company to define the context correctly and with a sufficient level of detail. For more information, see How to identify the context of the organization in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/

    Also, this article might be helpful to you during planning of the transition: How to make the transition from ISO 9001:2008 revision to the 2015 revision https://advisera.com/9001academy/blog/2015/10/06/how-to-make-the-transition-from-iso-90012008-revision-to-the-2015-revision/
  • Improvement and continual improvement

    Thank you, M. Strahinja, for your answer :)
  • A.7.2.3 Disciplinary process


    Answer: A disciplinary process can take many forms - from a verbal warning or written warning, to a decrease in salary, all the way to cancelling the employment contract. The appropriate option should be chosen based on the severity of the incident an employee has caused.

    We do not have a template that is focused on disciplinary actions, but they are briefly mentioned in these documents:
    - Incident management procedure: https://advisera.com/27001academy/documentation/incident-management-procedure/
    - Statement of acceptance of ISMS documents: https://advisera.com/27001academy/documentation/statement-of-acceptance-of-isms-documents/
  • QMS and ISMS


    2. Can the MR of the QMS also act as MR for the ISMS? Or should only a software professional be appointed as MR?

    3. We have a procedure for data and document control for the QMS. Can this be amended to include soft copy data / information and used for the ISMS?

    Answers:
    1.- It is not mandatory; I mean, not only a software professional can be trained as an auditor. This article can be interesting for you: “Qualifications for an ISO 27001 Internal Auditor” : https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/

    2.- From my point of view, an MR (Management Representative) is a fundamental part of a QMS and of an ISMS, and this profile is necessary for both systems, but it is not necessary that they have a specific profile like a software professional (remember that ISO 27001 is about information security, so it covers many areas: IT, HR, compliance, etc.). So, yes, the MR of the QMS can act as MR for the ISMS.

    3.- For me, data/document control and soft copy data/information are completely different things (I suppose that by soft copy data/information you mean the software to copy data/information, which in the context of ISO 27001 is backup software), so from my point of view it is better if you separate their procedures into different documents, although it is only my point of view, and there is no problem if you decide to integrate both in a single document.

    By the way, our online internal auditor course may be interesting for you if you want to become an internal auditor: “ISO 27001:2013 Internal Auditor Course” : https://advisera.com/training/iso-27001-internal-auditor-course/
  • Learning about audit aspects and methodologies


    Answer:
    If you want to learn about the aspects and methodologies for performing an internal audit, you can take our online course, which will give you all the information needed to carry out an internal audit (although the course is currently in English): “ISO 27001:2013 Internal Auditor Course” : https://advisera.com/training/iso-27001-internal-auditor-course/

    By the way, you can also develop your own checklist for performing an audit, so this article may also be interesting for you: “How to make an Internal Audit checklist for ISO 27001 / ISO 22301” : https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
  • Security organizations and security roles


    Answer: This is not entirely true - you have to build an Information Security Management System, the term "Security organization" is not mentioned in the standard. See this article: What is an Information Security Management System (ISMS) according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/23/information-security-management-system-isms-according-iso-27001/

    How important are the roles? For example, can a person's title be “Network Engineer” and their role be information security officer? Is this understanding correct: the organization should have security roles reflected as HR titles as well?

    Answer: It is very important to clearly define roles and responsibilities - in smaller companies it does make sense to give a role of information security management to an employee who will perform this role together with his other regular duties. The standard doesn't require this, but you can give a title to this security role - e.g. Chief Information Security Officer, Information Security Officer, Security Manager, or similar.

    See also these articles:
    - Chief Information Security Officer (CISO) – where does he belong in an org chart? https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/
    - What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
  • Combining Quality Policy and Information Security Policy


    Answer: Both ISO 27001 and ISO 9001 allow you to merge these policies into a single document; however, I wouldn't recommend that. These policies have a different purpose and a different focus, so I don't think it would be a good idea to merge them.

    On the other hand, you should combine many other documents between your ISMS and QMS - see this article: Using ISO 9001 for implementing ISO 27001 https://advisera.com/27001academy/blog/2010/03/08/using-iso-9001-for-implementing-iso-27001/
  • Determining the context and risks and opportunities step by step


    Answer:

    The first step is to determine all internal and external issues relevant to your organization, your products and services and your customer satisfaction. This can be done in a meeting with all relevant roles in your company. You also must decide what you want to document regarding the context, and how. My advice is to establish a procedure for determining the context, because in this way it will be much easier for you to identify all elements of the context that need to be discussed. For more information, see How to identify the context of the organization in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/

    The next step is to decide what methodology to use for identifying and evaluating risks and opportunities; you can go with a simple methodology for small companies and simple processes, or you can choose a more comprehensive methodology, depending on the size of your company and the complexity of your processes. For more information, see Methodology for ISO 9001 Risk Analysis https://advisera.com/9001academy/blog/2015/09/01/methodology-for-iso-9001-risk-analysis/

    Then you need to identify key risks and opportunities and make plans for actions to address them; making plans includes defining deadlines, resources and responsible persons.

    The last step is to evaluate the effectiveness of the actions, and this is usually done during the management review.
  • Options for surveillance audit and customer focus

    Our organisation is in its second surveillance term and we are being audited in September. My question is: are we going to be audited on the old ISO 9001:2008 quality management system or on the new ISO 9001:2015? Or would the certification body want to know how far we have implemented the new quality management system?

    Question 2:
    We are trying to wrap our minds around clause 5 Leadership; for clause 5.1.2 Customer focus I don't really understand what is needed. Can you please clarify?

    Answer:

    Question 1:
    The organization itself chooses according to which version of the standard it will be audited. You don't have to be audited according to ISO 9001:2015 until September 2018.

    Question 2:
    The requirements of clause 5.1.2 are usually met indirectly through other processes and requirements of the standard. For example, requirement 5.1.2 a) is met through the identification of interested parties and their needs and compliance, and through clause 8.2.2 Determining the requirements related to products and services. The same goes for the other requirements of this clause.
  • Acquiring competence for ISO 9001:2015


    Answer:

    The ISO organization declared that lead auditors who are certified according to ISO 9001:2008 don't have to get certified according to the 2015 revision of the standard; they can attend any type of training, internal or external, to get familiar with the new requirements.

    I suggest you take a look at our free online ISO 9001:2015 Foundations course https://advisera.com/training/iso-9001-foundations-course/