Search results

Preventive measures and Incident report

Incident report can be seen from various perspectives - it could mean report after a major incident or it could mean log of the incident resolution. Or maybe as report, e.g. at the end of the months with incident status and activities.

Here are a few links that can help:

How to measure Incident Management efficiency according to ITIL  https://advisera.com/20000academy/blog/2015/09/08/how-to-measure-incident-management-efficiency-according-to-itil/

Incident Record – you can’t live without it https://advisera.com/20000academy/blog/2014/07/01/incident-record-cant-live-without/

Major Incident Report https://advisera.com/20000academy/documentation/major-incident-report/

Problem management or Continual Service Improvement would be a good fit for Preventive maintenance activities.

These articles provide you with more details:

ITIL Reactive and Proactive Problem Management: Two sides of the same coin https://advisera.com/20000academy/knowledgebase/itil-reactive-proactive-problem-management-two-sides-coin/

ITIL and ISO 20000 Problem Management – Organizing for problem resolution https://advisera.com/20000academy/blog/2014/07/29/itil-iso-20000-problem-management-organizing-problem-resolution/

ITIL Continual Service Improvement – the never-ending story https://advisera.com/20000academy/blog/2013/04/09/itil-continual-service-improvement-never-ending-story/

ISO 9001:2015 versus ISO 13485:2016

ISO 9001:2015 requirements that have been discarded form ISO 13485:2016 are the context of the organization (4.1 Understanding the organization and its context) and interested parties (4.2 Understanding the needs and expectations of interested parties).

Internal Audit - choice of auditor

ISO 27001 does not prescribe who the internal auditor should be, so both approaches for choosing the internal auditor are acceptable.

You can train your employees to get the competence in ISO 27001 internal auditing to perform this job. If this person works in the department that needs to be audited, to avoid conflict of interest you can train the second auditor that will audit only this department where the first auditor performs his/her regular job.

This article will provide you a further explanation about performing an internal audit:

• How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/

These materials will also help you regarding performing internal audit:

• Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
• ISO 27001 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

Business Continuity Policy 22301

1. I'm reading the Business continuity Policy according to ISO 22301; I Don't understand why it is written, "Because in many cases the executives have no idea how business continuity can help their organization, which means they won’t be particularly interested in supporting the business continuity effort in their company."
How it can be possible?

I'm assuming you are referring to the article "The purpose of Business continuity policy according to ISO 22301" https://advisera.com/27001academy/blog/2013/06/04/the-purpose-of-business-continuity-policy-according-to-iso-22301/

Considering that, in the article's context, the statement means that very often executives do not understand the basics of business continuity, and they do not need to, because their jobs are focused on profit, market share, client satisfaction, cost-cutting, business strategy, and business risks, not in understanding disaster recovery site, business continuity plans, etc.

This situation makes the business continuity policy important: it makes executives stop to focus on business continuity, to understand the minimum they need to make proper decisions, and to make a formal and written statement about the importance of business continuity for the organization, how they will handle it (in most cases, by designating a competent staff to do the work).

2. If they are not involved that plant will be closed?

Executives' involvement is essential for business continuity because they are the ones who define priorities and resources, and if they are not involved, or support the business continuity initiative, it will most probably fail, and the plant will be at real risk of closing if a disaster hits it.

For further information, see:

• ISO 22301 benefits: How to get your management’s approval for a business continuity project https://advisera.com/27001academy/knowledgebase/iso-22301-benefits-how-to-get-your-managements-approval-for-a-business-continuity-project/

8.1 Operational planning and control

In fact, the Project Plan and all templates in the toolkit can be used to fulfill this requirement, since some of them define what must be carried out (e.g., policies and procedures), and others record needed requirements (e.g., Specification of Information System Requirements), performed tasks (e.g., Internal Audit Report) and achieved results (e.g., Management review minutes)

This article will provide you further explanation about document management:

• Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/

This material will also help you regarding document management:

• Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/

BCP and DR

BCP is wider than a DR. BCP aims to ensure the business continues to operate after a disruptive event, while the DR aims to handle the impacts at the affected area and bring operations back to normal conditions.

ISO 27001 aspects on business continuity process (section A.17 from ISO 27001 Annex A) are related to ensuring the availability of information and information systems during either crisis or disaster situations, so a full Business Continuity Plan is not mandatory for this standard, and you will only need the DR template included in your toolkit.

These articles will provide you further explanation about BCPs and DRPs:

• Disaster recovery vs Business continuity https://advisera.com/27001academy/blog/2010/11/04/disaster-recovery-vs-business-continuity/
• What to implement first: ISO 22301 or ISO 27001? https://advisera.com/27001academy/blog/2017/04/03/what-to-implement-first-iso-22301-or-iso-27001/

Is there any process flow chart available that can be used for an audit process?

Unfortunately, we do not have a flow chart document available for performing an ISO management system audit, but the main steps you should consider are:

• Document review
• Creating the checklist
• Planning the main audit
• Performing the main audit
• Reporting
• Follow up

This article will provide you further explanation about performing an audit:

• How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

Questions about risk

Thank you

Product requirement Review record

It is absolutely OK not to make this record until you know that this is a more solid contact with potential customers. With this approach, you will fulfill the necessary requirement and be in compliance with ISO 13485:2016. 

For more details on complying with the latest changes in ISO 13485 clause 7.2.3 Communication, see the following link

Data Integrity

ISO 27001 makes use of a systematic management approach to help organizations:

• identify information security risks that can promise information confidentiality, integrity or availability (based on their context, objectives and interested parties needs)
• define proper controls to treat relevant risks (based on controls from Annex A, as well as from other sources of controls if needed), and expected information security performance results (i.e. information security objectives)
• periodically evaluate information security performance
• implement corrections and/or improvements based on achieved results

Regarding controls specifically related to protection of information integrity, these are some examples:

• A.10.1 Cryptographic controls
• A.12.5.1 Installation of software on operational systems
• A.9.4.4 Use of privileged utility programs 
• A.12.1.2 Change management

These articles will provide you further explanation about ISO 27001:

• The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
•  Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/

These materials will also help you regarding ISO 27001:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/