
  • Risk and opportunity assessment

    What is the best time interval to assess/re-assess the risk and opportunity?

    Answer:

    It is difficult to give a straight answer. That will depend on your organization’s context and interested parties. For example, in my country, last December a lot of organizations updated their risks and opportunities register. Then February and March came, and the coronavirus lockdowns froze economies and made all those registers outdated.

    So, set a frequency that matches your context and interested parties. For example, technological organizations working at the edge may need to use shorter intervals. You can set a yearly deep assess/re-assess exercise followed by monthly or quarterly lighter exercises, together with monitoring and analysis of performance.

    Do I need to have operational and strategic risk and opportunity assessments separately?

    Answer:

    Technical answer: No, you don’t. It is your organization’s call.

    Experience-based answer: It is better to separate strategic and operational risk and opportunity assessments. That way, participants can work at different abstraction levels without having to continuously switch from one to the other. Ideally, I recommend an iterative approach to avoid daydreaming and losing contact with the ground:

    • Start with strategic level
    • Use strategic level as an input to the operational level
    • Use the operational level as an input to fine tune the strategic level

    Perhaps the following information about risk and ISO 9001 could be useful for you:

  • ISO 27001 Control

    1. I wanted to know how we can measure the maturity of an ISO control when trying to assess its maturity level with something like CMMI.

    First, it is important for you to understand the criteria levels adopted, so you can define how you can evidence that the control has achieved them. For example, using the model defined by ISO/IEC 15504:

    • Level 0 – Incomplete: No process implemented or little/no evidence of any systematic achievement of the process purpose (control not implemented / control does not deliver expected results most of the time)
    • Level 1 – Performed: The process achieves its expected purpose (control delivers expected results most of the time)
    • Level 3 – Established: The process is implemented using a defined (standard) process that is capable of achieving the expected outcomes (control delivers expected results most of the time and is performed in a similar way in all places where it is applied)
    • Level 4 – Predictable: The process operates within defined limits to achieve its expected outcomes (control delivers expected results with optimized resources)

    This article will provide you a further explanation about maturity models and ISO 27001:

    2. How can we measure how effective and how mature a control is? Any resources that can help?

    The effectiveness and maturity of a control can be measured against business-related objectives and KPIs (e.g., reduced incidents through incident management, increasing customer satisfaction) and the costs related to its operation (the lower the better).

    This article will provide you a further explanation about ISO 27001 KPIs:

  • Audit checklist

    In case you are preparing for a certification audit, then you need to complete all items related to mandatory requirements (from sections 4 to 10) and all items related to applicable controls defined in the SoA.

    You can sample the checklist when you are preparing for a surveillance audit, because, in this case, you can focus on the items that will be audited.

    This article will provide you a further explanation about certification and surveillance audit:

    This material will also help you regarding audits:

  • Using ISO 27001 and 27017 to get GDPR compliance

    It is possible to use ISO 27001 to cover the requirements of GDPR Article 32 (ISO 27017 is not required unless you have specific requirements demanding controls from this standard). For the remaining requirements of GDPR, you should define additional approaches.

    This article will provide you a further explanation about ISO 27001 and GDPR:

    This material will also help you regarding ISO 27001 and GDPR:

  • Management review after audit

    Yes, it makes sense to carry out the management review meeting after the internal audit has been carried out. The internal audit captures relevant information that does not come from the simple analysis of the process indicators.

    That way, one of the decisions of the management review meeting may be the decision to go to certification.

    How long after the internal audit should a management review meeting be held?

    Some organizations decide to do it right away, one week or so after the internal audit, because they believe that top management can infuse direction and pressure to close any nonconformities.

    Other organizations decide to give a one-month interval between the internal audit and the management review meeting because they want to present a picture of what was found and what was done to close any nonconformity.

    So, it is up to your organization to decide what kind of interval will be more useful.

    Perhaps the following information could be useful for your organization:

  • ISO representative responsibilities

    ISO 9001:2015 no longer mandates the existence of an ISO representative function. So, organizations are free to decide whether to keep that function, and are free to decide what its responsibilities and authorities are. This is the technical answer.

    The practical answer, based on my experience, is that an ISO representative can be a Project Sponsor or a Project Manager. As Project Manager an ISO representative coordinates a Project Team. Members of that Project Team should work together with people from each department to question the organization’s status quo, think about improvements and develop work procedures.

    Putting an ISO representative as the sole writer of work procedures will delay the project implementation, will fuel resistance to change and will be far from effective to improve an organization’s performance.

    Perhaps the following information could be useful for you:

  • ISO27001 for a Cloud Service Provider

    First, it is important to note that ISO 27001 does not apply to services, but to the processes they rely on.

    Second, I'm assuming your question is about whether the approach for a cloud services provider is similar to that for a data center provider.

    Considering that, the general approach is the same:

    • identify relevant requirements (e.g., business, customers, legal, etc.)
    • identify and treat relevant risks
    • operate, evaluate and improve the controls and processes

    The difference will be on the application of controls related to the type of provided cloud service. For example:

    • for IaaS, the controls applied by the provider will be limited to physical infrastructure and virtual machines
    • for PaaS, the controls applied by the provider will also cover virtual servers and, to some degree, applications
    • for SaaS, the controls applied by the provider will cover datacenter facilities’ physical location, hardware, and software

    For a data center provider, the provider will have to consider applying controls to datacenter facilities’ physical location, hardware, software, and data.

    This article will provide you a further explanation about ISMS scope for cloud services:

    These materials will also help you regarding ISO 27001:

  • Difference between ISO 9001 and IATF 16949

    ISO 9001 sets the base requirements of a quality management system. It is a generic standard, which means it can be used in any kind of organization. The IATF 16949 standard is a supplemental standard and is used in conjunction with ISO 9001 in the automotive sector.

    Without any doubt, ISO 9001 is easier and more appropriate for a small business company. I would only recommend IATF 16949 if your company is operating in the automotive sector and if any major customer requires its use.

    You can find more information about ISO 9001 below:

  • GDPR and ISMS

    I'm assuming that you already have knowledge about GDPR requirements related to information security.

    Considering that, the proper course will depend on your objective:

    This article will provide you a further explanation about ISO 27001 and GDPR:

    This material will provide you a further explanation about ISO 27001 and GDPR:

  • Hand sanitizers under ISO 13485

    According to ISO 13485:2016, disinfectant substances are products that can be considered medical devices. Here is the differentiation between similar products: sanitizers reduce bacteria on a surface by at least 99.9%, disinfectants kill a wider range of microorganisms (than sanitizers), and cleaners simply remove dirt, soils, and impurities from surfaces.

    So, if you declare that your hand sanitizer KILLS microorganisms, then it is a disinfectant and is defined as a medical device that needs to be manufactured under ISO 13485:2016. If this is not your statement, then it is most probable that your product is a cosmetic product and needs to be produced in compliance with ISO 22716:2007 Cosmetics — Good Manufacturing Practices (GMP) — Guidelines on Good Manufacturing Practices.

    For more information, read the following article:

    In case you decide to implement ISO 13485:2016, the following link can help you see which documentation is necessary:
