
Tuesday, 27 May 2014

ISO 27001:2013 Transition – Final Stage

Holders of the ISO 27001:2005 Standard will be aware that the "clock is ticking" and they must upgrade to the new 2013 Standard by September 2015 or risk being de-registered. However, most organisations are being cautious not to rush the transition and perhaps end up with a system that is too complicated or difficult to maintain. This is the final part of our series detailing the various steps needed to achieve a successful transition to the revised Standard.

You should have all the procedures, records and evidence in place to show that your ISMS (Information Security Management System) is working.

To confirm this you should now carry out an internal audit.

The first part of your audit will cover the 27001 mandatory requirements:

Documented information (formerly document and records control)

Management review
Internal audit
Risk assessment
Risk treatment

Then you can use this modified SOA (Statement of Applicability) as a checklist (you may need to adjust the formatting to suit your paper format).
Once the audit is complete you should carry out any corrective action for non-conformities found during the audit.

You will then be ready to have your chosen certification body carry out an assessment.

If all is well you will be awarded a certificate of compliance to ISO 27001: 2013.

If you have problems or think that you need help simply email us at QMLUK@aol.com.  We have been doing this type of work since 1991 and offer a guarantee of success.

Monday, 12 May 2014

ISO 27001:2013 Transition – Stage Six

Holders of the ISO 27001:2005 Standard will be aware that the "clock is ticking" and they must upgrade to the new 2013 Standard by September 2015 or risk being de-registered. However, most organisations are being cautious not to rush the transition and perhaps end up with a system that is too complicated or difficult to maintain. This is the sixth part of our series detailing the various steps needed to achieve a successful transition to the revised Standard.

By this time you should have created your documentation set. Now the records and logs are produced that show the results achieved or provide evidence of the activities performed. As each organisation will have different requirements for records, we have not gone into detail in this blog.
These records and logs are identified in the Standard and the Code of Practice. The text tends to say "records should be maintained". Records can be in any format, paper or electronic.

Records shall be protected from loss, destruction, falsification, unauthorised access and unauthorised release, in accordance with legislative, regulatory, contractual and business requirements.

In addition to the documents and records required, there is a need to have a business continuity plan and a disaster recovery plan for IT systems. Once produced, the plans should be tested and adjusted as required. Testing can be done in a number of ways:

Table-top exercise, where the company carries out the test around a table and no operational systems are interrupted.

Partial test, where the recovery systems are tested, but a full evacuation of the premises is not required.

Full test, where all systems are tested against the business continuity plan and the DR plan as though a real emergency had occurred.

Lessons learned from these tests are incorporated into the documented plans.

Our final part (7) of this series of transition steps will conclude with a full internal audit prior to the external certification body assessment.

Quality Matters

© 2015 Quality Matters Ltd. All rights reserved.