
  • Wording in ISO 9001


    Answer:

    You are correct: depending on the wording used, documented information is mandatory or not mandatory. These are the words used in ISO (International Standard Organization) and their definitions:

    - "shall" indicates a requirement
    - "should" indicates a recommendation
    - "may" is used to indicate that something is permitted
    - "can" is used to indicate that something is possible, for example, that an organization or individual is able to do something

    For more information about mandatory documentation in ISO 9001:2015, see these materials:
    - Article - List of mandatory documents required by ISO 9001:2015: https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
    - Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Book - Managing ISO documentation: a plain English guide: https://advisera.com/books/managing-iso-documentation-plain-english-guide/
    - Free online course - ISO 9001:2015 Foundations Course: https://advisera.com/training/iso-9001-foundations-course/
  • Relationship between QMS and Risk Management


    Answer:
    Following ISO 9001:2015, I recommend determining risks about:
    - the overall intended results for the QMS;
    - products and services provided by the organization; and
    - management system processes.
    Once the risks are determined, risk management includes analyzing and evaluating those risks, determining the most relevant ones and deciding what actions to develop in order to manage (control, eliminate, reduce, …) those risks. This way Risk Management allows an organization to focus on problematic areas and improve QMS performance and outcomes. For example, an organization can decide where to perform quality control or where to use Standard Operating Procedures, to minimize certain risks from happening.

    How should two departments QMS and Risk Management work together?

    Answer:
    The Risk Management Department can monitor risks and their classification and work with the Quality Department in defining and implementing action plans for the relevant risks.
    The following material will provide you information about competence:
    - Article – How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    - How to identify risk significance in ISO 9001:2015 - https://advisera.com/9001academy/blog/2019/01/14/how-to-identify-risk-significance-in-iso-90012015/
    - ISO 9001 document template: Procedure for Addressing Risks and Opportunities - https://advisera.com/9001academy/documentation/procedure-for-addressing-risks-and-opportunities/
    - Free course – ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • ISO 45001:2018 implementation


    Answer:
    The easiest way to implement your occupational health & safety management system (OHSMS) is to perform a gap analysis of what you already do against the requirements of the standard and then to put in place those things which you are missing. Every ‘shall’ requirement from the standard (anywhere that the word shall is used) represents something that you need to do in your OHSMS.
    If you are starting from having nothing in place, the order of the standard is also very useful to follow, as it mostly walks you through what needs to be put in place in the order that you might need to do so (for example, it starts with identifying what your organization is so that you can define the scope well). Unfortunately, there is no shortcut to implementing the processes that you do not already have, other than getting a helpful toolkit that will assist in documenting the processes.
    After implementation, you will need to use your processes and then review and correct them as time goes on.
    For a graphical representation of the ISO 45001:2018 implementation steps, see: Diagram of ISO 45001 Implementation Process, https://info.advisera.com/45001academy/free-download/diagram-of-iso-45001-implementation-process
  • ISO 27001 consultant's questions


    Answer: For ISO 27001 self-assessment, you can suggest that your customers use our free ISO 27001 Gap Analysis Tool at this link: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/

    It has a simple question-and-answer format that allows your customers to visualize which specific elements of an information security management system they’ve already implemented, and what they still need to do.

    2. Would it be possible to obtain just the flowchart diagram without reference to the source?

    Answer: It is not clear which flowchart diagram you are referring to, but each time you quote or use part of material from an ISO standard, or from the Advisera website, you need to refer to the source.
  • Monitoring a QMS


    Answer:
    You have a QMS with:
    * overall desired results (quality objectives); and
    * a set of processes (each process with one or more performance indicators).

    So, an organization can develop a QMS monitoring tool based on a scorecard with those topics:
    * what to measure;
    * target;
    * current performance;
    * monitoring frequency.

    The following material will provide you more information about QMS monitoring:
    - Article – Monitoring and Measurement: The basis for evidence-based decisions - https://advisera.com/9001academy/blog/2020/09/21/how-to-perform-monitoring-and-measurement-according-to-iso-9001/
    - Free course – ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Risk assessment on BCP


    1. Write the methodology (EBIOS: 2010 complying with ISO 27005)
    2. Prepare Metrics (confidentiality, Integrity, Availability, Impact, Likelihood, risk appetite, maturity of controls...)
    3. Risk management criteria
    4. Essential Assets (Process)
    5. Support Assets (Hardware, Software, network Links, persons, papers...)
    6. Link between Essential assets and support assets
    7. Threat sources (humans, non-humans...)
    8. Feared events (concerning the essential assets)
    9. Threats scenarios (concerning the support assets)
    10. Risk analysis (Impact, Likelihood, risk level, existing controls, Annex A, Prevention, protection, recovery, maturity, Action Plan, and recalculated Impact, Likelihood, Residual risk level, and acceptance of residual risk)

    Is this methodology correct? And what is next to do for continuing the implementation of BCP? I know I'm using the ISMS risk management methodology; is this right?

    Answer:

    First, it is important to note that risk assessment is mostly related to Business Impact Analysis (BIA), when you define which business processes and services are more critical, not Business Impact Plan (BCP), when you define actions to handle a disaster situation.

    Considering that, ISO 22301 does not prescribe which risk methodology approach to use, only that risk assessment must be performed, so you can adopt any methodology you see fit for your organization, and the risk assessment and treatment methodology for an ISO 27001 ISMS can be adopted.

    The single point of attention is that for business risk analysis you have to consider additional criteria beyond only confidentiality, integrity and availability (e.g., financial, environmental, etc.), so I'd suggest you also consult ISO 31000 as a reference, since it can provide additional criteria.

    These articles will provide you further explanation about BIA, BCP and ISO 31000:
    - Risk assessment vs. business impact analysis https://advisera.com/27001academy/knowledgebase/risk-assessment-vs-business-impact-analysis/
    - Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/
    - ISO 31000 and ISO 27001 – How are they related? https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/ (the concepts on this article can also be applied to ISO 22301).
  • Audit results


    Answer:

    Once the surveillance audit is concluded, the auditor must hold an audit closure meeting, informing, among other things, of the results of the audit:
    - any non-conformities (minor and/or major), opportunities for improvement, and observations identified
    - his recommendation for the certification body (certification maintenance, certification maintenance after presentation of an action plan to handle minor nonconformities, or certification on hold until major nonconformities are handled)

    After the audit closure meeting the auditor must deliver a copy of the audit report and, in case there are nonconformities to be handled, define a deadline for the delivery of the action plan / solving of major nonconformities.
  • Practice for collection of evidence


    Answer:

    ISO 27001 does not prescribe specific rules for evidence collection, and this is not a commonly used procedure, so we do not have a specific template, but these are good references you can look to for developing rules for your organization:
    - SANS Digital Forensics and Incident Response Blog: https://digital-forensics.sans.org/blog/2009/09/12/best-practices-in-digital-evidence-collection/
    - NIST Guide to Integrating Forensic Techniques into Incident Response: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-86.pdf
  • ISO 22301 continuity analysis and ISO 27001


    Answer:

    I'm assuming you are referring to Business Impact Analysis (BIA). Considering that, ISO 27001 is not required to implement the requirements of ISO 22301, so you do not need to apply ISO 27001 to carry out a business impact analysis compliant with ISO 22301.

    These articles will provide you further explanation about ISO 22301 and ISO 22301:
    - What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
    - What is ISO 22301 https://advisera.com/27001academy/what-is-iso-22301/
    - How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
  • Tool for carrying out security vulnerability assessment


    Answer:

    It's our policy not to make recommendations about specific tools, since the selection of a tool will depend on specific requirements and needs of each organization. Some features you can use to help you select a tool are:
    - Capability to work with multiple operational systems
    - Approach used to identify vulnerabilities (e.g., signatures database, heuristics, etc.)
    - Reporting generator module.