Usually, implementing anything without control leads, sooner or later, to a waste of time and money.
IT projects (including ITIL/ISO 20000 implementation) usually require interfacing between systems (i.e. technological solution, as a basis for IT services), processes, roles, etc. Without a decent plan and management, implemented solutions will run in isolation without expected benefits. Additionally, maintenance will be complex, data will be duplicated, processes will be chaotic…
Here are a few articles that can give you more information:
Ready, steady… go – Starting ITIL implementation https://advisera.com/20000academy/blog/2014/06/10/ready-steady-go-starting-itil-implementation/
ITIL and ISO 20000 – What does Project Management have to do with it? https://advisera.com/20000academy/blog/2015/03/31/itil-and-iso-20000-what-does-project-management-have-to-do-with-it/
How to use ITIL to avoid 50% of IT project failures https://advisera.com/20000academy/blog/2015/05/12/how-to-use-itil-to-avoid-50-of-it-project-failures/
The main steps for implementing a quality management system are the same. However, the larger an organization, the more complex and the more vertical it is. So, normally, larger organizations require more formalization and more training. For example, a larger organization may need documented procedures for some activities that another, smaller organization in the same economic sector may decide not to formalize in a documented procedure. A smaller organization may use an all-hands meeting to communicate a message to everybody; a larger organization may need to use a newsletter, a video or another scalable option.
About implementing ISO 9001:2015, perhaps this free on-demand webinar, these articles and this book can help you:
Protocols are a set of rules and standards established by an external regulating body, whereas SOPs are the methods used to achieve or comply with those protocols. Protocols do not necessarily have an SOP, and you can also develop an SOP regardless of whether there is a protocol that needs to be complied with. In addition, protocols are goal-oriented or problem-oriented, since they describe what has to be achieved, while SOPs are the practical instructions that an individual needs to follow to achieve that goal. For instance, a protocol may indicate the accuracy that a process requires, while the SOP is the procedure a lab uses to conduct the process.
For more information about protocols and SOPs see the following materials:
- Enroll for free in the course – ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
To get top management committed to meeting the requirements of ISO 9001:2015, I recommend that, on the one hand, you present the benefits that implementing ISO 9001:2015 brings to the organization and, on the other hand, that you speak the language top management understands.
You can translate the ISO 9001 requirements into simpler language with a more business-oriented slant. For example, instead of talking about obsolete documents, talk to management about the loss of reputation that could occur if the organization uses documents that are not up to date. Or, instead of talking about nonconformities within quality control, talk about loss of money.
Although money is a powerful language for top management, they are also interested in topics such as market share, customers won or lost, profit margin and differentiation from the competition, as well as the risks to avoid and the opportunities to seize.
For more information on how to engage top management, see the following materials:
- Six key benefits of ISO 9001 implementation: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/seis-beneficios-clave-de-la-implementacion-de-iso-9001/
- To what extent should top management be involved in your QMS: https://advisera.com/9001academy/blog/2016/11/22/to-what-extent-should-top-management-be-involved-in-your-qms/
- ISO 9001 top management audit: how to perform it successfully: https://advisera.com/9001academy/blog/2019/05/15/iso-9001-top-management-audit-how-to-perform-it-successfully/
- Presentation - Why ISO 9001:2015 awareness presentation: https://info.advisera.com/9001academy/free-download/why-iso-9001-2015-awareness-presentation
- Free online course - ISO 9001:2015 Foundations Course - https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
- Libro - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
1 - Can we take the ISO 27001 certificate with a master's degree in general management in organizational strategy and 4 months of experience as a business intelligence consultant?
ISO certifications for persons do not require previous competences or experiences, so it is possible to take them with this current background.
There are several different ISO 27001 personal certifications available, and you have to choose what is most appropriate for you:
These materials will help you:
2 - Can we work remotely as an aid in audit or iso 27000 implementation projects under these conditions?
Remote work is possible for audit and implementation projects, depending on the scope (some activities, like the audit or implementation of some physical controls, can only be done in loco). You should define these situations with your customers.
Regarding consultancy services, besides information security-related certifications, you also need to consider competencies related to project management, and accumulate experience, either working with another consultant or performing activities in the information security field for a company. You also should consider the Lead Implementer certification.
For more information, see:
1 - A question on ISMS scope and 3.3 Locations in your toolkit template. Due to covid we no longer have a physical office, it may be that we never return to having one as we mainly all worked remotely in any case. We have 6 people in our business, but 4 remote working locations.
For the purposes of ISO27001, are those 4 remote working locations to be in scope for our ISMS? I think the answer is no because we are a SAAS company and your webinar on ISMS scope said that SAAS cloud companies did not need to look at HW or SW, just their data.
Your assumption is correct. Regarding remote workers, normally you do not control the environment where they are, so these are kept out of the scope.
These articles will provide you a further explanation about defining scope:
2 - However, what about operational controls to ensure information and data such as passwords are not left lying around? An impostor could in principle log on and get into our system. Would we need a tidy desk policy or something like that so that no paper passwords or client data/information is on note pads or left out? How would you actually enforce that with remote working? Perhaps a risk you choose to acknowledge but not do anything about, as you can't enforce a locked room in someone's home. Not sure what other companies are doing on this point now that everyone is working from home.
Should we be saying that employees log out when they go away from their computer? Should we be keeping a record of when an employee signs in and signs out of their device or applications on that device? We value our flexibility and don’t want to upset our culture by having a big brother approach to how we work and operate.
In such cases with remote workers, you treat remote access as a risk in your assessment, and treat the unacceptable risks by means of controls from section A.15 - Supplier relationships (e.g., by using contracts and terms of service to enforce security practices).
This article will provide you a further explanation about the scope definition and supplier management: