2.- From my point of view, an MR (Management Representative) is a fundamental part of a QMS and of an ISMS, and this profile is necessary for both systems, but it is not necessary that it has a specific profile like a software professional (remember that ISO 27001 is about information security, so it covers many areas: IT, HR, compliance, etc.). So, yes, the MR of the QMS can act as MR for the ISMS.
3.- For me, data/document control and soft copy data/information are completely different things (I suppose that with soft copy data/information you mean the software to copy data/information, which in the context of ISO 27001 is backup software), so from my point of view it is better if you separate their procedures into different documents, although it is only my point of view, and there is no problem if you decide to integrate both in a single document.
Answer:
If you want to learn the aspects and methodologies for carrying out an internal audit, you can follow our online course, which will give you all the information needed to carry out an internal audit (although the course is currently in English): “ISO 27001:2013 Internal Auditor Course”: https://advisera.com/training/iso-27001-internal-auditor-course/
How important are the roles? For example, can a person's title be “Network Engineer” and their role be information security officer? Is this understanding correct: an organization should have security roles reflected as HR titles as well?
Answer: It is very important to clearly define roles and responsibilities - in smaller companies it does make sense to give a role of information security management to an employee who will perform this role together with his other regular duties. The standard doesn't require this, but you can give a title to this security role - e.g. Chief Information Security Officer, Information Security Officer, Security Manager, or similar.
Combining Quality Policy and Information Security Policy
Answer: Both ISO 27001 and ISO 9001 allow you to merge these policies into a single document, however I wouldn't recommend that. These policies have a different purpose and a different focus, so I don't think it would be a good idea to merge them.
Determining the context and risks and opportunities step by step
Answer:
The first step is to determine all internal and external issues relevant to your organization, your products and services, and your customer satisfaction. This can be done at a meeting with all relevant roles in your company. You also must decide what you want to document regarding the context and how. My advice is to establish a procedure for determining the context, because in this way it will be much easier for you to identify all elements of the context that need to be discussed. For more information, see How to identify the context of the organization in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
The next step is to decide what methodology to use for identifying and evaluating risks and opportunities. You can go with a simple methodology for small companies and simple processes, or you can choose a more comprehensive methodology depending on the size of your company and the complexity of your processes. For more information, see Methodology for ISO 9001 Risk Analysis https://advisera.com/9001academy/blog/2015/09/01/methodology-for-iso-9001-risk-analysis/
Then you need to identify key risks and opportunities and make plans for actions to address them; making plans includes defining deadlines, resources, and responsible persons.
The last step is to evaluate the effectiveness of the actions, and this is usually done during management review.
Options for surveillance audit and customer focus
Our organisation is in its second surveillance term, and we are being audited in September. My question is: are we going to be audited on the old ISO 9001:2008 quality management system or on the new ISO 9001:2015? Or would the certification body want to know how far we have implemented the new quality management system?
Question 2:
We are trying to wrap our minds around clause 5 Leadership; for clause 5.1.2 Customer focus I don't really understand what is needed. Can you please clarify?
Answer:
Question 1:
The organization itself will choose according to which version of the standard it will be audited. You don't have to be audited according to ISO 9001:2015 until September 2018.
Question 2:
The requirements from clause 5.1.2 are usually met indirectly through some other processes and requirements of the standard. For example, requirement 5.1.2 a) is met through the identification of interested parties and their needs and compliance, and through clause 8.2.2 Determining the requirements related to products and services. The same applies to the other requirements of this clause.
Acquiring competence for ISO 9001:2015
Answer:
The ISO organization declared that lead auditors who are certified according to ISO 9001:2008 don't have to get certified according to the 2015 revision of the standard; they can attend any type of training, internal or external, to get familiar with the new requirements.
Since the QMS existed in the company before your promotion to production manager, you don't need to check the entire system and its compliance with the standard. You only need to see the audit report from the previous audit to determine whether you need to initiate and conduct some corrective actions. This should be the first step.
There are some usual segments that will definitely be audited, such as document and record control (make sure that all procedures, work instructions, and records are up to date and at the place of use), and also whether the processes are in line with the procedures.
All of the above relates to the production process only; there also must be an internal audit, management review, customer satisfaction monitoring, evaluation of the suppliers, and so on.
Answer: ISO 27001 always mentions "employees and contractors" together, which would mean that "contractors" are different from the employees - they are 3rd parties working for an organization. However, from the ISO 27001 point of view, all the contractors are also considered to be suppliers according to Annex A section A.15.
Answer: The email service should not be included in your scope since you cannot control it. However, some of the data that will be sent through this email service will be included in the scope - basically, when you define the ISMS scope you should define which data is included in the scope.
Or, I cannot control all aspects of my employees' remote offices, but I plan on writing a policy based on telecommuting best practices, covering how to secure everything from our company's physical assets (i.e., lock the laptop when in public places) to installing the latest anti-virus, etc. But I won't include policies on how to configure their wireless network or how to segment it via their own firewall, because they VPN into all the secure networks. So would my employees' remote offices be included in scope or not?
Answer: I don't think it is a good idea to include remote offices in the scope because you don't have direct control over them. But yes, you should define the rules on how the work they perform in these offices is to be protected.