Required artifacts (records) for ISO 27001 Auditing

Ramaiyer

#1
GA all,

I have implemented ISMS in our small IT consulting company. I am the only one working on this project. I have already created the ISMS manual, scope, the policies (29 of them), procedures, Request for Change, document and record handling, corrective and preventive action procedures, security awareness training etc.

I have already given security awareness training and took attendance, employees have acknowledged that they have read the policies and manual, and I have collected information configuration item auditing, security auditing, and document auditing records. Visitor logs, system security monitoring logs, etc. are collected. Performed a desktop business continuity plan exercise and recorded it. Are there (I am sure there are) any other artifacts I need to collect? Can anyone post a list of artifacts they are collecting?

Thanks
#3
It's difficult to tell you what other records may be necessary, since this is going to depend on the scope of the ISMS.

I'm a bit concerned that you (alone) have been compiling this, as unless you engage with the other management you risk not being able to maintain the system. I'd collaborate with your management team to see what records they generate.

Of course, there are plenty of records generated from things such as internal audits, management reviews, corrective actions and improvements etc.
 

Colin

Quite Involved in Discussions
#4
A lot of the records required will be produced as a result of applying the control objectives in Annex A. Many of these will likely be electronic records but either way, they will need to be retained.
 
Ramaiyer

#5
GM Colin,

Thanks for the response. Can you give a couple of examples/samples of electronic records of applying controls? I have the policies and procedures for applying controls. Examples are access control or password control for information systems, or a media disposal policy and the record of how the media was disposed. Will that do?


TIA
 

Colin

Quite Involved in Discussions
#6
I was thinking of things like records of privileges, network logs, fault logs, asset records, results of risk assessments, confidentiality agreements, change management records, system logs, etc.
 
darbym

#7
Some of the information that I would be looking for in addition to the items already mentioned are:
1. Risk Management procedures and associated information.
2. Risk treatment plan(s) and activities.
3. Business continuity tests and information.
4. Security incident records and results.
5. Background checks of staff (if applicable)
6. List of emergency contacts related to the scope.
7. List of security goals and objectives.
8. Access control review records.

I tried to provide items that were not already covered in the thread but it really depends on what is implemented and what is included in the scope.
 
Ramaiyer

#8
Thanks Darbym,

Good list and very much appreciated. The scope is the entire HQ operations. We are a small IT consulting company. We are already collecting artifacts for the compliance of other ISO standards and CMMI certificates that we have. All that I have to do is create a document listing the artifacts and where they can be found on our SharePoint. I am already using the shared document list. I will create a shared record list. Those that are not part of those standards, I will create.

Thanks
 
darbym

#9
No problem, just remember that you are following the process / policies. If the policy for access control states that profiles are reviewed quarterly, then we should expect to see the form or evidence that associates with that requirement. Since many of the security controls can be managed dynamically through software, for example password strength and expiry requirements, the auditor may need to consider records/artifacts that are included within the systems used by your HQ office. Using a CMMI-based "PIID" approach to records management in SharePoint will be good for an external auditor, as it can denote if a security control is managed through a system without a resulting form or record as the final evidence.

Markus
 

Richard Regalado

Trusted Information Resource
#10
Check your statement of applicability for the controls that you have implemented based on the risks your organization is facing. The requirement is that these controls are established, implemented, managed and assessed for effectiveness. Hence, records must show all of the above for all the implemented controls.

For example: one of the controls for HR Security is Screening Prior to Employment. One would expect that you have background investigation reports, interview records, records of claimed expertise and experience.

Hope the above helps.