The requirement from clause 6.1 does not have to be documented. However, if you decide to document it, you can create a procedure that explains the process of addressing risks and opportunities, and records that hold a register of the key risks and opportunities in your company and the plans for addressing them.
Engagement of people is crucial for an effective quality management system, especially because the new version requires higher involvement of top management in determining the context of the organization and addressing risks and opportunities. The second important change is that a management representative is no longer required, so the process owners must be involved in order to have an effective QMS.
The only way to achieve higher involvement of the people regarding the update to ISO 9001:2015 is to raise awareness about it. You can arrange awareness-raising sessions where you explain the changes to the people, the benefits of the new version, and the overall benefits of ISO 9001.
The real question is whether you need a consultant for the evaluation of suppliers. The new ISO 9001:2015 is very clear on what needs to be done in order to conduct an effective evaluation of suppliers.
First you need to establish criteria for the evaluation, selection and monitoring of suppliers. This means that you need to determine what is really important to you when it comes to the selection of suppliers; criteria can be the price of the products and services to be delivered, their quality, shipment timing, etc. Different criteria can have different importance to you, so you can assign a different scale to different criteria to reflect their importance and to help you make a better selection. Once you define the criteria for evaluation, you need to determine the criteria for selection, meaning how high on the scale a supplier needs to score in order to be selected.
Once you have determined the criteria for evaluation and selection of suppliers, the next step is to conduct the evaluation and select the suppliers. As a result of this activity you will have a list of approved suppliers. This evaluation needs to be conducted periodically, usually every year.
Keep in mind that the new version of the standard treats suppliers and outsourcing partners the same, so you need to include in your evaluation not just your suppliers but also your outsourcing partners.
Some questions regarding the transition from OHSAS 18001 to ISO 45001:
a) When will ISO 45001 be released?
b) Would you advise me to implement OHSAS 18001 in companies now, or to wait until the release of the ISO 45001 standard and then implement the new ISO standard?
c) I want to advise my clients properly and not end up costing them unnecessary money by advancing with OHSAS now and later having to be re-certified for ISO 45001.
Answer:
a) ISO 45001 will probably be released in September or October this year, maybe even later, but certainly not before.
b) Since the standard will be released so late this year, I would suggest that you implement OHSAS 18001; also, there will be a transition period of some two or three years, so it is safe to go with the existing OH&S standard.
c) It all depends on how quickly they need the OH&S management system: if they can wait until the end of the year, that is fine, but if they need it sooner, they should go with OHSAS 18001. Also, the transition period gives them enough time to choose when they want to start the transition.
According to ISO 14001:2015, an environmental aspect is an element of an organization’s activities or products or services that interacts or can interact with the environment, and an environmental impact is a change to the environment, whether adverse or beneficial, wholly or partially resulting from an organization’s environmental aspects.
For example, in the process of car repair, the activity can be a change of motor oil; the inputs to this activity are manpower, a work order, new oil filters, motor oil, etc. The outputs of this activity are waste oil, waste oil filters, the work order, etc. When you look at the activity and its inputs and outputs, you can see that the aspects are those inputs and outputs that interact with the environment, so they would be motor oil, waste motor oil and waste filters. The environmental impact that those aspects have is on water and soil. If they are declared significant environmental aspects, then the organization must establish operational controls to decrease their impact.
You are right: according to the new version of the standard, the correct term would be "not applicable" rather than "exclusion", as it was in the 2008 revision of the standard. The reason we continued to use the old term is that people are more familiar with it and it is easier for them to understand.
ISO 27001 is not an IT standard; only about 50% of the controls are IT related, which means that non-IT departments can implement many controls as well, e.g. classification of information, access control, physical security, etc. After you perform the risk assessment for your department, you will know exactly which controls to implement.
I have the standard BS ISO/IEC 27002:2005 (BS 7799-1:2005), which defines all the risk events and controls for IS. How does this compare with 27001:2013, and which of the new standards also lists the risk events and controls?
Answer:
I am sorry, but ISO 27002 is not about risks; it is only about security controls. You can use these security controls to reduce risks, but the standard that is about information security risks is ISO 27001.
By the way, the latest version of ISO 27001 and ISO 27002 is from 2013 (ISO 27001:2013 and ISO 27002:2013), and they are the most important ISO standards related to risks and controls, although other standards related to information security risks are ISO 27005 (best practices for the development of information security risk management) and ISO 31000 (the same as ISO 27005, but for any type of risk), although they are not new. Other new standards related to security controls are ISO 27017 (information security controls for cloud services) and ISO 27018 (protection of privacy in the cloud).
We're implementing an ISMS for a cloud provider. Our client provides housing services (clients bring their own devices to the data center), hosting services (web hosting, etc.), and cloud services (SaaS, IaaS). Virtual machines are managed by the client: they can install whatever they want on the machine, even the OS. The problem is, while identifying the assets, how do we deal with virtual machine management? Is the VM owned by the cloud provider or the client?
Answer:
First of all, you need to clearly define the scope of the ISMS, because if the scope is limited to the housing services, there may be no assets related to virtual machines. However, if the scope includes the hosting services and/or cloud services, from my point of view the virtual machines managed by the client need to be identified as assets in the risk assessment, because there are risks related to them that can affect the business of the cloud provider (if the hosting service is provided through virtual machines and they stop, the service cannot be provided).
Anyway, if the virtual machines are not managed by the cloud provider, I recommend that you exclude them from the scope of the ISMS.