
  • Questions about ISO 22301/BS 25999 Toolkit


    1. Do I get a copy of the ISO 22301/BS 25999 standard if I buy this package?
    2. Why is risk assessment and treatment documents not included in this package?
    3. Is this toolkit enough to implement BCP in our organization?

    Answers:
    1.- No, I am sorry, we do not offer these standards with our toolkit, although BS 25999 is obsolete, and the current “universal” standard about business continuity is ISO 22301 (ISO 22301 was developed from BS 25999). You can buy ISO 22301 from the official site of ISO.org: https://www.iso.org/standard/50038.html
    2.- The large majority of our clients who go for the implementation of ISO 22301 already have some kind of risk assessment and treatment documentation. If you do not have risk management in place, I would suggest you go for our ISO 27001 & ISO 22301 Premium Documentation Toolkit https://advisera.com/27001academy/iso-27001-22301-premium-documentation-toolkit/ which also has the risk management documents, and the documents that will help you with policies and procedures that will mitigate the risks.

    3.- Certainly, our ISO 22301 Toolkit contains the Business continuity plan (BCP) template, but also all other document templates that are required by ISO 22301. The toolkit provides you with all the documentation and support that is needed to implement this standard in your company without using a consultant.
  • Shredding CDs and USB memory sticks


    Answer: If I understood your question well, you're asking about the documentation you should use for the process of shredding the media. From our ISO 27001 Documentation Toolkit you can use the Disposal and Destruction Policy https://advisera.com/27001academy/documentation/disposal-and-destruction-policy/ through which you can define some basic rules on how this process is handled.

    You should also keep records of destruction of these media; however, there is no need for some special form - in such records you need to specify what media was destroyed, the method of destruction, when this was done, and by whom.

    This article will also help you: Secure equipment and media disposal according to ISO 27001 https://advisera.com/27001academy/blog/2015/12/07/secure-equipment-and-media-disposal-according-to-iso-27001/
  • SLA and stakeholders


    Answer:
    To explain how an SLA helps, i.e. empowers, various stakeholders, let's assume some of them:
    - Service Level Manager and operational team - the SLA provides them with objectives which need to be achieved (e.g. resolution time for incidents of priority 2)
    - Management of the organization/company - the SLA is an obligation to the customer, and management wants to know whether the company fulfills its requirements. Additionally, the SLA is a tool to evaluate the operational team (do they fulfill the SLA requirements or not, or are we much better than agreed in the SLA so we can introduce a new service level package)
    - Customer - they know what to expect and they can control delivery of the services they pay for (i.e. check whether they get what they paid for)
    - Suppliers - although not visible in the SLA (or they don't know the content of the SLA), indirectly the SLA defines their obligations, too.

    Read the articles
    "SLAs, OLAs and UCs in ITIL and ISO 20000" https://advisera.com/20000academy/knowledgebase/slas-olas-ucs-itil-iso-20000/
    "ITIL – Service Level Agreements: Designing frameworks" https://advisera.com/20000academy/blog/2015/01/27/itil-service-level-agreements-designing-frameworks/
    "ITIL Supplier Management and Service Level Management – How to put the two in balance" https://advisera.com/20000academy/blog/2015/11/10/itil-supplier-management-and-service-level-management-how-to-put-the-two-in-balance/
    to learn more about SLA and other contracts.
  • Environmental aspects in office


    One more thing. Our main activity is designing high voltage installations and system analysis of power systems. I cannot see how the Procedure of Production & Services applies to us as we do not produce anything. Maybe I am on the wrong track here and hopefully you can give me a hint that helps me with this issue.

    Answer:

    Since you are involved only in office work, the only environmental aspects related to your business are waste paper, toners for printers and other electronic waste. In the case when there are no significant aspects in your company, you will have to define some insignificant environmental aspects as significant, only because without a significant environmental aspect you simply can't have an environmental management system. For more information, see: How to identify environmental aspects in your office using ISO 14001 https://advisera.com/14001academy/blog/2015/05/18/how-to-identify-environmental-aspects-in-your-office-using-iso-14001/

    You are right, basically your main process is design and development and not production. In this case, you can use only Procedure for Design and Development but you need to add the reference documents from Procedure for Production and Service Provision and the part about customer property if you use any during your processes.
  • Implementing ISO 9001 in hospitals


    - organizational context

    The requirements for determining the context of the organization do not differ much from industry to industry. You need to determine all internal and external issues relevant to your hospital and its ability to achieve its objectives. The best way to do it is to involve key people in the hospital and discuss all issues relevant to the quality of your service and the satisfaction of your customers. For more information, see: How to identify the context of the organization in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/

    - resources management

    This shouldn't be too difficult because it existed even without the QMS. You need to determine all necessary resources for your hospital; this includes human resources, infrastructure, equipment, etc. However, you don't have to document the process of providing resources, but you will need to keep records about the competence of your employees and records about the calibration of measuring equipment.

    - design and development

    This clause can be excluded if your hospital does not design new practices for patient treatment.

    - control of nonconforming output

    Nonconforming output in the case of hospitals is when some procedures are not followed. The nonconforming product can be outdated or corrupted medicines or improper disposal of medical waste.

    In addition, will I have to contain the clinical units in our QMS? If yes, how?

    It depends on how you defined the scope of your QMS; if you decided to include all your clinical units in the scope, then you need to define them in the document Scope of QMS. For more information, see: How to define the scope of the QMS according to ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
  • Getting support for ISO 9001 implementation


    Even I, as a System Compliance Manager, the only reason I can give for this change is that it will enable all management systems to be easily integrated, since the requirements will now have the same structure. Business risk management, stakeholder (interested parties) management - a sort of Context of Organisation - has always been in company books and is always discussed.
    Well, change is always difficult. Let's hope this seemingly unnecessary burden works.

    Answer:

    Introducing changes, especially systematic ones, is always difficult. The best way to persuade the rest of the company is to arrange awareness-raising meetings where you will explain to them that they won't have too many new obligations and that their company will have a lot of benefits. The most important thing is that you acquire your top management's support; once you have this, the rest of the company will follow.

    For more information, see: Six Key Benefits of ISO 9001 Implementation https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/
  • Control of external documents


    Answer:

    One way to deal with this situation is to limit recording to only external documents related to the quality management system. The standard requires external documents to be controlled, but not necessarily recorded in the list of external documents, so you only need to add to the procedure how you handle these drawings.

    For more information, see: New approach to document and record control in ISO 9001:2015 https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
  • What kind of information is of external origin?

    1. What kind of information about ISMS we may receive from outside? And to which units this information can be addressed?

    Answer: You can receive all kinds of security communication and documents from regulatory body and from your partners and clients. This information could be addressed to your IT department, legal department, management board, etc.

    2. We also ask you to clarify this item: "[job title] then classifies documents according to the Policy for handling classified information and determines to whom the document should be forwarded." Is it necessary to classify documents? What is the reason to classify documents if these documents will be stored by other units?

    Answer: Classification of documents is specified in control A.8.2.1 - you have to apply this control if you marked this control as applicable in your Statement of Applicability, and you will mark it as applicable if there are (1) risks that would require such a control to be implemented, and/or (2) legal or contractual requirements. In most cases, when the documents are stored on the intranet, there are risks that someone unauthorized will see them - this is why classification is used; further, very often the regulatory body requires the classification to be implemented.

    By the way, you can learn a lot about the document control, and all other requirements of ISO 27001 through our free online ISO 27001 Foundations course - I would recommend you register: https://advisera.com/training/iso-27001-foundations-course/
  • Disaster vs. Incident


    Answer:
    The difference is that an incident is a situation that might be, or could lead to, a disruption, a loss, or a situation of emergency or crisis, while a disaster is always a situation that implies serious damage to the organization.

    From the perspective of business continuity, the difference between an incident and a disaster is in timing - if the duration of the incident is short, then this is just an incident; if it lasts longer, then it could become a disaster.

    An example of an incident can be the interruption of communications in the organization (for example, you do not have Internet), while an example of a disaster can be an earthquake, a fire, a flood, etc.

    And an incident can result in a disaster; for example, if you detect a fire in an information system, it can be notified as an incident, but it can also result in a disaster (if the fire spreads to the whole organization).

    Regarding the information security incidents, this article can be interesting for you “How a change in thinking can stop 59% of security incidents” : https://advisera.com/27001academy/blog/2015/02/16/change-thinking-can-stop-59-security-incidents/

    And also this article “How to handle incidents according to ISO 27001 A.16” : https://advisera.com/27001academy/blog/2015/10/26/how-to-handle-incidents-according-to-iso-27001-a-16/

    And I think this document can also help you because it gives you information about examples of disruptive incident scenarios: “Examples of Disruptive Incident Scenarios” https://advisera.com/27001academy/documentation/examples-of-disruptive-incident-scenarios/
  • Scope of the QMS

    If you fill in all the sections from the document, you will define your entire scope. Sections 3.1 to 3.6 cover different aspects of the scope, and once you complete them, you will have your scope defined. There is no expected length of the scope; in some cases it can be defined in one sentence.

    For more information, see: How to define the scope of the QMS according to ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/