Required artifacts (records) for ISO 27001 Auditing

Ramaiyer

#1
GA all,

I have implemented ISMS in our small IT consulting company. I am the only one working on this project. I have already created the ISMS manual, scope, the policies (29 of them), procedures, Request for Change, document and record handling, corrective and preventive action procedures, security awareness training etc.

I have already given security awareness training and took attendance, employees have acknowledged that they have read the policies and manual, and I have collected information configuration item auditing, security auditing and document auditing records. Visitor logs, system security monitoring logs, etc. are collected. Performed a desktop business continuity plan exercise and recorded it. Are there (I am sure there are) any other artifacts I need to collect? Can anyone post a list of artifacts they are collecting?

Thanks
#3
It's difficult to tell you what other records may be necessary, since this is going to depend on the scope of the ISMS.

I'm a bit concerned that you (alone) have been compiling this, as unless you engage with the other management you risk not being able to maintain the system. I'd collaborate with your management team to see what records they generate.

Of course, there are plenty of records generated from things such as internal audits, management reviews, corrective actions and improvements etc.
 

Colin

Quite Involved in Discussions
#4
A lot of the records required will be produced as a result of applying the control objectives in Annex A. Many of these will likely be electronic records but either way, they will need to be retained.
 
Ramaiyer

#5
GM Colin,

Thanks for the response. Can you give a couple of examples/samples of electronic records of applying controls? I have the policies and procedures for applying controls. Examples are access control or password control for information systems, or a media disposal policy and the record of how the media was disposed. Will that do?


TIA
 

Colin

Quite Involved in Discussions
#6
I was thinking of things like records of privileges, network logs, fault logs, asset records, results of risk assessments, confidentiality agreements, change management records, system logs, etc.
 
darbym

#7
Some of the information that I would be looking for in addition to the items already mentioned are:
1. Risk Management procedures and associated information.
2. Risk treatment plan(s) and activities.
3. Business continuity tests and information.
4. Security incidents records and results.
5. Background checks of staff (if applicable).
6. List of emergency contacts related to the scope.
7. List of security goals and objectives.
8. Access control review records.

I tried to provide items that were not already covered in the thread but it really depends on what is implemented and what is included in the scope.
 
Ramaiyer

#8
Thanks Darbym,

Good list and very much appreciated. The scope is the entire HQ operations. We are a small IT consulting company. We are already collecting artifacts for the compliance of other ISO standards and CMMI certificates that we have. All that I have to do is create a document listing the artifacts and where they can be found on our SharePoint. I am already using the shared document list. I will create a shared record list. Those that are not part of those standards, I will create.

Thanks
 
darbym

#9
No problem, just remember that you are following the process / policies. If the policy for access control states that profiles are reviewed quarterly, then we should expect to see the form or evidence that associates with that requirement. Since many of the security controls can be managed dynamically through software, for example password strength and expiry requirements, the auditor may need to consider records/artifacts that are included within the systems used by your HQ office. Using a CMMI-based "PIID" approach to records management in SharePoint will be good for an external auditor, as it can denote if a security control is managed through a system without a resulting form or record as the final evidence.

Markus
 

Richard Regalado

Trusted Information Resource
#10
Check your statement of applicability for the controls that you have implemented based on the risks your organization is facing. The requirement is that these controls are established, implemented, managed and assessed for effectiveness. Hence, records must show all of the above for all the implemented controls.

For example: one of the controls for HR Security is Screening Prior to Employment. One would expect that you have background investigation reports, interview records, records of claimed expertise and experience.

Hope the above helps.
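The two points made in #9 and #10 (evidence must match what the policy commits to, system-enforced controls need a configuration export rather than a form, and every control in the statement of applicability needs evidence on file) can be checked mechanically against an evidence register. The following is an added example, not code from the thread or from any tool mentioned in it; the register entries, control names, SharePoint paths and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

@dataclass
class ControlEvidence:
    control: str                    # control from the statement of applicability
    policy_requirement: str         # what the written policy commits to
    review_days: Optional[int]      # required review cadence in days, None if not periodic
    evidence_type: str              # "record" (form/report) or "system" (enforced by software)
    evidence_location: str          # where the auditor will find it (constructed paths)
    last_evidence: Optional[date]   # date of newest record or configuration export

# Constructed evidence register for a small HQ scope (not real data).
REGISTER = [
    ControlEvidence("Access control - user profiles", "profiles reviewed quarterly", 90,
                    "record", "SharePoint/Records/AccessReviews", date(2024, 1, 15)),
    ControlEvidence("Password management", "12-char minimum, 90-day expiry", None,
                    "system", "AD Default Domain Policy export", date(2024, 3, 1)),
    ControlEvidence("Screening prior to employment", "background check before hire", None,
                    "record", "SharePoint/Records/HR/Screening", None),
]

def audit_readiness(register: List[ControlEvidence], today: date) -> List[Tuple[str, str]]:
    """Return (control, finding) pairs for controls an auditor could not yet evidence."""
    findings = []
    for e in register:
        if e.last_evidence is None:
            # Control is in scope but nothing on file shows it was ever operated.
            findings.append((e.control, "no evidence on file for: " + e.policy_requirement))
            continue
        if e.review_days is not None and today - e.last_evidence > timedelta(days=e.review_days):
            # Policy promises a cadence the records do not demonstrate.
            findings.append((e.control, f"review overdue: last evidence {e.last_evidence}, "
                                        f"policy requires every {e.review_days} days"))
        if e.evidence_type == "system" and "export" not in e.evidence_location.lower():
            # Software-enforced controls still need a captured configuration as evidence.
            findings.append((e.control, "system-enforced control needs a configuration export on file"))
    return findings

if __name__ == "__main__":
    for control, finding in audit_readiness(REGISTER, date(2024, 6, 1)):
        print(f"{control}: {finding}")
```

Run against the constructed register on 2024-06-01 it flags the overdue quarterly access review and the missing screening records, while the password policy is accepted because an exported domain policy is on file.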
 