
  • Benefits from the certification of governmental entities


    Answer:
    Simply implementing the management system should bring benefits for an organization. Taking the extra step and going for certification, even for a governmental entity, can bring extra benefits.
    * Certification can be a marketing tool to give more trust and a better image to citizens.
    * Certification can help compliance.
    * Certification can be a useful internal pressure. In some organizations, these kinds of projects will never finish unless there is powerful pressure like a clear deadline. So, if you agree with the certification body on a fixed date for the certification audit, both your management and your employees will have a much stronger sense of urgency for implementation.
    * Certification can help in maintaining a continued discipline. Certification is not an event; it must be maintained with annual audits. For many organizations, those audits represent a pressure to comply with internal procedures and minimize the erosion of discipline.

    The following material will provide you with information about certification:
    - ISO 9001 – Would hospitals benefit from ISO 9001? - https://advisera.com/9001academy/blog/2015/07/21/would-hospitals-benefit-from-iso-9001/
    - Free course – ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Change control management in Advisera Toolkit


    Answer:

    Change control management is incorporated into critical procedures in ISO 13485 such as control of documentation, control of design and development changes. You can refer to 06_Procedure_for_Risk_Management as well as 00_Procedure_for_Document_and_Record_Control.
    For each procedure in the toolkit, there are details for the company to incorporate their own method of change control.
  • Questions about assets

    I have a couple of questions about the inventory of assets.

    1. Who is the owner of the asset “People”? Is it the HR Manager or the person with whom the contract is signed?

    Answer: ISO 27001 does not prescribe who should be the asset owner, but in general, if by contract you refer to an employment contract with an organization, then the asset owner is his/her superior in the organization. On the other hand, if this contract refers to a hired freelancer, consultant or similar, that will work for the organization only for a defined time, and for a specific work, then the asset owner should be the person with whom the contract is signed.

    2. As “Asset Owner”, can we use a position name (like CEO, HR Manager) or should it be personalized (John Smith, CEO)?

    Answer: ISO 27001 does not prescribe how to name the asset owner, so both approaches are acceptable, but in case you have a significant turnover of personnel acting as asset owners, then you should consider using roles rather than personal names, because this will reduce the need to update the inventory every time the responsible person changes.

    3. We are a paperless company and all our contracts are in electronic form, stored on a reputable cloud solution. Should we include all contracts in the Inventory of Assets in that case?

    Answer: Regardless of whether your contracts are stored on a third-party cloud solution, the contracts still belong to the organization, and if they are relevant to the ISMS scope then they should be listed in the inventory of assets.

    4. If we have cabinets/drawers in the office where we do not store any documents, should they be included in the Inventory of Assets?

    Answer: If an asset is not related to the information you want to protect, then it does not need to be included in the inventory of assets.

    5. We rent an office in a technological hub and we are using their printer and scanner. Should we include them in the inventory?

    Answer: If the printers and scanners are part of the service delivered by the technological hub, and are relevant to the ISMS scope, then they should not be included in the inventory as equipment but as a third-party service (e.g., like a printer service), since this equipment is managed by a third party.

    This article will provide you with further explanation about the inventory of assets:
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
  • Is the course enough for certification?


    Answer:

    I'm not sure which course you are referring to, but our online courses (e.g. ISO 27001 Foundations Course, Internal Auditor Course, Lead Auditor Course, Lead Implementer Course) give you an overview of all the requirements of the standard + the necessary skills for e.g. auditing or implementing.

    If you want to get certified as an individual, these courses will be enough for you to get ready for the exam & certification.

    If you want to get certified as a company, you will also need the documentation and detailed guide for each of the implementation steps - these items are not included in the course - for that purpose see this ISO 27001 Documentation Toolkit: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

    See also: ISO 27001 certification for persons vs. organizations https://advisera.com/27001academy/iso-27001-certification/
  • Is Inventory of assets a document or a record?

    https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

    Answer:

    The purpose of a record is to evidence a previous situation, that an action was performed, and/or a result was achieved, so to be of use it cannot be changed over time (at least it shouldn't). On the other hand, a document contains information that can be changed over time, and an inventory of assets is a living document that must be continuously updated to be of value for an organization.

    This article will provide you with further explanation about the inventory of assets:
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
  • Implementing ISO 14001


    Answer:
    Since I have no information about your particular industry, I have to be very general in my answer. Start by determining how your organization interacts with the environment, by determining environmental aspects and impacts. Determine interested parties and compliance obligations and your conformance situation. Determine context and risks and opportunities.

    With that information you can write an environmental policy, objectives and action plans. Then, monitor implementation, define and monitor performance, perform internal audits and the management review.

    The following material will provide you with more information about implementing an EMS:
    - ISO 14001 – 4 steps in identification and evaluation of environmental aspects - https://advisera.com/14001academy/knowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/
    - List of ISO 14001 implementation steps - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/list-of-iso-14001-implementation-steps/
    - free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • Mission, vision and strategy


    Answer:
    The mission is about the purpose of an organization; it is about why an organization exists.
    Vision is about the future, it is about an attractive mental image of where an organization will be at some point in the future.

    https://www.screencast.com/users/ccruz5284/folders/Default/media/a80d6a52-d171-4394-b8e0-e5401e2e62df

    The strategy is about the set of choices that an organization makes in order to carve a path from where it is today to where it wants to be in the future.

    The following material will provide you with information about the strategic direction:
    - ISO 9001 – Aligning quality objectives of the QMS with the strategic direction of the company - https://advisera.com/9001academy/blog/2017/03/07/aligning-quality-objectives-of-the-qms-with-the-strategic-direction-of-the-company/
    - Free course – ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • ISO 45001: Hazard control for Silica Dust

    Answer:
    The controls for OH&S hazards follow a 5-level hierarchy, and the more hazardous something is, the higher up the hierarchy the control should be. The hierarchy is (most control to least control): elimination, substitution, engineering control, administrative controls and personal protective equipment (PPE).
    So, for silica dust the lowest level of control would be providing masks as PPE, but if it is more of a hazard you should look at higher controls such as an engineering control like a dust collection system. It would be better if it was possible to substitute with a less hazardous material, or eliminate the need for the process, but this is often not the case, so the highest level of control is an engineering control that manages the hazard.
    For more information on putting controls in place for OH&S hazards, see the article: 5 levels of hazard controls in ISO 45001 and how they should be applied, https://advisera.com/45001academy/blog/2015/09/02/5-levels-of-hazard-controls-in-iso-45001-and-how-they-should-be-applied/
  • Anonymous data


    Answer:

    Anonymous data is not subject to the GDPR so there will not be any processing of Personal Data.

    If you want to find out more about the applicability of the EU GDPR check out this free EU GDPR Foundation Course (https://advisera.com/training/eu-gdpr-foundations-course//)
  • Combining multiple roles


    Answer:
    There are always risks when combining multiple roles in a single person (although such a situation is sometimes inevitable).

    In your case I see the following risks:
    1. The dynamics of activities and the approach for a Major Incident (as well as all incidents) are quite different from resolving problems or implementing changes
    2. The people you are working with are different (knowledge, experience...)
    3. An incident is a trigger for problem management. So, you can see it as “controlling” the problem management's efficiency
    4. Problem management is a trigger for change management. So, what is mentioned in #3 is valid here.
    5. Problem management efficiency influences incident management. The same relation is valid for change management – problem management. So, if you have all these processes in one person…

    This is the article that can help: “What ITIL roles can be combined in one person?” https://advisera.com/20000academy/knowledgebase/itil-roles-can-combined-one-person/