Search results

ITIL & ISO 20000 Implementation Steps

Here are few general information about ITIL implementation: „How to implement ITIL“ https://advisera.com/20000academy/knowledgebase/how-to-implement-itil/

Some steps need to be taken care of before the implementation starts, see „ Considerations before ITIL implementation“ https://advisera.com/20000academy/blog/2014/05/21/considerations-itil-implementation/

Once you decide to start the implementation, see the article „

Ready, steady… go – Starting ITIL implementation“ https://advisera.com/20000academy/blog/2014/06/10/ready-steady-go-starting-itil-implementation/

„ITIL implementation diagram“ https://info.advisera.com/20000academy/free-download/itil-implementation-diagram is available in our free downloads (https://advisera.com/20000academy/free-downloads/), as well as other useful materials (e.g. Project plan, GAP Analysis tool, etc.).

How do I ensure that I am GDP compliant?

You need to evaluate how the email address is composed. In fact, a general email address like info@... is not considered as personal data, so you can send emails to companies to present your services, while email addresses with name or surname (direct contact) are personal data under GDPR. 

How did you collect emails? Did website users left it to you on your website (maybe filling a form?) In this case check your email notification and be transparent with your visitors by informing them that you will use their email address to send them news about services provided and other great content.

If you collected email on social networks or companies websites, you need to be aware that these contacts are not published to receive advertising or promoting contacts, the person who published it does not attend to receive such email (unless the text around it allow you to believe otherwise) so that it would not be appropriate to contact them. However, if you model your email as a cold email using legitimate interest as a legal ground, you can present your company and the advantages in working with you and underline that you are contacting them because they are looking for a similar profile. This would be in line with GDPR requirements. 

Here you can find more information:

• Is consent needed? Six legal bases to process data according to GDPR https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/
• How does GDPR impact marketing activities? https://advisera.com/eugdpracademy/blog/2018/02/08/how-does-gdpr-impact-marketing-activities/
• How does GDPR affect digital marketing? https://advisera.com/eugdpracademy/blog/2019/02/20/how-does-gdpr-affect-digital-marketing/

You can consider enrolling in our free EU GDPR Foundations Course

• EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

• Sheet metal industries (press shop) process validations

  As you know, there are CQI guides which are GM, FORD customer-specific requirements for production process such as heat treatment, casting, welding, molding, coating, etc. For the sheet metal process, there is no special process validation guide like CQI. But if you want, you can prepare a guide by deriving questions from CQIs. Or you can use VDA 6.3 format for production, quality process validation.  

• ISO 9001 Question

  The auditor focused your attention in a particular problem, the non-conformity raised. Developing a corrective action means finding the root cause(s) and eliminate it/them.

  First you have to expand your mind by answering to the question why. Why did this nonconformity occur?

  A team can brainstorm a set of answers. The answers are hypothesis about what can be behind the non-conformity. Hypothesis are theories not the truth. Then, the most promising theories are selected, and information is collected, or tests are made to eliminate the wrong ones and keep the good ones. Now, we know what is behind the non-conformity, we know the root-cause(s). A root cause is something that has a strong impact in the occurrence of the non-conformity, and it is something that can be managed. It is time to develop a solution, something that will remove or reduce the frequency of the non-conformity. More than one solution may be available, normally one is chosen based on cost, or effectiveness, or easiness or resistance.

  For example, during an audit a nonconformity was raised because there were no evidences of performance of a quality control during the night shift.

  Why there was no control at the night shift?

  Because people:

  1. Don’t like to do quality control;
  2. Think quality control is not their job function;
  3. Have no time to do quality control;
  4. Actually, do quality control, but they do not record the results;
  5. Don’t know how to do quality control;
  6. Did not know they are responsible for quality control; 

  After some investigation. For example, what shifts missed the records? Who worked on those shifts? What kind of training did they had? You may realize that they never had training (hypothesis 5 and 2) because they were admitted in a rush to answer to a surge in orders.

  In this article you can find an answer to the question about the difference between a major and a minor non-conformity - Major vs. minor nonconformities in the certification audit - https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/

  The following material will provide you with information about root cause analysis:

  • ISO 9001 – How to use root cause analysis to support corrective actions in your QMS - https://advisera.com/9001academy/blog/2016/03/01/how-to-use-root-cause-analysis-to-support-corrective-actions-in-your-qms/
  • Free webinar – Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/
  • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
     

• ISO 9001 Successful Implementation

  No, you do not need to memorize the standard for successful ISO9001 implementation. You study the standard and distill requirements to your processes and introduce or improve practices based on those requirements. People doing quality control do nor need to know that they are applying clause 8.6 and they treat non-conformities according to the standard without knowing that it is clause 8.7.

  I think that the process approach can be a great help in doing this because it allows an organization to draw a model of how it works, a model that people can relate to. Then, it is easy to distribute ISO 9001 clauses over the model. The model stands as reference, it is what people know.

  Please check this example:

  

  The following material will provide you more information about the process approach:

  • Free webinar on demand - The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/ - please check how training can be related with the process approach
  • Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
  • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ - where I extensively use the process approach.
     

• Update SoA

  To update the SoA considering your stated scenario, you need to:

  • update your risk assessment, to see if new unacceptable risks had arisen or current ones had changed
  • review applicable legal requirements (e.g., laws, regulations, or contracts.), to see if new controls are now applicable
  • adjust your risk treatment according to the updated unacceptable risks and applicable legal requirements

  After approving the updated risk assessment and treatment you can update the SoA accordingly.

  This article will provide you a further explanation about SoA:

  • The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
  • ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
  • How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

  For common risks and safeguards related to working remotely, please read:

  • Checklist of cyber threats & safeguards when working from home (PDF) https://info.advisera.com/27001academy/free-download/checklist-of-cyber-threats-and-safeguards-when-working-from-home

• Short way to get certified as ISO 27001 and 27002

  First is important to note that only ISO 27001 is a certifiable standard. ISO 27002 is a support standard which provides guidance and recommendations for implementation of controls from ISO 27001 Annex A.

  Considering that, in a general way, after getting support for the certification (through approval of an ISO 27001 certification project plan) and approval of the Procedure for Document and Record Control, you should consider these for implementation:

  1. defining ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding organizational context and requirements of interested parties;
  2. development of risk assessment and treatment methodology;
  3. perform a risk assessment and define the risk treatment plan;
  4. controls implementation (e.g., policies and procedures documentation, acquisitions, etc.);
  5. people training and awareness;
  6. controls operation;
  7. performance monitoring and measurement;
  8. perform internal audit;
  9. perform management critical review; and
  10. address nonconformities, corrective actions, and opportunities for improvement.

  This article will provide you a further explanation about ISMS implementation:

  • ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

  To see how documents compliant with ISO 27001 looks like, I suggest you take a look at the free demo of our ISO 27001 Documentation Toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

  As for the shortest way to get ISO 27001 certified, it would involve hiring a consultant, because this approach will rapidly provide the knowledge, expertise, and methods to implement the standard, although it is the most expensive approach.

  Other approaches that can be adopted are implementing the standard using your own employees (the cheapest and longest way), and implementing the standard with a DIY approach and using external know-how (a mid-term approach).

  These articles will provide you a further explanation about implementation approaches:

  • 3 strategic options to implement any ISO standard https://advisera.com/blog/2016/04/11/3-strategic-options-to-implement-any-iso-standard/
  • 5 criteria for choosing an ISO 22301 / ISO 27001 consultant https://advisera.com/27001academy/blog/2013/03/25/5-criteria-for-choosing-a-iso-22301-iso-27001-consultant/
  • Do you really need a consultant for ISO 27001 / BS 25999 implementation? https://advisera.com/27001academy/blog/2011/12/06/do-you-really-need-a-consultant-for-iso-27001-bs-25999-implementation/

  These materials will also help you regarding ISO 27001 implementation:

  • Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • How to use a Documentation Toolkit for the implementation of ISO 27001 / ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-27001-free-webinar-on-demand/

• ISO 14001 New Objectives within a small business

  In environmental management systems I’m always going back to the list of significant environmental aspects and impacts to renew the list of environmental objectives. Also, I try to connect environmental objectives with business objectives. For example, if an organization competes based on price what significant environmental objectives can best contribute to reduce costs?

  Please check this information below with more detailed answers:

  • How to Use Good Environmental Objectives - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/how-to-use-good-environmental-objectives/
  • Examples of ISO 14001 objectives based on the different company sizes - https://advisera.com/14001academy/blog/2019/10/22/iso-14001-objectives-examples-for-different-company-sizes/
  • Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
  • Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/

• ISMS scope of a digital bank

  You can define the scope in terms of only the part of the organization (i.e. the Database), but in general, for small and mid-sized business, the best approach is to include the entire organization in the ISMS scope, because the effort to separate the scope for such organizations may not be worthy.

  These articles will provide you a further explanation about the scope definition:

  • How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
  • Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

  These materials will also help you regarding scope definition:

  • How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
  • Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/