
  • Product life-cycle and nonconformity


    Answer:

    The best way to address this nonconformity is to conduct an analysis of your product life-cycle in terms of environmental aspects in order to identify the environmental aspects related to each phase of the product life-cycle, evaluate them, determine the significant ones and apply operational controls to decrease the adverse impact on the environment.

    For more information, see this article:
    - 4 steps in identification and evaluation of environmental aspects https://advisera.com/14001academy/knowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/
  • The risk assessment and ISO 27001


    Answer:
    ISO 27001 defines that you need a methodology for the risk assessment (it is a requirement), but does not define which methodology you need to use, so you can use the methodology that you want. Generally most of the methodologies are based on assets, and that is our recommendation. If you want, you can develop your own methodology, and for this you can read this article “How to write ISO 27001 risk assessment methodology” : https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/

    By the way, our methodology is also based on assets, so it may be interesting for you to see a free version here by clicking on the “Free demo” tab “Risk Assessment and Risk Treatment Methodology” : https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/

    Finally, we also have an online course that can help you to understand the risk assessment “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Implementing ISO 9001:2015 in schools


    Answer:

    The process of implementation is the same for every company regardless of the type of business and processes.

    First, you need to have the top management on board for this project, because without their support it would be impossible to implement the standard. The next step is to perform a GAP analysis in order to determine to which level your company is already compliant with the standard and what needs to be done to achieve full compliance.

    Then, it is best to set up the implementation as a project, to clearly define all the tasks and the responsibilities for the tasks as well as the deadlines. Once you create all necessary documents and implement the changes in your processes, you can conduct the internal audit and management review, and then your company will be ready for the certification audit.

    For more information, see: Checklist of ISO 9001 implementation & certification steps https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
  • Implementing ISO 9001:2015 in educational institution


    Answer:

    Since the organization is already ISO 9001:2008 certified, it doesn't need to implement the standard from scratch; it only needs to make the transition to the new version of the standard.

    The transition process is the same for any kind of organization, since the standard itself is applicable to any type of organization. The first step in the transition is to perform a GAP analysis and determine to which level the organization is already compliant with the new version of the standard. The next step is to define all activities necessary to achieve full compliance with ISO 9001:2015. Those activities include creation of documents, making changes to existing documents and processes and establishing new processes. Once every defined activity is executed, the organization needs to conduct an internal audit and management review, and then the organization is ready for the certification audit.

    For more information, see: How to make the transition from ISO 9001:2008 revision to the 2015 revision https://advisera.com/9001academy/blog/2015/10/06/how-to-make-the-transition-from-iso-90012008-revision-to-the-2015-revision/
  • Using HIRARC method for addressing risks in QMS


    Answer:

    The FMEA is not the only method for identification and evaluation of risks in a QMS; there are a lot of methods for risk assessment available, some of which are described in ISO 31010. There is no single method that would fit all organizations and all issues related to the context of the organization; every methodology has its own limitations.

    HIRARC is used in determining occupational health and safety risks, so the scope of the method is far from the requirement of the standard, which is to address risks and opportunities emerging from the context of the organization that can affect the ability of the QMS to achieve intended results, to enhance desirable results, prevent undesired effects and achieve improvement. The only way to use this methodology is to modify it in a way that addresses the requirements of the standard.

    Choosing the risk assessment methodology needs to be done carefully, because most of the methodologies do not identify opportunities, which is also a requirement of the standard. Another important thing is that the standard does not require a methodology, so the process of addressing risks and opportunities can be done in a much simpler manner that will ensure covering both risks and opportunities, for example using SWOT or PEST analysis.

    For more information, take a look at this free webinar:
    How to implement risk management in ISO 9001:2015 https://advisera.com/9001academy/binar/how-to-implement-risk-management-in-iso-90012015-free-webinar/
  • Coding the documents during transition to ISO 9001:2015

    Yes, exactly, and you also need to add new management review inputs, such as:

    - changes in external and internal issues that are relevant to the quality management system;
    - the effectiveness of actions taken to address risks and opportunities
  • Changes in ISO 27001:2013 related to the scope, the context and the SOA


    Answer:
    To give you more specific help we would need more information about these NCs; anyway, the main change related to the scope, the context and the SOA in the new ISO 27001:2013 is the interested parties and the internal and external issues (basically there are no changes related to the scope and the SOA in the new version of the standard).

    For more information about the interested parties, you can read this article “How to identify interested parties according to ISO 27001 and ISO 22301” : https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//

    And related to the internal and external issues, this article can also be interesting for you “Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization)” : https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/

    And for more information about changes between ISO 27001:2005 and ISO 27001:2013 I recommend you this article “How to make a transition from ISO 27001 2015 revision to 2013 revision” : https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/

    Finally, maybe our online course can be also interesting for you “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Evaluate the risk owner?


    Answer:
    I am sorry, but I am not sure if I have understood your question. You do not need to evaluate the risk owner; you simply need to identify the risk owner for each risk. This risk owner can be a person or entity with the accountability and authority to manage a risk. This article can help you to understand who can be a risk owner “Risk owners vs. Asset owners in ISO 27001:2013” : https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/

    By the way, the risk owner can also participate in the evaluation of risks, but others can participate as well. And the formula for the calculation of the risk depends on the methodology of the risk management, but an example can be: Risk = Consequences + Likelihood. For more information about this, this free webinar can be interesting for you “The basics of risk assessment and treatment according to ISO 27001” : https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/

    Our methodology may also be interesting for you, so this article can be interesting for you "How to assess consequences and likelihood in ISO 27001 risk analysis" : https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment

    Finally, our online course can be also interesting for you “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Risk assessment for all functional units


    Answer:
    Generally, in risk assessment methodologies the identification and treatment of risks are done in the same way for all functional units. This is the easiest way and our recommendation; furthermore, from my point of view, performing a different risk assessment for different functional units makes little sense, because all steps can always be the same: identify assets, identify threats/vulnerabilities, identify risks, etc.

    Remember that ISO 27001 has many security controls that are not directly related to IT, and this standard has been developed for the management of information security, including the protection of information in human resources, compliance, supplier relationships, etc.

    So, our methodology may be interesting for you; you can see a free version by clicking on “Free Demo” here “Risk Assessment and Risk Treatment Methodology” : https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/

    If you want, you can also write your own methodology, so this article can be interesting for you “How to write ISO 27001 risk assessment methodology” : https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/

    Finally, our online course may also be interesting for you, because it provides guidelines on how to perform the risk assessment “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Structure and communication between IS, Risks and IT


    Answer:
    I am sorry, but I am not sure if I have understood your question. Anyway, if we see Information Security, Risks and IT as different processes, from my point of view Risks and IT give support to Information Security, I mean, Risks and IT give information to Information Security (without this information the management of Information Security is not possible).

    With this structure, I think that the communication between these processes is easy: Information Security requests information about risks, Risks identifies information security risks and the security controls that are necessary (this information can be coordinated directly with IT), Information Security receives the information and requests IT to implement the information security controls.

    Risks and IT can also give information to other processes, for example Business Continuity Management, Quality Management, etc.

    By the way, maybe our online course can be interesting for you “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/

    Finally, you can find in our Free Download section the white paper "Integration of Information Security, IT and Corporate Governance", that I think can be interesting for you : https://advisera.com/27001academy/free-downloads/