Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11277 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Disaster vs. Incident
Answer:
The difference is that an incident is a situation that might be, or could lead to a disruption, or a loss, or in a situation of emergency or crisis, while a disaster always is a situation that implies a serious damage to the organization.
From the perspective of business continuity, the difference between incident and a disaster is in timing - if the duration of the incident is short, then this is just an incident; if it lasts longer, then it could become a disaster
An example of incident can be the interruption of communications in the organization (for example you do not have Internet), while an example of disaster can be an earthquake, or a fire, or a flood, etc.
And, an incident can result in a disaster, for example, if you detect a fire in an information system, it can be notified as incident, but it can also result in a disaster (it the fire spreads to all the organization).
Regarding the information security incidents, this article can be interesting for you “How a change in thinking can stop 59% of security incidents” : https://advisera.com/27001academy/blog/2015/02/16/change-thinking-can-stop-59-security-incidents/
And also this article “How to handle incidents according to ISO 27001 A.16” : https://advisera.com/27001academy/blog/2015/10/26/how-to-handle-incidents-according-to-iso-27001-a-16/
And I think can this document can also help you because gives you information about examples of disruptive incidents scenarios “Examples of Disruptive Incident Scenarios” : https://advisera.com/27001academy/documentation/examples-of-disruptive-incident-scenarios/ -
Scope of the QMS
If you fill in all the sections from the document, you will define your entire scope. Sections from 3.1 to 3.6 cover different aspects of the scope and once you complete them, you will have the your scope defined. There is no expected length of the scope, in some cases it can be defined in one sentence.
For more information, see: How to define the scope of the QMS according to ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/ -
Processes and activities
Answer:
The process is a series of activities that deliver desired result. The column "Activity/Action" in our Appendix 1 – Quality Objectives is for defining action to accomplish the objective and doesn't have to be related to the activities in the process.
For more information, see: How to Write Good Quality Objectives https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/ -
Performance Evaluation for ISO 9001:2015
Answer:
The clause 9.1.1 requires organization to determine what needs to be monitored and measured , how and when the monitoring and measurement will be performed and to retain records as an evidence of monitoring and measuring. In simple terms, that can be key performance indicators that you defined for your processes and you need to have a records about the monitoring and measuring the KPIs. Here you can find a free preview of our Matrix of Key Performance Indicators https://advisera.com/9001academy/documentation/matrix-key-performance-indicators/
For more information, see: How to implement the Check phase (performance evaluation) in the QMS according to ISO 9001:2015 https://advisera.com/9001academy/blog/2015/11/17/how-to-implement-the-check-phase-performance-evaluation-in-the-qms-according-to-iso-90012015/
The clause 9.1.3 defines what data should b e analysed and with what purpose, our toolkit contains one simple record with this purpose, you can find the free preview of Data Analysis Report here https://advisera.com/9001academy/documentation/data-analysis-report-2/ -
If I do pen test, which controls from Annex A can be covered?
Answer: Unfortunately, out of 114 controls from Annex A, with penetration testing your would partially cover only the control A.12.6.1 "Management of technical vulnerabilities." And I say partially because pen testings wouldn't be enough to cover this control completely.
See also these articles:
- How to use penetration testing for ISO 27001 A.12.6.1 https://advisera.com/27001academy/blog/2016/01/18/how-to-use-penetration-testing-for-iso-27001-a-12-6-1/
- How to manage technical vulnerabilities according to ISO 27001 control A.12.6.1 https://advisera.com/27001academy/blog/2015/10/12/how-to-manage-technical-vulnerabilities-according-to-iso-27001-control-a-12-6-1/ -
Implementing ISO 27001 in a SMB start up company
Answer: Yes, it is possible that small start up company implements ISO 27001 - we have quite many such clients who have successfully done that with our toolkits. Some companies will find ISO 27001 more useful than others - each company needs to decide which benefits can be achieved on their own . This article will help you with details: Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
Should they take external help for this project or is it possible for them to initiate this on their own with some virtual help from outside?
Answer: This depends how quickly this company needs to implement ISO 27001 - if this is something urgent, then it would be better to hire a consultant; if this is not so urgent, and if there are some confidential data that should not be shared with others, then they can implement the standard usin g the Do-It-Yourself approach using some online tools.
This article explains these options in detail: 3 strategies to implement any ISO standard https://advisera.com/articles/3-strategic-options-to-implement-any-iso-standard/ -
Warehousing Procedure
In your case, there is no need for warehousing procedure, storage of hard files of your clients may be covered with procedure for document and record control.
You don't need to use every procedure and record from our toolkit, only those that are mandatory and the ones you find useful for your business -
ISO 31000 and ISO 27005
Answer:
From my point of view no, because ISO 27005 is specially developed to provide guidelines on how to organize information security risk management, and ISO 31000 is developed to provide guidelines on how to organize global risk management, so if you have an ISMS (Information Security Management System) and you have information security risks, the best way (and the logic way) is to use ISO 27005. Anyway, remember that both standards are only code of best practices, you cannot certify them. For more information, please read this article “ISO 31000 and ISO 27001 – How are they related?” : https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/
And if you are interested in ISO 27001, our online course can be also interesting for you “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/ -
How to match ISO 9001:2015 with ISO 27001?
Answer:
You can implement both together, and it is very easy because there are many common points (document management, internal audit, corrective and preventive actions, human resources management, management review, setting the business goals), so first you can start with the implementation of these common points, after you can implement the specific points of ISO 9001 (operating procedures) and after the specific points of ISO 27001 (risk assessment & treatment).
This article can help you “Using ISO 9001 for implementing ISO 27001” : https://advisera.com/27001academy/blog/2010/03/08/using-iso-9001-for-implementing-iso-27001/
And this free webinar can be also interesting for you “ISO 27001 implementation: How to make it easier using ISO 9001” : https://advisera.com/27001academy/webinar/iso-27001-implementation-make-easier-using-iso-9001-free-webinar-demand/
Finally, our online course can be also interesting for you because give you detailed information about ISO 27001 “ISO 27001:2013 Fou ndations Course” : https://advisera.com/training/iso-27001-foundations-course/
And also our online course about ISO 9001 "ISO 9001:2015 Foundations Course" : https://advisera.com/training/iso-9001-foundations-course/ -
Relations with subcontractor and ISO 9001
Main contractor will request subcontractor to records their inspection activities in the form they provided according and comply to their procedure. On the other hand, subcontractor also has establish own procedure and records as required by ISO standards.
From my opinion, both main and sub's forms shall be used and filled in by subcontractor because it is mandatory for subcontractor to comply with main contractor requirement in order to maintain ISO requirement for the main contractor and it is also mandatory for the subcontractor to comply to ISO standards and keep records for its own.
So in an inspection, there shall be two forms are used, one from main contractor and will be kept by main contractor and one from subcontractor to be kept for subcontractor proof of their QMS implementation.
I t hink it is logical but I need confirmation whether it is indeed the common practice for subcontractor company.
Answer:
It is not a very common practice for organization to prescribe records to its subcontractors, it is not a nonconformity but it definitely isn't something that the standard requires. But if the main organization decided to prescribe a procedure and records to sub contractor, then in the point of view of the subcontractor there is no need to double the records of their own, they can use the main company records and refer to them in the Quality Manual or some other procedure.
There is no need or requirement of the standard to have two records for the same thing, regardless of the origin of the record. The records and procedures provided by the main company will be considered as external documents in the QMS of the subcontractor and that is all.