
  • Implementing 2004 before 2015 revision


    Answer:

    I think it is best to go straight towards ISO 14001:2015, because if you implement the 2004 revision first, you will need to make the transition to the 2015 revision by September 2018, and this means you will need additional time and resources for something that you could have done the first time.

    For more information, see:
    - Infographic: ISO 14001:2015 vs. 2004 revision – What has changed? https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/infographic-iso-140012015-vs-2004-revision-what-has-changed/
  • Document types to be controlled in QMS


    Answer:

    Actually, the new version of the standard does not specify the types of documents like the previous version, where you had policies, procedures and records; it only mentions documented information.

    However, this doesn't change much in practice: the types of documents to be used, and therefore controlled, in the QMS are policies, procedures, instructions and records, and this is basically their hierarchy. The most important are the policies and the least important are the records.

    Control of documented information, or documents and records, includes defining a way of creating, updating, distributing, preserving, withdrawing, disposing of and retrieving them.

    For more information, see:
    - New approach to document and record control in ISO 9001:2015 https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
    - How to structure quality management system documentation https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/
  • What should be done first in the transition?


    Answer:

    Performing the gap analysis should be the first step, in order to determine to what extent your existing QMS is compliant with the requirements of the new version and what needs to be done to achieve full compliance.

    The next step would be to develop a project plan for the transition; this is not a mandatory step, but it will help you to define activities, resources, responsibilities and deadlines and avoid missing something out.

    After developing a project plan, you need to implement the changes, which includes revising the existing documentation and processes and establishing new processes and documents.

    Once the transition is finished, the company must conduct an internal audit and management review to ensure that the QMS is compliant with the new version, and then you can call a certification body to conduct the certification audit.

    For more information, see:
    - How to make the transition from ISO 9001:2008 revision to the 2015 revision https://advisera.com/9001academy/blog/2015/10/06/how-to-make-the-transition-from-iso-90012008-revision-to-the-2015-revision/
  • ISO 9001 in agriculture


    Answer:

    ISO 9001 is applicable to any kind of business, including agriculture, and its benefits can be achieved regardless of whether the company is making products or providing a service.

    Here are some articles that might be interesting for you:
    - What is ISO 9001? https://advisera.com/9001academy/what-is-iso-9001/
    - Six Key Benefits of ISO 9001 Implementation https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/
    - ISO 9001: Why it should be viewed as a business management system https://advisera.com/9001academy/blog/2014/06/24/iso-9001-viewed-business-management-system/
  • Analyzing threats

    Ricardo, ISO 27001 does not prescribe how you should combine assets, threats and vulnerabilities, which means you have to use a system that makes the most sense for your situation.

    In my view, if there are few risks related to a particular server, then you can view the server as a single asset where hardware, software and data are combined; if there are numerous risks related to this server, in that case you can view those three assets separately.
  • Secure Engineering Principles (control A.14.2.5)


    Answer:
    Control A.14.2.5 is related to large information system design, which also includes the development of software. So, you simply need to design the security into all architecture layers: business, data, application and technology.

    How can you design security during the development of software? With a Secure Development Policy, I mean, with rules that establish how to write secure code, so an auditor could look for this document (although it is not mandatory to have a document for this).

    So, generally the auditor will look in your organization for procedures or technical instructions that you use for information systems design. Some examples: Secure Development Policy, policy for hardening of servers, policy for configuration of databases, etc.

    Regarding the Secure Development Policy, this template can be useful for you (you can see a free version by clicking on the “Free demo” tab) “Secure Development Policy” : https://advisera.com/27001academy/documentation/secure-development-policy/

    By the way, for more information about the security controls, our online course can be also interesting for you “ISO 27001:2013 Internal Auditor Course” : https://advisera.com/training/iso-27001-internal-auditor-course/
  • ISO 20000 / ISO 27001 in pharmaceutical industry


    Answer:
    I think that the solution is (almost) in the middle. Namely, ISO 13485 is based on ISO 9001 and provides a good foundation for some parts of the SMS and ISMS. But the majority of the work (during implementation and afterwards) should be done by someone involved in the respective activities, like you suggested – the head of IT. But all systems should be integrated, so there should be close cooperation between QA and IT.
  • Risk Assessment Table


    You can merge them into a single asset type - as you mentioned, "Employee laptops".

    In the video, you also mention that in the merge process we should choose the highest overall score for each asset listed if there is overlap from many independent assessments done by independent asset owners. This conflicts with my original intuition: if an asset has multiple vulnerabilities, I originally assumed we should include the same asset multiple (potentially many) times in the Risk Assessment table, not just the highest.

    You should include all the threats and vulnerabilities related to the assets that are merged; however, for the level of impact and level of likelihood you should take the highest score from all the asset owners - this way you won't lose any information, and you will be aware of the worst-case scenario.
  • Documenting clause 4 of ISO 9001:2015


    Answer:

    Clause 4 of ISO 9001:2015 explicitly requires documenting the scope of the Quality Management System.

    However, there is other information that is required but doesn't have to be documented. Such information concerns internal and external issues and the needs and expectations of interested parties. This information doesn't have to be documented, although it is required that it is "monitored and reviewed", and the best way to do that is by documenting it.

    For more information, see:
    - How to define the scope of the QMS according to ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
    - How to identify the context of the organization in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
    - How to determine interested parties and their requirements according to ISO 9001:2015 https://advisera.com/9001academy/blog/2015/11/10/how-to-determine-interested-parties-and-their-requirements-according-to-iso-90012015//
  • The same document for different controls


    Answer:
    I am sorry, but I am not sure if I have understood your question; however, you can use the same document for different controls (and you can include in the document references to all security controls that apply). For example, with our template “Operating Procedures for Information and Communication Technology” you can implement the relevant controls of A.12 (and some others from other clauses of the standard). If you are interested, you can see a free version of this template by clicking on “Free demo” here “Operating Procedures for Information and Communication Technology” : https://advisera.com/27001academy/documentation/security-procedures-for-it-department/

    By the way, a document is not necessary for every security control; if you want to know the list of mandatory documents, I recommend this article “List of mandatory documents required by ISO 27001 (2013 revision)” : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

    Finally, maybe our online course can be also interesting for you “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/