
  • Combining Quality Policy and Information Security Policy


    Answer: Both ISO 27001 and ISO 9001 allow you to merge these policies into a single document; however, I wouldn't recommend that. These policies have a different purpose and a different focus, so I don't think it would be a good idea to merge them.

    On the other hand, you should combine many other documents between your ISMS and QMS - see this article: Using ISO 9001 for implementing ISO 27001 https://advisera.com/27001academy/blog/2010/03/08/using-iso-9001-for-implementing-iso-27001/
  • Determining the context and risks and opportunities step by step


    Answer:

    The first step is to determine all internal and external issues relevant to your organization, your products and services, and your customer satisfaction. This can be done at a meeting with all relevant roles in your company. You also must decide what you want to document regarding the context and how. My advice is to establish a procedure for determining the context, because in this way it will be much easier for you to identify all elements of the context that need to be discussed. For more information, see How to identify the context of the organization in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/

    The next step is to decide what methodology to use for identifying and evaluating risks and opportunities. You can go with a simple methodology for small companies and simple processes, or you can choose a more comprehensive methodology depending on the size of your company and the complexity of your processes. For more information, see Methodology for ISO 9001 Risk Analysis https://advisera.com/9001academy/blog/2015/09/01/methodology-for-iso-9001-risk-analysis/

    Then you need to identify key risks and opportunities and make plans for actions to address them; making plans includes defining deadlines, resources and responsible persons.

    The last step is to evaluate the effectiveness of the actions, and this is usually done during management review.
  • Options for surveillance audit and customer focus

    Our organisation is in its second surveillance term, and we are being audited in September. My question is: are we going to be audited on the old ISO quality management system 9001:2008 or on the new ISO 9001:2015? Or would the certification body want to know how far we have implemented the new quality management system?

    Question 2:
    We are trying to wrap our minds around clause 5 Leadership; Clause 5.1.2 Customer focus I don't really understand what is needed. Can you please clarify?

    Answer:

    Question 1:
    The organization itself will choose which version of the standard it will be audited against. You don't have to be audited according to ISO 9001:2015 until September 2018.

    Question 2:
    The requirements from clause 5.1.2 are usually met indirectly through some other processes and requirements of the standard. For example, requirement 5.1.2 a) is met through identification of interested parties and their needs and compliance, and clause 8.2.2 Determining the requirements related to products and services. The same goes for the other requirements of this clause.
  • Acquiring competence for ISO 9001:2015


    Answer:

    The ISO organization declared that lead auditors who are certified according to ISO 9001:2008 don't have to get certified according to the 2015 revision of the standard; they can attend any type of training, internal or external, to get familiar with the new requirements.

    I suggest you take a look at our free online ISO 9001:2015 Foundations course https://advisera.com/training/iso-9001-foundations-course/
  • Preparing for certification audit


    Answer:

    Since the QMS existed in the company before your promotion to production manager, you don't need to check the entire system and compliance with the standard. You only need to see the audit report from the previous audit to determine whether you need to initiate and conduct some corrective actions. This should be the first step.

    There are some usual segments that will definitely be audited, such as document and record control (make sure that all procedures, work instructions and records are up to date and at the place of use), and also whether the processes are in line with the procedures.

    All of the above is related to the production process only; there also must be an internal audit, management review, customer satisfaction monitoring, evaluation of the suppliers and so on.

    For more information, see:
    - What questions to expect on the ISO 9001 certification audit https://advisera.com/9001academy/blog/2016/04/19/what-questions-to-expect-on-the-iso-9001-certification-audit/
    - How to prepare your company for the ISO 9001 certification audit https://advisera.com/9001academy/03/how-to-prepare-your-company-for-the-iso-9001-certification-audit/
  • The term "Contractors"


    Answer: ISO 27001 always mentions "employees and contractors" together, which would mean that "contractors" are different from the employees - they are third parties working for an organization. However, from the ISO 27001 point of view, all the contractors are also considered to be suppliers according to Annex A section A.15.

    This article may also help you: 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
  • ISMS scope question


    Answer: The email service should not be included in your scope since you cannot control it. However, some of the data that will be sent through this email service will be included in the scope - basically, when you define the ISMS scope you should define which data is included in the scope.

    Or, I cannot control all aspects of my employees' remote offices, but I plan on writing a policy based on telecommuting best practices, and how to secure everything from our company's physical assets (i.e. lock laptop when in public places) to installing the latest anti-virus, etc. But I won't include policies on how to configure their wireless network or to segment it via their own firewall, because they VPN into all the secure networks. So would my employees' remote offices be included in scope or not?

    Answer: I don't think it is a good idea to include remote offices in the scope because you don't have direct control over them. But yes, you should define the rules on how the work they perform in these offices is to be protected.

    This article might also help you: How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
  • Implementing business continuity management system


    Answer:
    Regarding your first question, generally the implementation project for a business continuity management system is not structured in processes, it is structured in steps, and here you can see how to implement a business continuity management system based on ISO 22301: "17 steps for implementing ISO 22301" https://advisera.com/27001academy/knowledgebase/17-steps-for-implementing-iso-22301/22301/iso-22301/

    Regarding the audit, I suppose that you mean the internal audit, and you can use a checklist for this, so this article can help you: "How to make an Internal Audit checklist for ISO 27001 / ISO 22301" https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

    Regarding the process involved in auditing a business continuity management system, generally it is not used; I mean, the internal audit is structured in steps, not in processes. Besides the previous article, you can also use our specific toolkit for the internal audit, which has all the necessary tools that you can use to perform the internal audit in your company (you can see a free version by clicking the "Free demo" tab): "ISO 27001/ISO 22301 Internal Audit Toolkit" https://advisera.com/27001academy/iso-27001-22301-internal-audit-documentation-toolkit/
  • Creating policies and procedures: Stage of implementation


    Answer:
    Generally the creation of policies and procedures begins after the risk assessment & treatment, because you will need policies and procedures to implement the security controls.

    Regarding your second question, the first policy that you can write is the top-level information security policy.

    Anyway, remember that there are some mandatory policies and procedures that you need for the implementation of ISO 27001:2013, which you can see here: "List of mandatory documents required by ISO 27001 (2013 revision)" https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

    This article can also be interesting for you: "How to structure the documents for ISO 27001 Annex A controls" https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/

    And also this one: "ISO 27001 implementation checklist" https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

    Finally, our online course can also be interesting for you, because we give more information about how to implement policies and procedures: "ISO 27001:2013 Foundations Course" https://advisera.com/training/iso-27001-foundations-course/
  • Monitoring and measurement results

    There are two more documents in the documentation toolkit that will be helpful regarding the measurement and monitoring:
    - In the top-level Information Security Policy, in the section 4.1 you need to specify the responsibilities for measurement and monitoring.
    - Risk Treatment Plan - in the column "Method for evaluation of results" you need to specify how you will evaluate whether the implementation plan of the controls has been complied with, while in the column "Status" you need to specify whether a particular control is implemented or not, which you can use for monitoring the implementation plan.