Search results

Home / Search

Category:

Sort by:

Select

Types of user:

Select

11272 results

Guest

Create New Topic As guest or Sign in

Business department* About business* Organization size*

Title *

Body *

HTML tags are not allowed

Category *

Select

Assign topic to the user

Select user

External process performance measurements

Let us look into a process:

First, think about the purpose of the process: Why does this process exist? What is the rationale for its existence? Consider a process, any process, for example:
- Manufacture parts.
What can be the purpose of this process?
- Comply with the production plan, without defects and at budgeted cost
How will you know that the purpose is being met?

One way of measuring performance is at a macro level, measuring the purpose effectiveness.

For this particular case indicators can be:
- production plan compliance rate;
- defects rate;
- deviation from budget, or unitary cost.
Another way of measuring process performance is at micro or internal level. Let us zoom and see what is happening inside the “Manufacture parts” process:

Whenever I see a flowchart of a process, I think about possible indicators of process performance, mainly efficiency indicators:
- 1 – output rate (units/hour)
- 2 and 3 – defects rate
Whenever you see a decision box in a flowchart you can check if there are any relevant indicators concerning rates (rate of good over bad, rate of one decision over another decision)

A third kind of indicator is about quantity. For example:
- How many orders were processed?
- How many units were produced?
Please consider our free webinar on demand - Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/ There one can find the rationale for developing effectiveness indicators and a monitoring plan:

On our free webinar on demand – The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/ one can find an example of a flowchart that describes the flow of activities.

The following material will provide you information about indicators:
- Article – ISO 9001: The importance of the process approach - https://advisera.com/9001academy/blog/2015/12/01/iso-9001-the-importance-of-the-process-approach/
- Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
ISO 14001 individual vs consultant implementation

Yes, you can do it yourself. It probably won't be as fast as with a consultant, but it will be more economical.

If you decide to go by yourself Advisera can help you:
- You can enroll for free in our online ISO 14001:2015 Lead Implementer Course - https://advisera.com/training/iso-14001-lead-implementer-course/ - first part is about the ISO 14001:2015 foundations, the second part is about good implementation practices.
- You can develop your own documentation, or you can Advisera’s ISO 14001:2015 Documentation Toolkit - https://advisera.com/14001academy/iso-14001-documentation-toolkit/ - fully customizable and with one-on-one online consultation
- You can access Advisera’s free ISO 14001 materials - https://advisera.com/14001academy/free-downloads/ and our blog with many articles – like these two:
  Article - 4 steps in identification and evaluation of environmental aspects - https://advisera.com/14001academy/knowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/
  Article - Environmental aspect identification and classification - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/environmental-aspect-identification-and-classification/
- You can watch free webinars on demand – ISO 14001Webinars - https://advisera.com/14001academy/webinars/
Probably you will need some help on environmental legislation. Perhaps you can use a economic sector association, or a legal consultant or a environmental legislation software service company.
Adoption of ISO 27001

1. We have been told by a client (a bank) that we need to become ISO27001 accredited as a company to meet their security standards.
But we are only a small organisation and do not have in-house IT people.
Would you recommend we contract an IT consultant for some time and use your framework?

First is important to note that:
- ISO 27001 was designed to be applicable to organizations of any size and industry, so even if you are a small organization ISO 27001 can help you
- Information security goes much beyond the IT environment (you have to handle information security risk related to suppliers, employees, physical documents, etc.)
Regarding the implementation approach, there are three major options:
a) using your own personnel
b) hiring a consultant
c) using a DIY approach with external support

All of them have their advantages and disadvantages, considering time, cost, effort, and preservation of knowledge, and you should consider these factors to decide which approach is best for you.

These articles will provide you further explanation about ISO 27001:
- What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
- Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
- Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/
- 3 strategic options to implement any ISO standard https://advisera.com/blog/2016/04/11/3-strategic-options-to-implement-any-iso-standard/
These materials will also help you regarding ISO 27001:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
2. How do you work with clients like us? I’m not sure where to start?

Our ISO 27001 Toolkit follows the "DIY with external support" approach, and by which you stated about your business, it is the right solution for you. The templates in the toolkit are 90% completed and you only have to include the information about your organization and the specifics about the controls that will be used.

The templates have lots of comments that will help you including your information. And if you are stuck at any moment in the process, you can contact us through e-mail (there is no limit for how many emails you can send), or schedule online meetings with one of our experts.
Template content

These are two separate requirements.

The phrase about the e-mail message refers to business messages, sent through approved business channels. The phrase about the message on a message exchange system refers to personal messages posted on non-business channels.

Please note that sometimes, when people know where you work, comments posted on social media can be interpreted by others as your organization's point of view. That's why many organizations have internal rules orienting their employees to not make comments related to work (in most cases if you want to include your organization in your timeline, organizations suggest you share organization's posts). These suggestions are not requirements of ISO 27001, but good practices. You can decide for yourself whether to apply this or not.
Developing documents

To see how documents which cover the requirements you mentioned, considering ISO 27001, looks like, I suggest you to take a look at these free demos:
- Management commitment, roles, responsibilities, and authorities: Information Security Policy https://advisera.com/27001academy/documentation/information-security-policy/
- Competence and awareness: Training and Awareness Plan https://advisera.com/27001academy/documentation/training-and-awareness-plan/
- Control of documented information: Procedure for Document and Record Control https://advisera.com/27001academy/documentation/procedure-for-document-and-record-control/
Please note that ISO 27001 and ISO 22301 does not require Context of organization and Business continuity strategy to be documented, but as a good practice you can use this template for Business continuity strategy:
- Business Continuity Strategy https://advisera.com/27001academy/documentation/business-continuity-strategy/
These articles will provide you further explanation about developing documents:
- How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
- How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
- How to demonstrate resource provision in ISO 27001 https://advisera.com/27001academy/blog/2017/04/10/how-to-demonstrate-resource-provision-in-iso-27001/
Regarding answers to requirements in audits, the documents themselves, and the presentation of any records listed in these templates will help you succeed in the audit.

These articles will provide you information about preparing for audits:
- Becoming ISO 27001 certified – How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/
- Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/
- Infographic: The brain of an ISO auditor – What to expect at a certification audit https://advisera.com/articles/infographic-the-brain-of-an-iso-auditor-what-to-expect-at-a-certification-audit/
ISO 20000 vs ISO 9001

A Service Management System (SMS) based on ISO/IEC 20000-1uses more detailed and industry-specific requirement. Yes, we can argue that same requirements are also included in the ISO 9001:2015 QMS - although with a more generic approach i.e. on higher level. So, if you want to manage your services, SMS is right „tool“ for you.

See comparison of both standard sin this free whitepaper (please note, it's written for 2011 revision of the ISO 20000-1 standard – but it will give you good idea): ISO/IEC 20000-1:2011 vs. ISO 9001:2015 matrixhttps://info.advisera.com/20000academy/free-download/iso-iec-20000-1-2011-vs-iso-9001-2015-matrix
Roles and Responsibilities document

Ignore this question, I found the answer here:

https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
BIA and RTO

1. How to determine RTO? It is clear for MTPD.

The RTO is defined after you cross-examine MTPD between different interdependent activities - in some cases, RTO will remain the same as MTDP, and in some cases (where the related activity requires a quicker recovery) it will be lower.

2. Who determines RTO? Department responsible for critical activities or Department responsible for resources supporting critical activities (IT, logistics, …)?

The RTO is related to business needs, so the responsible for the impacted activity must be the one to define the RTO, but is important that this person consults the responsible for supporting resources, to find the best balance between business needs and available resources (the smaller the ROT, the more resources you will need).

3. About your example during the webinar, if RTO of IT is 8 hours and RTO of one critical activity is 4 hours and this one depends on IT. So which RTO will be considered?

When considering the interdependency of activities, you always need to consider first the RTO related to the business activity. In the example, since the RTO of the critical activity is 4h, this one must be the RTO to be considered (in case you consider the RTO for IT, the critical activity will not be recovered in a proper time).

For more information, please read the following article:
- How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
Procedure for Document and Record Control

If documents created by an employee and sent directly to the client without the approval of another person of the organization is an acceptable risk to your organization, then you can include an "exception" in this section like:

"Except for client project work documents, all other documents regardless of whether they are new documents or new versions of existing documents must be approved by [job title ]. Client project work documents are considered approved by the employee who has created/reviewed it."

Please note that as a good practice for projects, the project manager should review/approve the documents, since they will be sent to the client.
Cyber-attack contingency plan template

Unfortunately, we do not have a specific cyber-attack contingency plan. Our templates are provided as a general basis for the development of specific contingency plan scenarios, so you can use them to define the activities, resources, and responsibilities required to be a contingency for a cyber-attack.

Please take a look at these free demos to see how contingency plan looks like:
- Business Continuity Plan https://advisera.com/27001academy/documentation/business-continuity-plan/
- Disaster Recovery Plan https://advisera.com/27001academy/documentation/disaster-recovery-plan/
This article will provide you further explanation about developing a BCP and a DRP:
- Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/
- How to define activities when implementing business continuity according to ISO 22301 https://advisera.com/27001academy/blog/2013/11/11/how-to-define-activities-when-implementing-business-continuity-according-to-iso-22301/