
  • Integrating ISO 14001 & ISO 45001 into ISO 9001


    Answer:
    As you have indicated, many of the processes are similar between the three standards, such as internal audit and management review, so creating an integrated management system does not add three times the work. The main processes to add onto the ISO 9001:2015 QMS would be:
    For ISO 14001:2015 EMS, environmental aspect and impact assessment (how the company interacts and affects the environment), determining environmental legal requirements and compliance and preparation for emergency response.
    For ISO 45001:2018 OHSMS, consultation and participation of workers, hazard identification and assessment, OH&S determining legal requirements and compliance, elimination of hazards, preparation for emergency response and the addition of incident investigation into the corrective action process.

    For a better understanding of how to integrate these standards, see the whitepaper: How to integrate ISO 9001, ISO 14001 and ISO 45001, https://info.advisera.com/9001academy/free-download/how-to-integrate-iso-9001-iso-14001-and-iso-45001
  • ISO 45001: Support, Operation and Performance


    Answer:
    The first thing to note is that ISO 45001:2018 does not require an OH&S manual, but you can choose to write one if you find this useful to collect your information. So, it is not a requirement to go through everything in the standard and say how you do it. The three main topics you are asking about cover the following sub-clauses in the standard:
    Support – This clause talks about how you identify resources for the OHSMS, define and ensure competence for activities, raise awareness of the OHSMS, communicate both internally and externally, and how you manage your documents and records.
    Operation – This clause talks about controlling your operations through hazard elimination and reducing risks, managing change and ensuring that necessary OH&S information is part of your procurement activities. Further, you need to plan for potential emergencies.
    Performance evaluation – This clause talks about how you monitor and measure processes, perform internal audit, and conduct management review of the OHSMS.

    For a better understanding of the clauses of ISO 45001:2018, see the whitepaper: Clause-by-clause explanation of ISO 45001:2018, https://info.advisera.com/45001academy/free-download/clause-by-clause-explanation-of-iso-45001
  • Risk and asset owner


    Hello, I have a doubt in the risk analysis. Can I have 1 asset, with 1 owner of the risk, other than the owner of the asset, and then also transfer the risk of this asset to a third party? For example:

    CCTV camera and video recorder
    risk owner: the person responsible for maintenance
    asset owner: the IT manager
    But: we want to transfer the risk to an external company that will also be responsible for daily maintenance, and we will apply the subsequent controls.

    Can you confirm if it is possible to do it this way with some assets?

    Answer:

    Your assumption is correct. You can have the risk owner as a different person from the asset owner, and transferring the risk is an acceptable risk treatment option.

    These articles will provide you further explanation about asset and risk owners and risk treatment options:
    - Risk owners vs. asset owners in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
    - 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/
  • Defining ISMS scope and access profiles


    Before I ask you a question, I put you in a situation: my company previously carried out a risk analysis, for which we have said analysis and the declaration of applicability (apply everything). To advance in the objective of obtaining the ISO 27001 certification, a person responsible for legal compliance was incorporated into our company and has taken the lead to achieve this certification; he analyzed the data mentioned above and asked IT for security policies (this is the reason for the acquisition of the templates: the creation of our policies based on these templates).

    1 - Well, in our company we have our own and external applications hosted in our CPD, but we also use others as cloud services. My question is: are these cloud applications used as services within the scope of the ISMS? I think so because they are involved in the company's processes, but I need your opinion.

    Answer:

    If these cloud applications store or process information you want the ISMS to protect, then you have to include them in the ISMS scope.

    For further information, please see:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
    - How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/

    2 - Another question: in the access control policy, in section 3 you have established in the template user profiles and rights. Are these systems each and every application within the scope of the ISMS, or are they processes (where there may be more than one application used)?

    Answer:

    The access profiles refer not only to systems, but also to networks and facilities included in the ISMS scope. Please note that you should consider each profile covering as many elements as possible so you do not end up with a great number of profiles to manage.
  • ISO 27001 Objective measurement document

    Hi @PiersAnderson, I have sent you more information about the upgrade options directly at your email address. Thank you.

  • Purchasing and supplier evaluation


    Answer:

    Indeed, in that case it would not be necessary to evaluate that supplier. However, you should also think about the other types of suppliers your company has if the scope of the management system covers the whole organization. For example, delivery service providers, office supply vendors, software- and hardware-related suppliers, etc. It would also include work your company subcontracts, for example an HR company for staff recruitment, a company that designs or manages your website, etc. So you will most likely need this supplier evaluation document.

    For more information about supplier evaluation, you can see the following materials:
    - Article - How to evaluate supplier performance according to ISO 9001:2015: https://advisera.com/9001academy/blog/2015/10/27/how-to-evaluate-supplier-performance-according-to-iso-90012015/
    - Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free online course - ISO 9001:2015 Foundations Course: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
  • ISO 20000 certification


    Answer:
    I assume you'd like to know what the certification process looks like. Here is the article which explains the certification process:
    "Process to obtain ISO/IEC 20000 certification: Companies and individuals" https://advisera.com/20000academy/knowledgebase/iso-20000-certification-the-process-of-obtaining-a-certifica/

    This book can help you further:
    PREPARING FOR ISO CERTIFICATION AUDIT: A PLAIN ENGLISH GUIDE https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/

    and this webinar (applicable also to ISO 20000 implementation):
    ISO 27001/ISO 22301: The certification process https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/
  • Document control


    Answer: ISO requirements for document control refer to:
    - documented information required by the Standard (e.g., results of risk assessment and treatment, internal audit program and reports, etc.)
    - documented information determined by the organization as necessary for the ISMS

    Considering that, for the organization's documents you must include only those related to the ISMS scope, i.e., the information you want to protect, and this most likely won't mean all information, either because it would be too expensive to protect all of it, or because of the different values it has to the business.
    This article will provide you further explanation about document control:
    - Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/
    This material will also help you regarding document control:
    - Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
  • Hybrid approach for risk assessment


    Answer: ISO 27001 does not prescribe any approach for risk assessment, so you can adopt the one that better suits your organization, even a hybrid one. The same applies to the process/methodology. You can create your own, provided it fulfills the requirements of the standard.

    But please note that you have to verify whether the benefits of adopting a hybrid approach will be greater than the complexity required to perform it.

    For information about alternative approaches for risk identification, please read:
    - ISO 31010: What to use instead of the asset-based approach for ISO 27001 risk identification https://advisera.com/27001academy/blog/2016/04/04/iso-31010-what-to-use-instead-of-the-asset-based-approach-for-iso-27001-risk-identification/
  • ISO 27001 implementation case studies


    Answer: For case studies I suggest these articles:
    - ISO 27001 Case study for data centers: An interview with Goran Djoreski https://advisera.com/27001academy/blog/2013/10/29/iso-27001-case-study-for-data-centers-an-interview-with-goran-djoreski/
    - A success story about implementation of ISO 27001 and 9001: How online platform Doccle did it https://advisera.com/27001academy/blog/2019/04/08/a-success-story-about-implementation-of-iso-27001-and-9001-how-online-platform-doccle-did-it/