ISO 27001 does not prescribe how documentation must be elaborated, so organizations can develop documents in the way that best suits their needs.
The main criteria for deciding whether or not to merge documents are whether they have similar purposes and whether the merged document would not become too big to understand and read. So, in this particular case, if your single document does not become too big to use and manage, it may be best to merge them, so you have fewer documents to manage in your ISMS.
These articles will provide you with further explanation about developing policies:
We're not experts in this field, but in general an ISAE 3402 Type II Audit/Report (SOC 2) reports on various organizational controls related to security, availability, processing integrity, confidentiality or privacy, and considering that the ISMS scope is related to the scope of the ISAE 3402 report, it seems perfectly possible to use ISMS outputs in your ISAE 3402 report.
The ISMS provides a framework for the implementation, operation, and improvement of information security, while ISAE 3402 is a verification that the implemented measures are working as expected.
This information (from the official site of the American Institute of CPAs) about SOC 2 and ISO 27001 may be of interest to you: https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/othermapping/trust-services-map-to-iso-27001.xlsx
This timing differs from one certification body to another - some certification bodies allow you to go for certification after you finish the internal audit and management review and close most of your corrective actions; others require a 3-month period of ISMS operation before you can start the certification process.
So the point is - you should ask for quotes from a couple of certification bodies and ask them to specify their requirements.
These articles will help you:
1. We are preparing this table for the first time. When listing an asset, is it ok to use a generic category for the asset so that it includes multiple real assets, or must each real asset be listed individually? For example, if I have 10 desktop computers, must each be listed separately or can I make one entry for "desktop computer" assuming the risks are the same for all 10?
ISO 27001 does not prescribe how to perform the risk assessment, only that it must be performed, so organizations are free to perform it in the way that best suits them.
In fact, grouping assets with similar risks into a single category, as you exemplified, is a common practice, and it is perfectly acceptable to certification auditors.
Please note that included in your toolkit you have access to a video tutorial that can help you fill in the risk assessment table, presenting examples with real data.
My second question is about the existing control column. Is it ok to list a preventative measure that has not been documented in a policy, or must it be an explicit control that is documented? For example, if I have a server that is vulnerable to power failure, can I list the existing control simply as "the server is plugged into a UPS", or must I cite a policy document that indicates all servers must be plugged into a UPS? Again, this is the first time this document is being written, and we understand that we will need documented controls for the Risk Treatment Table.
As long as the control is implemented, there is no problem in mentioning it in the existing control column of the risk assessment table, even if it is not documented at the moment the risk assessment is performed.
Please note that ISO 27001 does not require you to write documents for each and every control. Only some controls will need to be documented later on as part of your ISO 27001 implementation - see the PDF document "List of documents" in the root folder of your toolkit to see which documents (and their related controls) need to be written down.
For further information, see:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
Having AS9100 scope for one aerospace product line and ISO 9001 scope for other parts of your organization is an acceptable thing to do, and I understand why you would want to do so. Just ensure you talk to your certification body about the scope change.
Examples of internal issues include: organizational structure, strategic direction, capabilities of employees, poor customer satisfaction, obsolete equipment, organizational culture, contractual agreements, loss of key personnel, etc.
Examples of external issues can be: oil price changes, political stability, changes in trade agreements, changes in exchange rates, technology shifts, loss of a main supplier, changes in laws and regulations, etc.
Examples of risks: a key supplier fails because it goes bankrupt, limited raw materials are available due to a natural disaster, employee turnover is high, etc.
The following material will provide you more information about the context of the organization and risk based thinking:
- How to identify the context of the organization in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
- How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
- Please check this free webinar on demand - Free webinar – How to implement risk management in ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
All elements of ISO 9001 are applicable in the service industry. ISO 9001 is written in language that makes it applicable both to the production of products and to the provision of services.
You can find more information about ISO 9001 implementation in the following links:
- What is ISO 9001? - https://advisera.com/9001academy/what-is-iso-9001/
- Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/
- Managing Production and Service Provision using ISO 9001 - https://advisera.com/9001academy/blog/2017/11/21/managing-production-and-service-provision-using-iso-9001/
- Free webinar on demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
Can you please advise what a face mask with CE 0197 and ISO 13485 carries, and what it corresponds to in terms of BFC etc.?
You can find the story of ISO 9001 in this article - The history and future of the ISO 9000 series of standards - https://advisera.com/9001academy/blog/2019/04/15/history-of-the-iso-9000-series-of-standards-and-what-to-expect-next/ and the process of developing ISO standards in this article from ISO - Stages and Resources for Standards Development - https://www.iso.org/stages-and-resources-for-standards-development.html
If after a deep analysis of your system you haven't recognized a need for Special Characteristics relating to safety, meaning characteristics which can affect safety or compliance with regulations, fit, function, and also customer safety or employee safety in the production area, it is okay to say that you have no Special Characteristics regarding safety.
Special Characteristics represent product or process characteristics that can affect safety compliance, regulatory compliance, fit, function, performance, requirements, or subsequent processing of the product. Special Characteristics must be documented in drawings, FMEA analysis, the Control Plan, the Auto-control Plan, and work instructions. Special Characteristics must be marked with a symbol and a definition, and presented to the customer in that way. If there are Special Characteristics, there has to be a strategy for controlling and monitoring them, and customer approval.
If the Tier 2, Tier 1, or OEM customers haven't recognized a need for product safety characteristics, it is a good sign that there is no need for Special Characteristics, since their requirements are often stricter than the IATF 16949 standard itself. The recommendation is to check your system once again and do a deep analysis, just to be sure you haven't missed something.
NOTE: VW AG's suppliers are required to appoint and employ a product safety representative. This applies both to the OEM directly and to the whole supply chain.
For more information, please see the following article:
Ensuring product safety according to IATF 16949 https://advisera.com/16949academy/blog/2017/09/20/ensuring-product-safety-according-to-iatf-16949/