
  • Implementing ITIL/ISO 20000


    Answer:
    ITIL, i.e. ISO 20000, is applicable in a variety of industries and companies.
    Here are a few case studies, i.e. articles, which can give you a better overview:
    "ITIL implementation in your IT organization" https://advisera.com/20000academy/free-downloads/
    "Implementing ITIL in a telecommunications company" https://advisera.com/20000academy/free-downloads/
    "Applicability of ITIL divided by industry" https://advisera.com/20000academy/free-downloads/
    "Applicability of ISO 20000 divided by industry" https://advisera.com/20000academy/free-downloads/
  • ISO 27001, COBIT and SOX


    Answer:
    ISO 27001 is used when a company wants to implement an Information Security Management System (ISMS) to protect the information of its business, or when a company needs an international certificate to demonstrate to the world that it is compliant with an international standard related to the protection of information. This article can help you to learn more basic information about ISO 27001: “What is ISO 27001?” https://advisera.com/27001academy/what-is-iso-27001/

    And this article can show you the benefits of implementing ISO 27001: “Four key benefits of ISO 27001 implementation” https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/

    So, generally, compliance with ISO 27001 is optional, unless you have an agreement with another party that establishes that you need to implement the standard.

    Regarding SOX, it is also related to information security, although it is mainly related to public company accounting and investor protection, and it is applicable to all companies that are traded on the NYSE (New York Stock Exchange).

    Regarding COBIT, it is similar to ISO 27001 because it is an international standard, although you cannot certify against it, and it is related to the governance of IT (which includes information security, but not only that).

    Our online course may be interesting for you if you need more information about the implementation of and compliance with ISO 27001: “ISO 27001:2013 Foundations Course” https://advisera.com/training/iso-27001-foundations-course/
  • ISO 27001 and massive companies


    Answer:
    We have all the necessary documents for the implementation of ISO 27001:2013, but our templates are mainly developed for small and medium companies. Those documents can be used by large companies, but they would need to be made more complex - for example, in our Risk assessment methodology we use the assessment scales Low-Medium-High, whereas you could use scales of 1 to 5; we assess impact and likelihood, while you could choose to assess separately the impact on confidentiality, integrity and availability, as well as vulnerabilities and threats.

    Anyway, remember that ISO 27001:2013 establishes a number of specific documents which are mandatory, and you need to have them independently of the size of your company. Here you can see a list of these mandatory documents: “List of mandatory documents required by ISO 27001 (2013 revision)” https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

    Another important thing for the implementation of ISO 27001 in any company, which I think can also be useful for you, is to see it as a project, so this article may also be interesting for you: “ISO 27001 project – How to make it work” https://advisera.com/27001academy/blog/2013/04/22/iso-27001-project-how-to-make-it-work/

    For the implementation, you can also use our approach based on 16 steps; please see this “ISO 27001 implementation checklist” https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

    And you can also write your own risk management methodology with the help of this article: “How to write ISO 27001 risk assessment methodology” https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/

    Finally, our online course may be interesting for you to learn more about the implementation of ISO 27001: “ISO 27001:2013 Foundations Course” https://advisera.com/training/iso-27001-foundations-course/
  • Same person implementing and auditing ISO 14001


    Answer:

    Yes, the person involved in the implementation can be the internal auditor. The only condition is that the auditor cannot audit his own work, so the areas where the person works, or the parts of the system in whose implementation the person participated, should be audited by some other internal auditor.

    Here is the link to our free ISO 14001:2015 Internal Auditor Course: https://advisera.com/training/iso-14001-internal-auditor-course/
  • Evidence of ISO 9001 compliance


    Answer:

    In order to pass the certification audit, the company must be fully compliant with the standard, meaning that all documents (those mandated by the standard and the ones the organization determines as part of its QMS) and processes are in place, and that the internal audit and management review have been conducted.

    For more information, see:
    - ISO 9001 Certification https://advisera.com/9001academy/iso-9001-certification/
    - Checklist of ISO 9001 implementation & certification steps https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
  • What is new in ISO 9001:2015


    Answer:

    The new version of ISO 9001 brings a lot of changes; basically, there are some changes in every clause of the standard. The main changes are:

    - The structure - instead of 8 clauses there are now 10, and it is better aligned with the new versions of ISO 14001, ISO 27001 and all new versions of other standards.

    - Context of the organization - this is a completely new clause and requires the organization to determine internal and external issues relevant to the organization's purpose and strategic direction. For more information, see: How to identify the context of the organization in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/

    - Risk-based thinking - this new approach replaces preventive actions and requires the organization to identify risks and opportunities related to the ability of the organization to achieve its objectives. For more information, see: Risk-based thinking replacing preventive action in ISO 9001:2015 – The benefits http://advisera.com/9001academy/knowledgebase/risk-based-thinking-replacing-preventive-action-in-iso-90012015-the-benefits/

    To get a full overview of the changes and differences between the 2008 and 2015 revisions of the standard, take a look at this free ISO 9001:2015 vs. ISO 9001:2008 matrix https://advisera.com/9001academy/free-downloads//
  • Control objectives in the Statement of Applicability


    Answer:

    Control objectives are a specific description of what you want to achieve with a particular control - e.g. for backup, the objective might be "We want to achieve a loss of data of maximum 6 hours." To see a detailed explanation, read this article: ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/

    ISO 27001 doesn't require you to list objectives for each control - you can specify objectives for a group of controls, you can specify objectives for your processes, or any other way you feel is appropriate for your company. Further, you don't have to specify objectives in the Statement of Applicability - you can use some other document for this purpose.

    However, we felt that listing objectives next to each control in the SoA is the most practical solution. If you want to make it really easy, you can copy the objectives for groups of controls from the standard itself (Annex A of ISO 27001).
  • Interaction of processes


    Answer:

    Interaction of processes basically represents their relations and sequence in your company; for example, the outputs of one process can be inputs to one or several other processes. It is about how they are linked and whether there is any interdependence between the processes.

    The processes you mentioned are the main processes in your company, but you also have some other processes such as procurement, storage, and maybe even transport or delivery. There are also probably some supporting processes and outsourced processes as well. You need to create or define relationships between all these processes; by looking only at your main processes you will not have the whole picture, and it will be hard to define the interaction between them since some of them are very different.

    Here is the free material that might be helpful:
    - How to create an ISO 9001 process flowchart https://advisera.com/9001academy/free-downloads//
  • Too many environmental aspects


    Answer:

    There are industries that have a lot of environmental aspects; however, I think a list of 500+ aspects is rather too long. The best way to start is to go process by process, break the processes down into activities, determine what the inputs and outputs of the activities are, and how they impact the environment.

    The company may theoretically have 500+ aspects, but that doesn't mean they are all significant. You should go through your existing aspect list and see which aspects were graded as significant but can be downgraded to insignificant, and therefore don't need operational controls. Another way to decrease the number of aspects is to group them; for example, you may use different types of chemicals in your processes, but if they all require the same operational control you can simply call them "chemicals" without listing each of them as a separate aspect.

    Here are some articles that may help you:
    - Environmental aspects in the manufacturing sector https://advisera.com/14001academy/blog/2015/06/22/environmental-aspects-in-the-manufacturing-sector/
    - Catalogue of environmental aspects https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/catalogue-of-environmental-aspects/
  • ISO 9001:2015 transition


    Answer:

    Actually, the new requirements do not bring too many new documents; in particular, risks and opportunities and context of the organization do not require additional procedures and records to be made. However, since they are new requirements and there can be some nonconformities regarding them, it is recommended to have a procedure for them just to ensure compliance with these requirements.

    Here you can find free previews of our:
    - Procedure for Determining Context of the Organization and Interested Parties https://advisera.com/9001academy/documentation/procedure-for-determining-context-of-the-organization-and-interested-parties/
    - Procedure for Addressing Risks and Opportunities https://advisera.com/9001academy/documentation/procedure-for-addressing-risks-and-opportunities/