Search results

Home / Search

Category:
Select
Select

11270 results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Getting support for ISO 9001 implementation


    Even I as a System Compliance Manager, the only reason I can give this change is that it will enable all management systems to be easily integrated since the requirement will be having the same structure now. Business risk management, stakeholders(interested parties) management - a sort of Context of Organisation has always been in company books and is always discussed.
    Well, to change is always difficult. Lets hope this seemingly unnecessary burden works.

    Answer:

    Introducing changes, especially systematic ones is always difficult. The best way to persuade the rest of the cmpany is to arrange awareness raising meetings where you will explain them that they wont have too many new obligations and that their company will have a lot of benefits. The most important is that you acquire your top management support, once you have this, the rest of the company will follow.

    For more information, see: Six Key Benefits of ISO 9001 Implementation https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/

  • Control of external documents


    Answer:

    One way to deal with this situation is to limit recording only external documents related to the quality management system. The standard requires external documents to be controlled but non necessarily recorded into list of external documents, so you only need to add to the procedure how you handle this drawings.

    For more information, see: New approach to document and record control in ISO 9001:2015 https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/

  • What kind of information is of external origin?

    1. What kind of information about ISMS we may receive from outside? And to which units this information can be addressed?

    Answer: You can receive all kinds of security communication and documents from regulatory body and from your partners and clients. This information could be addressed to your IT department, legal department, management board, etc.

    2. We also ask you to clarify this item: "[job title] then classifies documents according to the Policy for handling classified information and determines to whom the document should be forwarded." Is it necessary to classify documents? What is the reason to classify documents if this documents will be stored by other units?

    Answer: Classification of documents is specified in control A.8.2.1 - you have to apply this control if you marked this control as applicable in your Statement of Applicability, and you will mark it as applicable if there are (1) risks that would req uire such control to be implemented, and/or (2) if there are legal or contractual requirements. In most cases, when the documents are stored on the intranet, there are risks that someone unauthorized will see them - this is why classification is used; further, very often the regulatory body is requiring the classification to be implemented.

    By the way, you can learn a lot about the document control, and all other requirements of ISO 27001 through our free online ISO 27001 Foundations course - I would recommend you register: https://advisera.com/training/iso-27001-foundations-course/

  • Disaster vs. Incident


    Answer:
    The difference is that an incident is a situation that might be, or could lead to a disruption, or a loss, or in a situation of emergency or crisis, while a disaster always is a situation that implies a serious damage to the organization.

    From the perspective of business continuity, the difference between incident and a disaster is in timing - if the duration of the incident is short, then this is just an incident; if it lasts longer, then it could become a disaster

    An example of incident can be the interruption of communications in the organization (for example you do not have Internet), while an example of disaster can be an earthquake, or a fire, or a flood, etc.

    And, an incident can result in a disaster, for example, if you detect a fire in an information system, it can be notified as incident, but it can also result in a disaster (it the fire spreads to all the organization).

    Regarding the information security incidents, this article can be interesting for you “How a change in thinking can stop 59% of security incidents” : https://advisera.com/27001academy/blog/2015/02/16/change-thinking-can-stop-59-security-incidents/

    And also this article “How to handle incidents according to ISO 27001 A.16” : https://advisera.com/27001academy/blog/2015/10/26/how-to-handle-incidents-according-to-iso-27001-a-16/

    And I think can this document can also help you because gives you information about examples of disruptive incidents scenarios “Examples of Disruptive Incident Scenarios” : https://advisera.com/27001academy/documentation/examples-of-disruptive-incident-scenarios/

  • Scope of the QMS

    If you fill in all the sections from the document, you will define your entire scope. Sections from 3.1 to 3.6 cover different aspects of the scope and once you complete them, you will have the your scope defined. There is no expected length of the scope, in some cases it can be defined in one sentence.

    For more information, see: How to define the scope of the QMS according to ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/

  • Processes and activities


    Answer:

    The process is a series of activities that deliver desired result. The column "Activity/Action" in our Appendix 1 – Quality Objectives is for defining action to accomplish the objective and doesn't have to be related to the activities in the process.

    For more information, see: How to Write Good Quality Objectives https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/

  • Performance Evaluation for ISO 9001:2015


    Answer:

    The clause 9.1.1 requires organization to determine what needs to be monitored and measured , how and when the monitoring and measurement will be performed and to retain records as an evidence of monitoring and measuring. In simple terms, that can be key performance indicators that you defined for your processes and you need to have a records about the monitoring and measuring the KPIs. Here you can find a free preview of our Matrix of Key Performance Indicators https://advisera.com/9001academy/documentation/matrix-key-performance-indicators/

    For more information, see: How to implement the Check phase (performance evaluation) in the QMS according to ISO 9001:2015 https://advisera.com/9001academy/blog/2015/11/17/how-to-implement-the-check-phase-performance-evaluation-in-the-qms-according-to-iso-90012015/

    The clause 9.1.3 defines what data should b e analysed and with what purpose, our toolkit contains one simple record with this purpose, you can find the free preview of Data Analysis Report here https://advisera.com/9001academy/documentation/data-analysis-report-2/

  • If I do pen test, which controls from Annex A can be covered?


    Answer: Unfortunately, out of 114 controls from Annex A, with penetration testing your would partially cover only the control A.12.6.1 "Management of technical vulnerabilities." And I say partially because pen testings wouldn't be enough to cover this control completely.

    See also these articles:
    - How to use penetration testing for ISO 27001 A.12.6.1 https://advisera.com/27001academy/blog/2016/01/18/how-to-use-penetration-testing-for-iso-27001-a-12-6-1/
    - How to manage technical vulnerabilities according to ISO 27001 control A.12.6.1 https://advisera.com/27001academy/blog/2015/10/12/how-to-manage-technical-vulnerabilities-according-to-iso-27001-control-a-12-6-1/

  • Implementing ISO 27001 in a SMB start up company


    Answer: Yes, it is possible that small start up company implements ISO 27001 - we have quite many such clients who have successfully done that with our toolkits. Some companies will find ISO 27001 more useful than others - each company needs to decide which benefits can be achieved on their own . This article will help you with details: Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/

    Should they take external help for this project or is it possible for them to initiate this on their own with some virtual help from outside?

    Answer: This depends how quickly this company needs to implement ISO 27001 - if this is something urgent, then it would be better to hire a consultant; if this is not so urgent, and if there are some confidential data that should not be shared with others, then they can implement the standard usin g the Do-It-Yourself approach using some online tools.

    This article explains these options in detail: 3 strategies to implement any ISO standard https://advisera.com/articles/3-strategic-options-to-implement-any-iso-standard/

  • Warehousing Procedure

    In your case, there is no need for warehousing procedure, storage of hard files of your clients may be covered with procedure for document and record control.

    You don't need to use every procedure and record from our toolkit, only those that are mandatory and the ones you find useful for your business
Page 1005-vs-13485 of 1127 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +