Search results


  • Processes and activities


    Answer:

    A process is a series of activities that deliver a desired result. The column "Activity/Action" in our Appendix 1 – Quality Objectives is for defining the action to accomplish the objective and doesn't have to be related to the activities in the process.

    For more information, see: How to Write Good Quality Objectives https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
  • Performance Evaluation for ISO 9001:2015


    Answer:

    Clause 9.1.1 requires the organization to determine what needs to be monitored and measured, how and when the monitoring and measurement will be performed, and to retain records as evidence of monitoring and measuring. In simple terms, these can be the key performance indicators that you defined for your processes, and you need to have records of the monitoring and measuring of the KPIs. Here you can find a free preview of our Matrix of Key Performance Indicators https://advisera.com/9001academy/documentation/matrix-key-performance-indicators/

    For more information, see: How to implement the Check phase (performance evaluation) in the QMS according to ISO 9001:2015 https://advisera.com/9001academy/blog/2015/11/17/how-to-implement-the-check-phase-performance-evaluation-in-the-qms-according-to-iso-90012015/

    Clause 9.1.3 defines what data should be analysed and for what purpose; our toolkit contains one simple record for this purpose. You can find the free preview of the Data Analysis Report here https://advisera.com/9001academy/documentation/data-analysis-report-2/
  • If I do pen test, which controls from Annex A can be covered?


    Answer: Unfortunately, out of the 114 controls from Annex A, with penetration testing you would partially cover only control A.12.6.1 "Management of technical vulnerabilities." And I say partially because pen testing wouldn't be enough to cover this control completely.

    See also these articles:
    - How to use penetration testing for ISO 27001 A.12.6.1 https://advisera.com/27001academy/blog/2016/01/18/how-to-use-penetration-testing-for-iso-27001-a-12-6-1/
    - How to manage technical vulnerabilities according to ISO 27001 control A.12.6.1 https://advisera.com/27001academy/blog/2015/10/12/how-to-manage-technical-vulnerabilities-according-to-iso-27001-control-a-12-6-1/
  • Implementing ISO 27001 in a SMB start up company


    Answer: Yes, it is possible for a small start-up company to implement ISO 27001 - we have quite a few such clients who have successfully done that with our toolkits. Some companies will find ISO 27001 more useful than others - each company needs to decide on their own which benefits can be achieved. This article will help you with details: Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/

    Should they take external help for this project or is it possible for them to initiate this on their own with some virtual help from outside?

    Answer: This depends on how quickly this company needs to implement ISO 27001 - if this is something urgent, then it would be better to hire a consultant; if this is not so urgent, and if there are some confidential data that should not be shared with others, then they can implement the standard using the Do-It-Yourself approach using some online tools.

    This article explains these options in detail: 3 strategies to implement any ISO standard https://advisera.com/articles/3-strategic-options-to-implement-any-iso-standard/
  • Warehousing Procedure

    In your case, there is no need for a warehousing procedure; storage of hard files of your clients may be covered by the procedure for document and record control.

    You don't need to use every procedure and record from our toolkit, only those that are mandatory and the ones you find useful for your business.
  • ISO 31000 and ISO 27005


    Answer:
    From my point of view, no, because ISO 27005 is specially developed to provide guidelines on how to organize information security risk management, and ISO 31000 is developed to provide guidelines on how to organize global risk management, so if you have an ISMS (Information Security Management System) and you have information security risks, the best way (and the logical way) is to use ISO 27005. Anyway, remember that both standards are only codes of best practice; you cannot certify against them. For more information, please read this article “ISO 31000 and ISO 27001 – How are they related?” : https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/

    And if you are interested in ISO 27001, our online course can also be interesting for you: “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • How to match ISO 9001:2015 with ISO 27001?


    Answer:
    You can implement both together, and it is very easy because there are many common points (document management, internal audit, corrective and preventive actions, human resources management, management review, setting the business goals), so first you can start with the implementation of these common points; afterwards you can implement the specific points of ISO 9001 (operating procedures) and then the specific points of ISO 27001 (risk assessment & treatment).

    This article can help you “Using ISO 9001 for implementing ISO 27001” : https://advisera.com/27001academy/blog/2010/03/08/using-iso-9001-for-implementing-iso-27001/

    And this free webinar can also be interesting for you: “ISO 27001 implementation: How to make it easier using ISO 9001” : https://advisera.com/27001academy/webinar/iso-27001-implementation-make-easier-using-iso-9001-free-webinar-demand/

    Finally, our online course can also be interesting for you because it gives you detailed information about ISO 27001: “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/

    And also our online course about ISO 9001: "ISO 9001:2015 Foundations Course" : https://advisera.com/training/iso-9001-foundations-course/
  • Relations with subcontractor and ISO 9001


    The main contractor will request the subcontractor to record their inspection activities in the form they provided, according to and in compliance with their procedure. On the other hand, the subcontractor has also established its own procedure and records as required by ISO standards.

    In my opinion, both the main contractor's and the sub's forms shall be used and filled in by the subcontractor, because it is mandatory for the subcontractor to comply with the main contractor's requirement in order to maintain the ISO requirement for the main contractor, and it is also mandatory for the subcontractor to comply with ISO standards and keep records of its own.

    So in an inspection, two forms shall be used: one from the main contractor, which will be kept by the main contractor, and one from the subcontractor, to be kept as the subcontractor's proof of their QMS implementation.

    I think it is logical, but I need confirmation whether it is indeed the common practice for a subcontractor company.

    Answer:

    It is not a very common practice for an organization to prescribe records to its subcontractors; it is not a nonconformity, but it definitely isn't something that the standard requires. But if the main organization decided to prescribe a procedure and records to the subcontractor, then from the point of view of the subcontractor there is no need to duplicate their own records; they can use the main company's records and refer to them in the Quality Manual or some other procedure.

    There is no need, nor any requirement of the standard, to have two records for the same thing, regardless of the origin of the record. The records and procedures provided by the main company will be considered as external documents in the QMS of the subcontractor, and that is all.
  • Scope of the internal audit


    Answer:
    The scope of the internal audit needs to be aligned with the scope of the ISMS, and should include the review of all requirements of the standard, including the security controls implemented by the organization. So, you can develop a checklist with all points that you need to review during the internal audit, and for this, you can read our article “How to make an Internal Audit checklist for ISO 27001 / ISO 22301” : https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

    And our template can also be interesting for you (you can see a free version by clicking on the “Free demo” tab): “Internal Audit Checklist” https://advisera.com/27001academy/documentation/internal-audit-checklist/

    Or maybe our Internal Audit Toolkit can also be useful for you: “ISO 27001/ISO 22301 Internal Audit Toolkit” : https://advisera.com/27001academy/iso-27001-22301-internal-audit-documentation-toolkit/

    Finally, our online course can also be interesting for you, because we give more details about the internal audit: “ISO 27001:2013 Internal Auditor Course” : https://advisera.com/training/iso-27001-internal-auditor-course/
  • Service Management objectives and quality objectives


    Answer:
    Setting up objectives is mandatory, but there is no fixed period for how often they should be changed/updated. Review of objectives (whether quality or service management) should take place at least once a year. And, as you said, they should be measured and adapted according to the results. But to set completely new objectives once a year - I think that's not possible. Additionally, objectives should point in the mission/vision direction, so they will be, from time to time, slightly adapted.

    Is quantitative measurement not a mandate from the standard's point of view? Lots of people debate this. What is it exactly? As per me, it must be measurable, but how you are measuring it is a matter of choice.

    Answer:
    Measurement should be quantitative. This means that you have to have exact values which are the result of measurement. They are compared to expected/desired/required numbers. The consequence is to define what to do or where to go once you have quantitative results.
    Read the article "Facing reality – measurements in ITIL" https://advisera.com/20000academy/blog/2013/04/02/facing-reality-measurements-itil/ to learn more.

    If the aim of the Quality objective, Service Management objective and Service Improvement Plan is the same, then why have them in the same place? The main question is again the same: is it mandatory from the standard's point of view to have an objective for a time-bound period and then achieve it? Can't we have running objectives? Is it a non-conformance?

    Answer:
    Quality objectives and Service Management objectives do not necessarily need to be the same. The Service Improvement Plan is your plan (containing concrete measures) for how to achieve improvements. It could directly affect your service management objectives, but it could also affect, e.g., some operational activity or some part of the service which does not directly influence a service management objective. So, I think it's not possible to declare the Service Improvement Plan the same as a Service Management objective. Read the articles "ITIL Continual Service Improvement – don’t lose the momentum" https://advisera.com/20000academy/blog/2014/04/15/itil-continual-service-improvement-dont-lose-momentum/ and "ITIL CSI 7-step improvement process: How to analyze and present findings" https://advisera.com/20000academy/blog/2015/07/21/itil-csi-7-step-improvement-process-how-to-analyze-and-present-findings/ to learn more about improvement in IT Service Management.