  • Complying with the context of the organization


    Answer:

    The standard does not require any particular format; moreover, regarding the context of the organization it does not require keeping any record or document. That said, I advise you to at least keep minutes of a meeting where some analysis is carried out to determine the context of the organization, such as a SWOT analysis (strengths, weaknesses, opportunities and threats). You can also develop a procedure to define systematically how the context of the organization is addressed; here you can see an example - Procedure for determining the context of the organization and interested parties: https://advisera.com/9001academy/es/documentation/procedimiento-para-determinar-el-contexto-de-la-organizacion-y-partes-interesadas/

    These materials can help you understand the context of the organization:
    - Article - How to identify the context of the organization in ISO 9001:2015: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/como-identificar-el-contexto-de-la-organizacion-en-iso-90012015/
    - Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free online course - ISO 9001:2015 Foundations Course: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
  • Continual improvement programs


    Answer:

    The CI program you have established can fulfill the first part of clause 10.3.1 because of the performance indicators and their effectiveness, as Kaizen events and Just Do It initiatives are typical Lean methods that lead to an increase in process effectiveness.

    Also, consider improvements in the manufacturing process to reduce process variation. This can be achieved by using Six Sigma, as it is the methodology used for reducing variation in the process.

    This clause additionally refers to risk analysis (such as FMEA), so please consider the article "What is FMEA and how to apply it in IATF 16949": https://advisera.com/16949academy/blog/2017/09/06/what-is-fmea-and-how-to-apply-it-in-iatf-16949/
  • Service Desk Manager


    Answer:
    The Service Desk is related to many activities within the scope of the organization's ITSM (see the article about SD types, "ITIL Service Desk types": https://advisera.com/20000academy/blog/2014/05/06/itil-service-desk-types/).
    Therefore, you as a Service Manager have to consider services, people involved in SD activities, customers/users, internal organization, processes, tools in use, etc. So, as you can see, many (sometimes different) areas have an influence on your activities. You can find more details in the following articles:
    "Service Desk: Single point of contact" https://advisera.com/20000academy/knowledgebase/service-desk-single-point-contact/
    "What is the job of the Service Desk Manager?" https://advisera.com/20000academy/blog/2016/09/20/what-is-the-job-of-the-service-desk-manager/
    "Service Desk staff – a window to the IT organization" https://advisera.com/20000academy/blog/2014/02/18/service-desk-staff-window-organization/
  • ISO 27001 implementation


    Answer:

    Although knowledge of PM and BA can make the ISO 27001 implementation easier, this knowledge is not mandatory, because there are at least three approaches to an ISMS implementation:
    - Use your own staff to implement the ISMS (this is the case where knowledge of PM and BA is most needed)
    - Use a consultant to perform most of the effort to implement the ISMS
    - Use a consultant only to support the staff on specific issues, leaving the organization's staff with most of the implementation effort.

    Each one of them has its advantages and disadvantages. For more information, I suggest the following materials:
    - 3 strategic options to implement any ISO https://advisera.com/blog/2016/04/11/3-strategic-options-to-implement-any-iso-standard/
    - Implementing ISO 27001 with a consultant vs. DIY approach https://info.advisera.com/27001academy/free-download/implementing-iso-27001-with-a-consultant-vs-diy-approach

    These materials will also help you regarding ISO 27001 implementation:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - Diagram of ISO 27001:2013 Implementation https://info.advisera.com/27001academy/free-download/diagram-of-iso-27001-implementation-process
    - ISO 27001 Documentation Toolkit https://advisera.com/27001academy/iso-27001-documentation-toolkit/
  • Information Security Objectives


    Answer:

    ISO 27001 does not prescribe a minimum number of information security objectives, so each organization can define as many objectives as it sees fit for its business. Normally 3 to 4 objectives allow an ISMS to support the business properly (e.g., one operational objective, one financial objective, one business objective, and one compliance objective).

    This article will provide you further explanation about information security objectives:
    - ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
  • Toolkit content


    Answer: This 2017 version refers to the British version of ISO 27001 (BS EN ISO/IEC 27001:2017), which does not include any change that impacts the requirements defined by ISO 27001:2013, so updating the toolkit is not necessary.

    This article will provide you further information:
    - European 2017 Revision of ISO/IEC 27001: What has changed? https://advisera.com/27001academy/blog/2017/10/25/european-2017-revision-of-isoiec-27001-what-has-changed/

    2. In particular, I miss, of course, Chapter 18 of Annex 27002.

    In addition, I miss further documents which are requested in the annex of the ISO; as examples, the following come to mind ad hoc:
    · Contact with authorities
    · Contact with special interest groups

    I will continue to look at the package. Maybe then I have more questions.

    Answer: First of all, sorry for this confusion.

    The documents from section A.18 are not missing from the toolkit – you can find them here:
    - A.18 – these documents are covered in the toolkit in folder "02 Procedure for identification of requirements”

    Not every control needs to be documented, and to avoid unnecessary administrative work the toolkit includes only the mandatory documents plus the most common ones.

    In the root folder of the toolkit you'll find a document called “List of Documents” that explains which control/clause is covered by which document, and which documents are mandatory.

    In case your implementation requires the mentioned controls, or other controls not covered by the toolkit, you can contact us by email or schedule a meeting and we can provide the support to develop these documents.
  • Objectives, risks and opportunities and the HR department


    Answer:

    1. What kind of outcomes does your organization's top management expect from the HR department? This will most likely depend on your context. I can imagine things like:

    - No problems with compliance obligations;
    - Ability to find skilled candidates;
    - Contract people that will stay with the organization;
    - Contract a diversified set of persons;
    - Provide timely and effective training;
    - Promote the right people;
    - Getting a certain people turnover;


    Now you can choose which topics are more relevant and translate them into objectives that could be used to monitor and evaluate HR department performance.

    2. Risk is about possible conditions that can affect an organization's ability to meet expected, desired results, or that can promote undesirable results.

    Picking the list of desired outcomes above, what can happen that affects each one, positively or negatively?

    - Insufficient awareness of changes in compliance obligations;
    - A strong economy is starving the number of skilled candidates;
    - A good reputation can help find skilled candidates;
    - Using the lowest price as the criterion to contract trainers can affect the training effectiveness rate;


    The following material will provide you with more information about quality objectives and risks and opportunities:
    - How to Write Good Quality Objectives - https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
    - How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    - White paper - Case study for ISO 9001:2015 transition in a construction company - https://info.advisera.com/hubfs/9001Academy/9001Academy_FreeDownloads/Case_study_for_ISO_9001_2015_transition_in_construction_company_EN.pdf
    - Free online training - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • ISMS


    (The IT mission of a company is managed (development, operations, support) by a third party, for which this operation means 90% of its business. The decision has been taken to acquire that company, which is certified to ISO 27001. The main company has its own ISMS, but with different criteria, methodologies and procedures. It is necessary to "keep" the current certificate. What could be the alternatives to adopt / adjust / integrate the ISMS? Which may require less effort? Which could be less risky (in terms of losing the certificate)?)

    Answer:

    First, it is important to note that if both the main organization and the acquired organization are ISO 27001 certified, then at first the best strategy is to keep both certificates (i.e., work with two separate scopes), so as not to affect your current operation during the transition period.

    Considering a second moment, the solution which requires the least effort regarding risk management is for you to identify how risks from one methodology can be translated to the other, so you can have comparable results. For example, if for methodology 1 the risks are valued from 1 to 3 and for methodology 2 they are valued from 1 to 5, the risks identified by methodology 1 must be divided by 0.6 (3/5) to be compared to risks identified by methodology 2. For the reverse path, the risks identified by methodology 2 must be multiplied by 0.6 (3/5) to be compared to risks identified by methodology 1.

    This way you do not need to change anything in the existing frameworks, but the trade-off is that you will have more administrative effort to keep managing two different risk methodologies. You can adopt this alternative until you define a single approach for all risks (i.e., methodology and criteria).

    As for procedures, at first you can keep all procedures and define a schedule to evaluate similar procedures and how to integrate them.

    You should also consult with your certification body (or bodies) about how to integrate the ISMSs from the certification perspective.
  • Handling nonconformities


    Answer: I'm assuming you are referring to control A.6.1.5 - Information security in project management.

    First, it is important to note that there are many similarities with implementing an ISMS in an organisation that you can use to drive the implementation of this control in a specific project:

    1 – You have to define information security objectives and include them in the project objectives, the same way you define information security objectives for an ISMS aligned with the organization's objectives; the only difference is that these objectives are restricted to the scope of the project

    2 – You have to perform, at the beginning and periodically, information risk assessments in the project, like you would do with other business processes, to identify necessary controls

    3 – You have to ensure that information security practices are part of all phases of the project (e.g., from the issue of the project charter to project closing)

    In short, you can think of the inclusion of information security in project management as if you were going to implement a small ISMS that will fit the project's needs and will be proportional to the project's lifetime and budget.

    Considering this, you would be using the same documents you use for an ISMS applied to your organization (there is no need for documents specific to managing information security in a project), and for any nonconformity related to ISO 27001 you can use a document called Corrective Action Form, which describes the nonconformity and its cause, defines corrective / preventive actions, and defines the verification method for their implementation.

    To see what this document looks like, I suggest you take a look at this free demo: https://advisera.com/27001academy/documentation/procedure-for-document-and-record-control/

    This article will provide you with further explanation about nonconformities:
    - Practical use of corrective actions for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2013/12/09/practical-use-of-corrective-actions-for-iso-27001-and-iso-22301/
  • ISO 45001 implementation and integration


    Answer:
    Implementing ISO 45001:2018 follows a fairly simple path, common to all ISO management system implementations, where you identify the requirements that need to be put in place (including ISO 45001 as well as legal and other requirements), then you identify how you will satisfy these requirements for the organization. Using this information, you put in place the policies, processes and procedures needed to meet all requirements, use the processes to gather records, and monitor and improve the management system through internal audit, management review and corrective action. Finally, you will have auditors from a certification body come to verify that your processes meet the requirements of ISO 45001.

    A more thorough diagram of this implementation process can be found here: Diagram of ISO 45001 Implementation Process, https://info.advisera.com/45001academy/free-download/diagram-of-iso-45001-implementation-process

    As for incorporating ISO 45001 into an IMS, this is certainly possible and often preferred. Both standards now follow the same document structure, so it is easy to see what is common, such as internal audit, control of documented information and management review. In this way you can even use the same processes and procedures for these common elements and ensure that you cover both aspects of the processes.

    You may find it helpful to read the free whitepaper: How to integrate ISO 45001 with ISO 9001 and ISO 14001, https://advisera.com/45001academy/blog/2018/09/12/how-to-integrate-iso-45001-with-iso-9001-and-iso-14001/