  • ISMS and CMMI


    Answer:
    Yes, you can merge CMMI into an ISMS, because CMMI can help you to evaluate the maturity level of your organization’s processes, which is fundamental for planning the implementation, establishment, ongoing operation, and improvement of the information security. But it is not mandatory (there is no requirement to merge ISMS and CMMI), but it can be a best practice, and you can develop a manual for both.

    This article can give you information about the key points on how to start “Achieving continual improvement through the use of maturity models” : https://advisera.com/27001academy/blog/2015/04/13/achieving-continual-improvement-through-the-use-of-maturity-models/

    Finally, for more information about the information security, the ISMS and the ISO 27001 , our online course can be interesting for you “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Some questions about information security and virtualized environments

    There are many institutions/universities that have successfully implemented ISO 27001 with our templates; we have clients from all over the world and from all sectors (including education). Keep in mind that ISO 27001 is developed for any type of business. So it may be interesting for you to try our toolkit, and remember that if you buy it, you will also have our support, so click on “DOWNLOAD FREE TOOLKIT DEMO” and try it! “ISO 27001 Documentation Toolkit”: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
  • Is the author name mandatory on the first page of the document

    I can understand it has to be identified with document number, revision and latest issue date, but not with my name!!! But please tell me where in the standard it is written?! Which clause? Clause 7.5.2 says title, date, author or reference number.

    Answer:

    You are right, there is no explicit requirement to write the author's name anywhere in the document, not only on the first page. The first page of our documents does require the name of the author, but if you don't want this, you can delete that row from the table. The reason we included it in the document is because it is very common to have such information in a procedure but, again, it is not a requirement of the standard and thus can be deleted.
  • Interested parties and conformance evaluation


    1. I think that having all the information in the appendix 1 “List of interested party” is enough to comply during the first audit regarding the identification of needs and expectations of interested parties, is that ok?

    2. The appendix 2 “Conformance evaluation record” will be attached to the procedure and it will be useful until the company conducts a conformity evaluation with legal and other requirements. Your procedure recommends at least twice a year. I think this appendix will be a record maybe until the second audit of the QMS, is that ok?

    Answer:

    1. Yes, once you identify interested parties and their needs and expectations, you are compliant with that requirement of the standard.

    2. You need to run a full cycle of the QMS in order to be ready for the certification audit, but of course this depends mostly on the certification body. They might let you through without conducting the compliance evaluation, but it is more usual that you need to perform all the activities of the QMS in order to be ready for certification; this also includes the internal audit and management review. For more information, see: ISO 9001 Certification https://advisera.com/9001academy/iso-9001-certification/
  • Purchasing process in branch office

    Thank you so much for the clarification, that helps. Yes, the branch office actually has its own QMS so we will just define its own internal purchasing process but only for their office supplies because all the products they sell are coming from head office.
  • ISO 14001 vs ISO 9001 challenges in the transition


    • Documenting the QMS (what is new about this?)
    • Auditing according to the new version (what are the main points to include?)

    Answer:

    If we compare the transition processes for ISO 9001 and ISO 14001, there is not much difference between them. The key changes are pretty much the same. The requirements for documents and records have now changed into requirements for documented information, and in that sense ISO 9001 suffered more changes because there are no longer mandatory procedures and a quality manual, so in that sense the ISO 9001 management system will suffer more changes than the ISO 14001 management system. For more information, see:
    - New approach to document and record control in ISO 9001:2015 https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
    - List of mandatory documents required by ISO 14001:2015 https://advisera.com/14001academy/blog/2015/10/12/list-of-mandatory-documents-required-by-iso-140012015/
  • THIN CLIENTS VS. DESKTOPS

    From the point of view of security, an environment with thin clients can be equal to an environment with desktops, because basically both are composed of devices that you use to access information (locally or remotely), and the key is: how to protect the information and how to access the information?

    With thin clients you access the information remotely, so in this case it will be important to protect the communication channel. With desktops, if you access information remotely, it is also important to protect the communication channel in the same way.

    So, from my point of view, the most important thing should be how to protect and how to access the information, independently of the devices or the environment. Keep also in mind that for the protection of the information, in accordance with ISO 27001, you need to perform a risk assessment & treatment, so maybe this article can be interesting for you: “ISO 27001 risk assessment & treatment – 6 basic steps”: https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    And our online course can also be interesting for you, because we give more information about the risk assessment & treatment: “ISO 27001:2013 Foundations Course”: https://advisera.com/training/iso-27001-foundations-course/
  • Replication of site A


    Our goal is to get ISO 27001 certification for Site A, including the core systems and the supporting IT infrastructure (the AD domain controllers and e-mail servers, network devices). Could you please tell me how to deal with the replication servers of the core system, AD domain controllers and backup server for e-mail services in Sites B and C?

    Answer:
    I am not sure if I have understood your question, but you can implement and certify ISO 27001 in your Site A without problems, where the core systems are. Regarding the backup systems, you can use them for the Disaster Recovery Plan; I mean, if the core systems of Site A fail, the systems of Site B and/or C can continue providing all services related to the domain controller and email.

    So, for this scenario you can use the security controls of A.17 Information security aspects of business continuity management, of Annex A of ISO 27001:2013, and for this our template can be useful for you: “Disaster Recovery Plan” (you can see a free version by clicking on the “Free Demo” tab): https://advisera.com/27001academy/documentation/disaster-recovery-plan/

    By the way, this article about the distance between sites can also be interesting for you: “Disaster Recovery site – What is the ideal distance from primary site?”: https://advisera.com/27001academy/knowledgebase/disaster-recovery-site-what-is-the-ideal-distance-from-primary-site/

    Finally, our free online course can also be interesting for you, because we talk in more detail about business continuity: “ISO 27001:2013 Foundations Course”: https://advisera.com/training/iso-27001-foundations-course/
  • How to make ISO 9001:2015 procedures


    Answer:

    There is no predefined style or form for writing procedures that you need to follow in order to be compliant with ISO 9001:2015. This gives you the freedom to develop the procedures in a way that best suits your organization and the employees who will be executing them.

    Keep in mind the purpose of the procedure, which is to provide enough information so that the activity or the process will be carried out as planned. However, you don't have to write information that employees are supposed to know; for example, you wouldn't write a procedure on how to drive a car for a taxi driver, since he has already proved that he is competent by having a driving licence. You only need to document activities that are specific to the process and where there is a chance that nonconformities can emerge.

    Of course, it is good to develop some structure that every procedure will follow to some extent. Our usual structure contains the purpose, scope and users, reference documents, the process explanation and, at the end, the records kept according to the procedure.

    For more information, see:
    - 7 steps in writing QMS policies and procedures for ISO 9001 https://advisera.com/9001academy/blog/2015/03/10/7-steps-in-writing-qms-policies-and-procedures-for-iso-9001/
    - ISO 9001:2015 process vs. procedure – Some practical examples https://advisera.com/9001academy/blog/2016/01/19/iso-90012015-process-vs-procedure-some-practical-examples/
  • QMS Core Team Performance Measuring


    Answer:

    The best way to decide how to measure the performance of the QMS Core Team, or any other part or role in the QMS, is to set up criteria or a performance indicator that is directly related to the responsibilities of the team. For instance, if the team's responsibility is to plan, develop and maintain documentation, the KPI would be the number of outdated documents in use. Or if they are in charge of performing QMS awareness sessions, the KPI would be the percentage of employees who attended the awareness sessions during one year.

    For more information, see:
    - How to implement the Check phase (performance evaluation) in the QMS according to ISO 9001:2015 https://advisera.com/9001academy/blog/2015/11/17/how-to-implement-the-check-phase-performance-evaluation-in-the-qms-according-to-iso-90012015/