Risk assessment for third-parties is not different from the risk assessment performed for your own organization, so you can use the same templates included in this ISO 27001/ISO 22301 Risk Assessment Toolkit at this link: https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/
The templates included in this toolkit will help you implement risk assessment and treatment compliant with ISO 27001 & ISO 22301:
These materials will provide you further explanation about risk assessment:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
You should include in the document and record control of your Quality Management System only those financial/accounting documents and records that are related to fulfilling customer and third-party requirements or conformity to product requirements.
For instance, certain procedures such as the accounts receivable procedure, which describes the credit check process and the sales order approval process; work instructions for those positions that are related to customers/suppliers (e.g. Sales Order Entry, Purchase Order Entry, etc.); documents related to inventory control or budget allocation; etc.
You can also see these materials to help you with the document and record control of the finance department:
- New approach to document and record control in ISO 9001:2015: https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
- Book – Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
- Free on-line training – ISO 9001:2015 Foundations: https://advisera.com/training/iso-9001-foundations-course/
It is possible to accumulate the Lead Auditor and Lead Implementer competences.
In fact, a consultant who knows both how to implement the standard and the criteria and methods by which the certification auditor will perform the audit can better guide an organization through its implementation and certification process, adapting policies, procedures, and controls in a better way.
These articles will provide you further explanation about Lead Auditor and Lead Implementer:
- What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
- What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
- Lead Auditor Course vs. Lead Implementer Course – Which one to go for? https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/
ISO 9001 mandatory documents that are not part of ISO 27001 certification are:
- Scope of the QMS (clause 4.3)
- Quality policy (clause 5.2)
- Quality objectives (clause 6.2)
- Criteria for evaluation and selection of suppliers (clause 8.4.1)
And these are the mandatory records for ISO 9001 that are not part of ISO 27001 certification:
- Monitoring and measuring equipment calibration records* (clause 7.1.5.1)
- Product/service requirements review records (clause 8.2.3.2)
- Record about design and development outputs review* (clause 8.3.2)
- Records about design and development inputs* (clause 8.3.3)
- Records of design and development controls* (clause 8.3.4)
- Records of design and development outputs* (clause 8.3.5)
- Design and development changes records* (clause 8.3.6)
- Characteristics of product to be produced and service to be provided (clause 8.5.1)
- Records about customer property (clause 8.5.3)
- Production/service provision change control records (clause 8.5.6)
- Record of conformity of product/service with acceptance criteria (clause 8.6)
- Record of nonconforming outputs (clause 8.7.2)
Please note that there are also other documents that are not mandatory for ISO 9001 but are commonly used (again, only those not also used for ISO 27001are listed here):
- Procedure for addressing risks and opportunities (clause 6.1)
- Procedure for competence, training, and awareness (clauses 7.1.2, 7.2 and 7.3)
- Procedure for equipment maintenance and measuring equipment (clause 7.1.5)
- Sales procedure (clause 8.2)
- Procedure for design and development (clause 8.3)
- Procedure for production and service provision (clause 8.5)
- Warehousing procedure (clause 8.5.4)
- Procedure for monitoring customer satisfaction (clause 9.1.2)
For more information, please see:
- List of mandatory documents required by ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
- How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/
No, you do not need to update all technical file documents to the new version. You just mark the changed documents as v 2.1, and the rest of the documents that did not change you can leave at version 2.0.
What you have is good, as long as it gives you enough information going forward.
One interesting thing about this clause of the standard is that it does not require documented information, so any documentation you keep on the needs and expectations of interested parties is in addition to what the standard requires; just make sure that it has enough information for you and your management team to be able to assess that they understand the needs as they review them on an ongoing basis.
Considering the scenario where you consider your likelihood scale OK, you have these alternatives to justify not creating a BCP for flood:
Please note that the easiest way still is adjusting your likelihood scale so flood likelihood is smaller than fire likelihood. For example, you could use a scale like:
5 - likely to happen within 1 month
4 - likely to happen within 1 year
3 - likely to happen within 3 years
2 - likely to happen within 5 years
1 - likely to happen after 5 years
ISO 22301 does not prescribe any format as the input source of legal, contractual and other requirements, so it is acceptable to use the transcript of questionnaires or interviews where they are mentioned. However, it is important to note that if they are related to provided products or services, instead of using the transcript as the register, you should consider writing them into formal documents like contracts or service agreements, considering the potential for legal disputes or actions.
Finally, all such requirements (no matter in which form they are expressed) have to be listed in the List of legal, regulatory and contractual requirements.
It is not clear which policy you are talking about, but the information you mention can be found in the following:
- Document retention: each policy and procedure has a section called "Managing records kept on the basis of this document" where you define topics for document retention, such as retention time and disposal method
- Individual user agreement: this information can be found in these templates: Confidentiality statement (https://advisera.com/27001academy/documentation/confidentiality-statement/), and Security Clauses for Partners and Suppliers (https://advisera.com/27001academy/documentation/security-clauses-for-suppliers-and-partners/) which can also be used for employment contracts
- Reporting InfoSec Weaknesses and Events: this information can be found in the template Incident management procedure: https://advisera.com/27001academy/documentation/incident-management-procedure/
- Responding to InfoSec Reports: I'm assuming that by this one you are referring to the response to information security incidents. In this case this information can also be found in the template Incident management procedure
- Rules for use of e-mail can be found in the template IT security policy: https://advisera.com/27001academy/documentation/it-security-policy/
I will consider three levels:
Each organization has the authority to determine the competency requirements for its internal auditors. As a minimum, an internal auditor should have knowledge of ISO 14001 and knowledge of good auditing practices. Someone wanting to become an internal auditor can start with this course: ISO 14001:2015 Internal Auditor Course - https://advisera.com/training/iso-14001-internal-auditor-course/
After that course the new internal auditor can start performing internal audits. Starting in a known environment and with known auditees helps a lot in the first audits. Smaller audits can be done, frequent audits can be done, several techniques can be tested, and this helps build trust in your own capabilities as a time and stress manager.
After several internal audits you can start trying a new environment, performing internal audits as an external auditor. That will test your ability to audit with different people, with different operations and with different cultures.
Whenever you think you are prepared to become a lead auditor you can start a course like this one: ISO 14001:2015 Lead Auditor Course - https://advisera.com/training/iso-14001-lead-auditor-course/
After that course you can contact several certification bodies and give them your CV, stressing your experience and qualifications.
Complement your training with reading whatever you can find about preparing, performing and reporting an audit. I find it useful to discover new tools to use during an audit and to learn what other professionals think. You can start with these articles and book: