Implementing ISO 9001:2015 in an educational institution
Answer:
Since the organization is already ISO 9001:2008 certified, it doesn't need to implement the standard from scratch; it only needs to make the transition to the new version of the standard.
The transition process is the same for any kind of organization, since the standard itself is applicable to any type of organization. The first step in the transition is to perform a gap analysis and determine to which level the organization is already compliant with the new version of the standard. The next step is to define all activities necessary to achieve full compliance with ISO 9001:2015. Those activities include creation of documents, making changes to existing documents and processes, and establishing new processes. Once every defined activity is executed, the organization needs to conduct an internal audit and a management review, and then the organization is ready for the certification audit.
The FMEA is not the only method for identification and evaluation of risks in the QMS; there are a lot of methods for risk assessment available, some of which are described in ISO 31010. There is no single method that would fit all organizations and all issues related to the context of the organization; every methodology has its own limitations.
HIRARC is used in determining occupational health and safety risks, so the scope of the method is far from the requirement of the standard, which is to address risks and opportunities emerging from the context of the organization that can affect the ability of the QMS to achieve its intended results, to enhance desirable results, prevent undesired effects and achieve improvement. The only way to use this methodology is to modify it in a way that addresses the requirements of the standard.
Choosing the risk assessment methodology needs to be done carefully, because most of the methodologies do not identify opportunities, which is also a requirement of the standard. Another important thing is that the standard does not require a methodology, so the process of addressing risks and opportunities can be done in a much simpler manner that will ensure covering both risks and opportunities, for example using SWOT or PEST analysis.
Coding the documents during transition to ISO 9001:2015
Yes, exactly, and you also need to add new management review inputs, such as:
- changes in external and internal issues that are relevant to the quality management system;
- the effectiveness of actions taken to address risks and opportunities.
Changes in ISO 27001:2013 related to the scope, the context and the SOA
Answer:
To give you more specific help we would need more information about these NCs. Anyway, the main changes related to the scope, the context and the SOA in the new ISO 27001:2013 are the interested parties and the internal and external issues (basically there are no changes related to the scope and the SOA in the new version of the standard).
Answer:
I am sorry, but I am not sure if I have understood your questions. You do not need to evaluate the risk owner; you simply need to identify the risk owner for each risk. This risk owner can be a person or entity with the accountability and authority to manage a risk. This article can help you to understand who can be a risk owner: “Risk owners vs. Asset owners in ISO 27001:2013”: https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
By the way, the risk owner can also participate in the evaluation of risks, but others can participate as well. And the formula for the calculation of the risk depends on the methodology of the risk management, but an example can be: Risk = Consequences + Likelihood. For more information about this, this free webinar can be interesting for you: “The basics of risk assessment and treatment according to ISO 27001”: https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
Answer:
Generally, in risk assessment methodologies the identification and treatment of risks are made in the same way for all functional units. This is the easiest way and our recommendation; furthermore, from my point of view, performing a different risk assessment for different functional units makes little sense, because all steps can always be the same: identify assets, identify threats/vulnerabilities, identify risks, etc.
Remember that ISO 27001 has many security controls that are not directly related to IT, and this standard has been developed for the management of information security, including the protection of information in human resources, compliance, supplier relationships, etc.
Structure and communication between IS, Risks and IT
Answer:
I am sorry, but I am not sure if I have understood your question. Anyway, if we see Information Security, Risks and IT as different processes, from my point of view Risks and IT give support to Information Security; I mean, Risks and IT give information to Information Security (without this information the management of Information Security is not possible).
With this structure, I think that the communication between these processes is easy: Information Security requests information about risks, Risks identifies information security risks and the security controls that are necessary (this information can be coordinated directly with IT), Information Security receives the information and requests IT for the implementation of information security controls.
Risks and IT can also give information to other processes, for example Business Continuity Management, Quality Management, etc.
Finally, you can find in our Free Download section the white paper "Integration of Information Security, IT and Corporate Governance", which I think can be interesting for you: https://advisera.com/27001academy/free-downloads/
How cloud risks are mitigated
Cloud-16 Do you have a document available to tenants describing your Information Security Management Program (ISMP) which addresses how cloud risks are mitigated (e.g. multi-tenancy, network segregation, entitlement)?
I can't seem to find this term in the context of 27001. Any idea what they might mean by this? This can't simply be the Information Security Policy, could it?
Answer:
You are right, the specific term “Information Security Management Program (ISMP)” is not used in ISO 27001 (nor in ISO 27002), and without more specific information about the context or your situation it is difficult for me to give you more information.
With the methodology you can have a defined process for the management of risks, so basically you can identify risks and reduce, or mitigate, them with the implementation of security controls.
By the way, ISO 27017 is a code of practice for information security controls based on ISO 27002 for cloud services, and ISO 27018 is also a code of practice, but for the protection of personally identifiable information in public clouds, so it may be interesting for you to read both standards. These articles can also be interesting for you:
Mandatory documents and records according to ISO 9001:2015
Answer:
The most common types of documents which are required in order to be compliant with the ISO 9001:2015 standard (and other ISO standards) are policies, various procedures and records.
ISO 9001:2015 requires some mandatory documents, such as the quality policy, a document about the scope of the QMS and the quality objectives, and over 20 mandatory records.
Some of the documents are not mandatory by the standard itself, but your organization may define them as necessary for an effective QMS (additional process procedures, work instructions and records), and they all should be implemented and maintained in order to comply with ISO 9001:2015.
ISO 27001 does not require you to add a numeric identifier to each ISMS document, nor is this something that the certification auditor would look for. Therefore, it is really up to you to decide what is more common/more useful for your company; very often smaller companies have only the title.