Search results

Home / Search

Category:
Select
Select

11270 results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Risk Management and "Asset value" & Asset Criticality

    1) Does ISO 27001/27005 requires the Risk Management process to use asset value as part of calculating the risk assessment level.

    ISO 27001 and ISO 27005 do not prescribe the use of the asset value for risk assessment, so organizations are free to use any approach they see fit to their needs.

    For further information, see:

    2) Does the standard require asset valuation as part of the Risk Management process? Or can be seen as an input, rather than a direct output of the process. That is to say, asset value is important to me as Risk Manager, but I need that input from the organization. It is not my responsibility to produce it as part of the RM process

    ISO 27001 requires only that risks are evaluated, so you can either obtain this value as a result of asset valuation, or any other risk management related process or from direct input from the personnel involved in the risk assessment process. Please note that in either case, the responsibility for the value is from the personnel involved in the risk assessment process, but you, as Risk Manager, must ensure the processes are performed in the right way, and with the proper personnel.

    3) What is the relationship between asset value and criticality assessment (like FIPS 199/200)? Again, I see asset criticality assessment as an input to RM, alas, not something that I am responsible for as part of the RM process.

    Criticality analysis is a systemic approach to identify how critical an asset is to the business, to support the evaluation of potential risks, and highlight any business impacts associated with such risks. Considering that, for this approach, you do not need the asset value, but only the identification of the asset itself (in this case, you need to evaluate the impact caused by the lack or failure of the asset).

    4) Finally, have you written a solid book (like the one on 22301) that explain in details how 27005 should be applied section for section?

    Since ISO 27005 is a supporting standard for ISO 27001 implementation, we did not develop a book covering this specific standard but used its guidance and recommendations to develop the ISO 27001 Risk Management in Plain English.

  • Inquiry about Gap Analysis

    Please note that the article states that "you don't need" to perform gap analysis for clauses of the main part of the standard, not that it cannot be performed.

    The provided tool in our website has a different purpose than help verify the fulfillment of a standard's requirement: it can be used by organizations in order they get an overall and general feeling of where they are in the current moment, and to find out which resources they may need to employ in order to implement ISO 27001 before any real action or project is developed and implemented.

  • Underscores in a file name

    The underscore is used instead of spaces because some old operational systems and applications have problems handling spaces and other special characters. Since we do not know if our customers may have issues regarding these situations we make use of underscore in toolkits name files.

    The use of underscore may turn filenames difficult to read by persons, so you need to verify in your own context the need or not for the use of underscore in file names.

  • ITIL & ISO 20000 Implementation Steps

    Here are few general information about ITIL implementation: „How to implement ITIL“ https://advisera.com/20000academy/knowledgebase/how-to-implement-itil/

     

    Some steps need to be taken care of before the implementation starts, see „ Considerations before ITIL implementation“ https://advisera.com/20000academy/blog/2014/05/21/considerations-itil-implementation/

    Once you decide to start the implementation, see the article „

    Ready, steady… go – Starting ITIL implementation“ https://advisera.com/20000academy/blog/2014/06/10/ready-steady-go-starting-itil-implementation/

    „ITIL implementation diagram“ https://info.advisera.com/20000academy/free-download/itil-implementation-diagram is available in our free downloads (https://advisera.com/20000academy/free-downloads/), as well as other useful materials (e.g. Project plan, GAP Analysis tool, etc.).

     

  • How do I ensure that I am GDP compliant?

    You need to evaluate how the email address is composed. In fact, a general email address like info@... is not considered as personal data, so you can send emails to companies to present your services, while email addresses with name or surname (direct contact) are personal data under GDPR. 

    How did you collect emails? Did website users left it to you on your website (maybe filling a form?) In this case check your email notification and be transparent with your visitors by informing them that you will use their email address to send them news about services provided and other great content.

    If you collected email on social networks or companies websites, you need to be aware that these contacts are not published to receive advertising or promoting contacts, the person who published it does not attend to receive such email (unless the text around it allow you to believe otherwise) so that it would not be appropriate to contact them. However, if you model your email as a cold email using legitimate interest as a legal ground, you can present your company and the advantages in working with you and underline that you are contacting them because they are looking for a similar profile. This would be in line with GDPR requirements. 

    Here you can find more information:

    You can consider enrolling in our free EU GDPR Foundations Course

    • EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

    • Sheet metal industries (press shop) process validations

      As you know, there are CQI guides which are GM, FORD customer-specific requirements for production process such as heat treatment, casting, welding, molding, coating, etc. For the sheet metal process, there is no special process validation guide like CQI. But if you want, you can prepare a guide by deriving questions from CQIs. Or you can use VDA 6.3 format for production, quality process validation.  

    • ISO 9001 Question

      The auditor focused your attention in a particular problem, the non-conformity raised. Developing a corrective action means finding the root cause(s) and eliminate it/them.

      First you have to expand your mind by answering to the question why. Why did this nonconformity occur?

      A team can brainstorm a set of answers. The answers are hypothesis about what can be behind the non-conformity. Hypothesis are theories not the truth. Then, the most promising theories are selected, and information is collected, or tests are made to eliminate the wrong ones and keep the good ones. Now, we know what is behind the non-conformity, we know the root-cause(s). A root cause is something that has a strong impact in the occurrence of the non-conformity, and it is something that can be managed. It is time to develop a solution, something that will remove or reduce the frequency of the non-conformity. More than one solution may be available, normally one is chosen based on cost, or effectiveness, or easiness or resistance.

      For example, during an audit a nonconformity was raised because there were no evidences of performance of a quality control during the night shift.

      Why there was no control at the night shift?

      Because people:

      1. Don’t like to do quality control;
      2. Think quality control is not their job function;
      3. Have no time to do quality control;
      4. Actually, do quality control, but they do not record the results;
      5. Don’t know how to do quality control;
      6. Did not know they are responsible for quality control; 

      After some investigation. For example, what shifts missed the records? Who worked on those shifts? What kind of training did they had? You may realize that they never had training (hypothesis 5 and 2) because they were admitted in a rush to answer to a surge in orders.

      In this article you can find an answer to the question about the difference between a major and a minor non-conformity - Major vs. minor nonconformities in the certification audit - https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/

      The following material will provide you with information about root cause analysis:

    • ISO 9001 Successful Implementation

      No, you do not need to memorize the standard for successful ISO9001 implementation. You study the standard and distill requirements to your processes and introduce or improve practices based on those requirements. People doing quality control do nor need to know that they are applying clause 8.6 and they treat non-conformities according to the standard without knowing that it is clause 8.7.

      I think that the process approach can be a great help in doing this because it allows an organization to draw a model of how it works, a model that people can relate to. Then, it is easy to distribute ISO 9001 clauses over the model. The model stands as reference, it is what people know.

      Please check this example:

      https://www.screencast.com/users/ccruz5284/folders/Default/media/e5b64496-b3b3-4ef6-8ba3-af6d81514ea8

      The following material will provide you more information about the process approach:
Page 305-vs-13485 of 1127 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +