Thank you, that is very informative and really helpful.
Please note that the non-conformity information that can be used for traceability in the Internal Audit Report template is the information included in the “Cross-reference to the Corrective Action Form” column, which is suggested to be a number in the comment’s template, which is sufficient to provide the necessary traceability.
Including numbering, or other form of identification besides the one included in the Cross-reference to the Corrective Action Form, would only make the document unnecessarily complex.
This article will provide you with further explanation about records management:
- Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
These materials will also help you regarding internal audit:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- Free online training ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
1. I would like to know what elements should be considered when designing the layout of the alternative operational continuity site.
Answer: Besides the information about the general layout of the chosen alternative site (e.g., single or multiple floors, total area, etc.), the elements to be considered will depend on the results of your Business Impact Assessment (BIA), i.e., the process and services that need to be recovered, and the minimum acceptable performance levels.
The information from the BIA will give you an idea of how many personnel, how much furniture, and what equipment you will need to have in the alternative operational continuity site, allowing you to design the layout considering the available space.
For further information, see:
- How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
- Implementing Business Impact Analysis according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/implementing-business-impact-analysis-according-to-iso-22301-free-webinar-on-demand/
- Disaster recovery site – What is the ideal distance from primary site? https://advisera.com/27001academy/knowledgebase/disaster-recovery-site-what-is-the-ideal-distance-from-primary-site/
2. What type of office equipment should be installed at an alternative site for operational continuity?
Answer: This answer also depends on the results of the BIA, i.e., the processes and services that need to be recovered, and the minimum acceptable performance levels.
3. What do the good practices say regarding the layout design of the alternative site and equipment to be assembled?
Answer: Considering ISO 22301, the leading ISO standard for business continuity, there are no prescriptions about the layout design of the alternative site or the equipment to be assembled (the standard prescribes performing a BIA to identify such information).
To provide a more detailed answer we would need information about which processes and services would be involved.
As a starting point, you can consider your current layout, adapting it considering the number of personnel required in the continuity site (e.g., if you need only half the personnel in the continuity site, use as a basis half the layout occupied by all personnel).
This article will provide you with further explanation about ISO 22301:
- What is ISO 22301 https://advisera.com/27001academy/what-is-iso-22301/
This material will also help you regarding ISO 22301:
- Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
Please note that the results of the risk assessment are only one of the justifications for control implementation. Controls can also be identified as needed if:
- there are legal requirements (e.g., laws, regulations, or contracts) demanding the implementation of a control;
- there is a top management decision to implement a control (e.g., because top management considers the control a good practice).
Considering that, you can implement a control even though it is not related to any relevant risk.
This article will provide you with further explanation about control selection:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
These materials will also help you regarding control selection:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
By the phases you mentioned, I'm assuming you are looking for documents for a Business Continuity Management System.
Considering that, to see what a BCP and related procedures compliant with ISO 22301 look like, I suggest you take a look at these template demos:
- Business Continuity Plan https://advisera.com/27001academy/documentation/business-continuity-plan/
- Incident Response Plan https://advisera.com/27001academy/documentation/incident-response-plan/
- Transportation Plan https://advisera.com/27001academy/documentation/transportation-plan/
- Disaster Recovery Plan https://advisera.com/27001academy/documentation/disaster-recovery-plan/
- Activity Recovery Plan https://advisera.com/27001academy/documentation/activity-recovery-plan/
To make sure you are on the right implementation path, I suggest you take a look at this article:
- 17 steps for implementing ISO 22301 https://advisera.com/27001academy/knowledgebase/17-steps-for-implementing-iso-22301/22301/iso-22301/
To see what documents compliant with ISO 22301 look like, please take a look at the free demo of our ISO 22301 documentation toolkit: https://advisera.com/27001academy/iso22301-documentation-toolkit/
These articles will provide you with further explanation about ISO 22301 and how to develop a BCP and related procedures:
- What is ISO 22301 https://advisera.com/27001academy/what-is-iso-22301/
- Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/
- How to write business continuity plans? https://advisera.com/27001academy/blog/2010/04/08/how-to-write-business-continuity-plans/
These materials will also help you regarding ISO 22301:
- Writing a business continuity plan according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/writing-a-business-continuity-plan-according-to-iso-22301-free-webinar-on-demand/
- Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
When I have to integrate several management systems, I follow this path. First, I look for the backbone on which to build the building. Normally, it is ISO 9001. Why? Because organizations exist to serve someone in the outside world: a customer, a client, an interested party. So, based on the process approach, I draw the system between clients with needs and expectations and clients served. I draw what I call the “Cristiano Ronaldo of the business”; in your case it would be something going from eggs to chicks, from chicks to chickens, from chickens to portions, from orders received to orders delivered. Then I draw all the support processes (related to training, purchasing, maintenance, …).
While serving your clients your organization interacts with the environment. What are your environmental aspects and impacts? What are the compliance obligations? Does your organization need to develop new practices that should be integrated with your working practices?
While serving your clients, what are the risks and dangers for your employees? What are the compliance obligations? Does your organization need to develop new practices that should be integrated with your working practices?
While working in your organization, people don’t wear four hats according to the mindset (quality hat, environmental hat, health and safety hat, and food safety hat). They do their job, and while doing their job they act according to the different requirements simultaneously.
The following material will provide you with information about management systems integration:
The implementation duration and costs depend on many variables (e.g., size and complexity of the scope, financial resources, and expertise available), but for very small and small-sized businesses it is generally possible to implement ISO 27001 within 3 months.
For more information about the time needed for the implementation, I suggest you see this article:
Regarding costs, what I can tell you are some cost issues you should consider:
These materials can provide you with more information:
Please note that a travel agency works with a lot of customer information that needs to be protected (e.g., names and addresses, travel routes, etc.). Criminals with access to this information can use it to perpetrate crimes (house robbery, identity theft, etc.).
Considering that, an ISO 27001 certification can be relevant for a travel agency by enhancing some benefits, such as:
This article will provide you with further explanation about ISO 27001 benefits:
These materials will also help you regarding ISO 27001 benefits:
Your assumption is correct. Since 2012 all ISO management systems share the same basic structure, which makes it easier to integrate them.
This article will provide you with further explanation about ISO 27001 structure and integration:
These materials will also help you regarding ISO 27001:
No, the medical mask does not require sterilization. It depends on what kind of mask the manufacturer wants to put on the market, what the customer requirements are (for example, hospitals), and so on.
You can find the applicable standards for the mask at the following link: