
  • Conducting OHSAS audit

    The ISO 45001 standard does not dictate who is responsible for conducting the OHSAS audits, but rather clause 9.2.2 gives directions to ensure audits are done objectively and independently by auditors. Who the auditors are, and how their competency is determined, are up to the organization.

    For more information on the ISO recommendation for audit, see the whitepaper: How to perform an internal audit using ISO 19011, https://info.advisera.com/free-download/how-to-perform-an-internal-audit-using-iso-19011

  • Business continuity plan

    AS9100 Rev D does not specifically address a business continuity plan; in general this is covered in ISO 22301, Societal security – Business continuity management systems – Requirements. Business continuity management is about the plans in place to ensure that if a disaster or major problem occurs your business can still function. This is not included in the AS9100 standard, which is why it has not been addressed in any AS9100 certification audits. Often ISO 22301 is partnered with IT management per ISO 27001, as IT catastrophes can lead to business continuity problems.

    By comparison, contingency planning is having a plan in place for a disruption, often less catastrophic than the disasters mentioned above. Having a plan to address your factory being destroyed by an earthquake is business continuity planning; having a back-up supplier in case you have a disrupted supply chain is contingency planning.

    You can find out more about ISO 22301 in our 27001Academy whitepaper: Clause-by-clause explanation of ISO 22301, https://info.advisera.com/27001academy/free-download/clause-by-clause-explanation-of-iso-223012008

  • Covid-19 cut off date extension

    With regard to a delay in the implementation timeline of ISO 45001:2018 due to the Covid-19 crisis around the world, any delay in transition from OHSAS 18001 does not seem to have come from ISO, as it is not recorded on their information page (https://www.iso.org/iso-45001-occupational-health-and-safety.html). However, it does appear that the International Accreditation Forum (IAF) has allowed an extension of 6 months (to September 2021, Question 15 on their FAQ, https://iaffaq.com/), and this has been repeated by one of their member accreditation bodies, the United Kingdom Accreditation Service (UKAS, https://www.ukas.com/news/technical-bulletin-extension-of-migration-period-for-iso-45001/), and several of their certification bodies.

    Note, this extension is applicable to companies that are transitioning from OHSAS 18001 to ISO 45001; this does not mean that new certifications to the OHSAS 18001 standard are being done, and a new OHSMS should be implemented to the ISO 45001 standard. Another note: this extension is by the IAF, and would only be applicable to accreditation bodies under their jurisdiction, and the certification bodies that are accredited by these accreditation bodies. It is important to check with your certification body to find out what directives they have from their accreditation body.

    For a bit more on how the certification audit works, see our whitepaper on: What to expect at the ISO certification audit, https://info.advisera.com/free-download/what-to-expect-at-the-iso-certification-audit

  • ISO 22301 Business Impact Analysis Toolkit content

    Please note that our toolkits do not contain material related to the legislation of any country.

    Our templates are fully compliant with the standard and are made in such a way as to comply with most of the regulations in major countries. So far, we have not received any complaints from our UK customers with regard to compliance with local regulations.

    For a reference about some legal requirements, please access this link: https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/

  • Information classification and Labeling

    1 - As part of the ISO 27001 Certification Audit, when we classify the information in the Company, do we have to classify only the information related to the ISMS (for example Advisera Toolkit Docs) or all project-related information?

    ISO 27001 does not prescribe which information to classify, so you can choose what you want to classify: this can be only the ISMS documentation, all documentation, or any other combination.

    For further information, see:

    2 - And does each and every Information Processing Asset (Laptop, Server, Printer) of the Organization need to be labeled? If yes, can you suggest the way of labeling?

    ISO 27001 does not prescribe which assets must be labeled, so organizations can label them as they see fit.

    For laptops and servers, a good way of labeling is by including classification labels in the operating system's login screen, and in every information system screen accessed through that asset.

    In the case of printers, it makes more sense to label the documents they print. In case they are used only to print sensitive information, a better approach would be to install the printer in a location with controlled access (e.g., a restricted room).

  • Clarification on Scope of Work

    1. What should be important considerations while defining Out of Scope in Statement of applicability?

    I'm assuming that by "Out of Scope" you mean controls that are not applicable.

    Considering that, for a control to be considered not applicable in the Statement of applicability you have to be sure that:

    • there are no relevant risks you decided to treat that need this particular control to become acceptable risks
    • there are no legal requirements (e.g., laws, regulations, or contracts) that require this particular control to be implemented

    For further information, see:

    2. If I have some systems which are currently running on obsolete or unsupported technology, what does that mean for my ISO 27001 Stage 2 assessment and what impact can it have on certification?

    If the information security risks related to these systems running in this situation are identified and evaluated as acceptable by your organization, then this situation won't have an impact on your certification process, because you performed the risk assessment and risk treatment required by the standard (ISO 27001 does not require you to treat all risks, only those considered unacceptable).

    On the other hand, if you consider the risks related to this technology as not acceptable, you will have to implement applicable controls (safeguards) before going to the Stage 2 certification audit.

    These articles will provide you a further explanation about the certification audit:

  • IATF 16949 6.1.2.3

    The control of records must satisfy statutory, regulatory, organizational, and customer requirements.

    If there is no such requirement, the organization must establish its own record retention periods. My advice is that periodic testing or simulation test records should be kept for between 3 and 5 years.

  • Strategic direction in the context of ISO 9001

    ISO 9001:2015 mentions "strategic direction" in clauses 4.1, 5.1.1b), 5.2.1 a) and 9.3.1.

    ISO 9000:2015 defines strategy as "plan to achieve a long-term or overall objective".

    Strategy is about establishing a set of consistent rules about what to do and whom to serve, and about what not to do and whom not to serve. Adopting and following those rules sets a path, an orientation, a direction: the strategic direction.

    For example, if an organization decides to serve customers that value the lowest price above all, it has to concentrate on efficiency, on volume, on big orders, and look for process innovations that reinforce those topics. Another organization, in the same economic sector, may decide to serve customers that value premium service. These organizations are different, require different processes, or are managed with different priorities in mind. Just compare the profiles, priorities, and processes of a low-cost carrier with a top-of-the-line carrier.

    Please check these two free webinars on demand where we relate quality policy and indicators:

    The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/
    Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/

    The following material will provide you information about strategic orientation:

  • ISO 27001 Certification

    We are not experts in FedRAMP, SOC2, and NIST, but this situation is more like an "adjustment" than a "transition", because the safeguards required/used by the frameworks you mentioned can be used for ISO 27001 implementation (some of them can be linked to controls from the standard's Annex A). Your main concern should be compliance with the main clauses of the standard.

    These articles will provide you with a further explanation about the implementation of ISO 27001 and the use of the NIST framework:

    These materials will also help you regarding ISO 27001 implementation:

  • Risk treatment plan

    ISO 27001 does not prescribe the content of the risk treatment plan, but as good practice it should consider at least:

    • which security controls you need to implement
    • who is responsible for them
    • what the deadlines are
    • which resources are needed (i.e. financial and human)

    To see what a risk treatment plan looks like, please access the free demo of our Risk Treatment Plan at this link: https://advisera.com/27001academy/documentation/risk-treatment-plan/

    This article will provide you with further explanation about the risk treatment plan:
