>1. In such a situation, would organisations need to implement an ISMS based on the ISO version or the nationalized version?
Answer: This decision will depend mostly on whether you have contracts, laws or regulations demanding the implementation of the nationalized version. If not, the best course of action would be to go for the ISO version.
>2. Is the nationalized version only for understanding the standard and not for accreditation?
Answer: The nationalized version is as good for certification as the ISO version, with the limitation that it will be recognized only in the country that released it. Sometimes the nationalized version includes additional requirements for a specific country, but these are not in conflict with the ISO version requirements.
What is ISO 9001?
Answer:
The most important standard about quality management systems is ISO 9001 together with ISO 9000.
4.4. Quality Management System and its processes
Our company has established and implemented the QMS, which is maintained and continually improved according to the requirements of the IATF 16949:2016 standard and customer-specific requirements, including processes needed and their interactions.
We have determined the processes needed for the QMS and their application through the organization. Also, we have determined required inputs and desired outputs of the processes, criteria, and methods needed for effective operation and control of these processes, as well as resources needed and responsibilities and authorities for processes in the Quality Plan. Sequences and interactions between the processes are described in Figure 2: Process Map.
*Rules regarding product and process conformity to statutory, regulatory, and customer requirements are defined in [document name], including outsourced processes and service parts.*
Answer:
It is common practice that an organization has a list of laws and other legislation that is impacting the organization. In this list, the organization needs to answer whether it complies with the legislation in the operating country, or whether it needs to apply measures in the future in order to be fully compliant. Also, this can be outsourced to another organization specialized in legislation.
This requirement is typical for all management systems, and when it comes to IATF 16949 it can be more difficult if you are working in more than one country.
The document from the toolkit named “Appendix 1 – List of Interested Parties and Customer Specific Requirements“, in the folder 04_Procedure_for_Determining_Context_of_the_Organization_and_Interested_Parties or at https://advisera.com/16949academy/documentation/list-of-interested-parties-and-customer-specific-requirements/, can be used to identify Government as an interested party and to fill in all the legislation it must comply with. You can also add the level of compliance and an action plan.
Answer: These are the main differences:
- ISO 27001 Lead Implementer course – teaches how to implement the standard.
- ISO 27001 Lead Auditor course – teaches how to audit an ISMS against ISO 27001 requirements.
In order to implement ISO 22301, do we need to have a BIA, BCP, test, etc. for each of these functions as processes, or how does it work?
Your assistance and help will be reflected in my understanding of how to implement it.
Answer: According to ISO 22301, you have to consider BCP, tests and other elements of business continuity only for processes that, if disrupted for a certain time, can cause irreversible damage to the organization.
To identify such processes you have to perform a business impact analysis to understand how a disaster can affect your operations.
Typical legal requirements for business continuity are contracts and service agreements with customers and suppliers (in them you have to look for requirements that specify the speed of response, availability and similar), as well as laws and regulations applicable to the locations where you operate (as well as locations to which you provide services). Common topics for laws and regulations are related to continuity of IT infrastructure and the infrastructure of public-related services.
Unfortunately, the list in the article you've mentioned does not cover all countries, nor is it fully up-to-date, because it depends on voluntary contributions from our readers. To make sure you have the latest list of laws and regulations, it would be best to hire a local legal adviser.
Implementation approaches
Answer:
To start the implementation of an ISMS compliant with ISO 27001, you should consider these steps:
1) getting management buy-in for the project;
2) defining the ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding the organizational context and the requirements of interested parties;
3) development of the risk assessment and treatment methodology;
4) perform the risk assessment and define the risk treatment plan;
5) controls implementation (e.g., policies and procedures documentation, acquisitions, etc.);
6) people training and awareness;
7) controls operation;
8) performance monitoring and measurement;
9) perform internal audit;
10) perform management critical review; and
11) address nonconformities, corrective actions and opportunities for improvement.
This article will provide you with further explanation about ISMS implementation:
Regarding implementation approaches, the most common are:
- Use your own staff to implement the ISMS
- Use a consultant to perform most of the effort to implement the ISMS
- Use a consultant only to support the staff on specific issues, leaving the organization's staff with most of the implementation effort.
Answer:
By QMS file I believe you mean knowing what documents and records are required. It is also important to understand the ISO 9001 structure and to read something about the PDCA cycle and the process approach.
Answer:
An organization is an open system that interacts with the outside world. For example, new technology can make the product or the production process obsolete. For example, legislation can imply changes in the way a product is manufactured or is sold on the market. For example, political changes can support or hinder exports for your organization’s main market.
An organization also has its own inside world that can affect its performance, for example: difficulties in finding new employees; outdated manufacturing equipment that does not allow the efficiency levels required by the competition's prices; lack of know-how about selling online.