Search results


  • ISO 45001: SWOT for risks and opportunities


    Answer:
    A sample SWOT analysis is difficult because this tool is very specific to the organization. The strengths, weaknesses, opportunities and threats change from company to company and industry to industry. Even the format of this tool is not common since it can be a table, or even just a listing for the 4 sections. It is also important to remember that the ISO 45001 standard does not require a SWOT analysis, just an assessment of risks and opportunities. This is only one tool to identify the risks and opportunities for your OHSMS.
    So, while you need to decide the information for each section of the analysis for your organization, some examples could include:
    Strengths: You have a highly engaged workforce focused on OH&S.
    Weaknesses: You have a lot of accidents/incidents which you need to work on preventing.
    Opportunities: You have a supplier that has developed a new chemical which is less hazardous, and could be used in your process.
    Threats: A supplier is discontinuing a chemical you need, and the easy replacement is more hazardous.

    For more on the requirements for risks and opportunities, see this blog post: What are the new requirements for risks and opportunities according to ISO 45001?, https://advisera.com/45001academy/blog/2018/04/25/what-are-the-new-requirements-for-risks-and-opportunities-according-to-iso-45001/
  • Validating product spec


    Answer:
    If an organization publishes a performance spec for a product it must validate its ability to comply with it. Check ISO 9001:2015 clauses 8.3.3, 8.3.5 and 8.6.

    The following material will provide you with information about a performance spec for a product:
    - The ISO 9001 Design Process Explained - https://advisera.com/9001academy/blog/2013/11/05/iso-9001-design-process-explained/
    - ISO9001 Design Verification vs Design Validation - https://advisera.com/9001academy/knowledgebase/iso9001-design-verification-vs-design-validation/
    - Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Internal Audit


    Answer:

    Yes, this terminology has to match. For more about internal audit please read this article:
    Five Main Steps in an IATF 16949:2016 Internal Audit
    https://advisera.com/16949academy/knowledgebase/five-main-steps-in-an-iatf-169492016-internal-audit/

    If you want to know more about how to make an internal audit checklist for IATF 16949, take a look at this article:
    How to make an Internal Audit checklist for IATF 16949:2016
    https://advisera.com/16949academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iatf-16949/
  • Assets of IaaS

    Answer:

    In situations where you cannot change service conditions presented by the provider, you should evaluate if your organization can accept the risks not properly covered by the provided service agreement, and if there are alternative providers you can consider.
  • Risk assessment and BIA

    1. Which one would I do first and why?

    Answer: Actually, there is no definitive order to perform risk assessment and business impact analysis, and the choice for one or another will depend on your expectations:
    - By doing BIA first you will have a prioritized list of processes and services that can impact the most of your business in case of disruptive incidents, then you can go to assess the most relevant risks for the most critical processes and services.
    - By doing risk assessment first you will have a prioritized list of risks your organization is most exposed to, i.e. the most potential disruptive incidents, then you can go to assess the impact on business regarding the processes and services affected by those risks.

    Particularly, we prefer to do risk assessment first because this way, you will have a better impression of which incidents can happen (which risks you’re exposed to), and therefore be better prepared for doing the business impact analysis (which focuses on consequences of those incidents).

    This article will provide you further explanation about BIA and risk assessment:
    - Risk assessment vs. business impact analysis https://advisera.com/27001academy/knowledgebase/risk-assessment-vs-business-impact-analysis/

    2. Do I include the BIA risks in my risk register and if yes then do I reference the BC plans for the treatment plan? As an example, would a fire be raised as a risk in the risk register as well as in the BC plans?

    Answer: If the risks used to support the BIA process are related to information you want to protect with your ISMS (i.e., risks that impact information), then you need to include them in the risk register for ISO 27001.

    These articles will provide you further explanation about risk treatment and SoA:
    - Risk Treatment Plan and risk treatment process – What’s the difference? https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
    - How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
  • Grading nonconformities


    Answer:
    ISO 9001:2015 does not mention audit findings categorization. ISO 19011:2018 in clause 6.4.8 states that nonconformities can be classified according to the context of the organization and its risks. This classification can be quantitative (e.g. 1 to 5) or qualitative (e.g. minor, major). Grading nonconformities (as separate categories) is generally used only in certification audits (not so often in internal audits).

    About your concerns with subjectivity, remember that this grading is based on the auditor’s judgment and experience.

    Minor nonconformity – a nonconformity that does not affect the capability of the management system to achieve the intended results.
    Major nonconformity – a nonconformity that affects the capability of the management system to achieve the intended results. For example, if the company completely failed to fulfill a certain requirement; if a process has completely fallen apart; or if you have several minor nonconformities that are related to the same process or to the same element of your management system.

    The following material will provide you information about audits:
    - Major vs. minor nonconformities in the certification audit - https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/
    - Free online training ISO 9001:2015 Internal Auditor Course – https://advisera.com/training/iso-9001-internal-auditor-course/
    - Book – ISO Internal Audit: A Plain English Guide – https://advisera.com/books/iso-internal-audit-plain-english-guide/
  • Toolkit content


    Answer: You can describe only services in your scope, but it is not recommended, since services are delivered by processes, and you cannot define location in the scope without considering the processes related to the services. For example, in your case, the central processing of a service is performed in the datacenter, while employees interact with the service in rooms and offices outside the datacenter, and these rooms and offices also must be included as locations in your scope, so all environments where the service runs are protected by the ISMS.

    These articles will provide you further explanation about scope definition:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    2. ISMS Scope Document, Locations: The office is in Belgium and the datacenter is in The Netherlands. Is this a fine way how to write how they are separated?

    Answer: If only your datacenter is in the scope, there is no need to include the location of the office. You must specify means of separation only when elements that are inside and outside of the scope are in the same location (for example, the datacenter is in the same building but is located on a separate floor).

    3. Which fields are obligatory in the Risk Treatment Plan?

    Answer: ISO 27001 does not prescribe the content of a risk treatment plan, but all fields defined in the Risk Treatment Plan template must be filled because they will help you not only to ensure controls are implemented (by means of Description of activities, Responsible person, Start and completion deadlines, and Status) but will also help you evidence fulfillment of standards clauses (Necessary financial and other resources for clause 7.1, Training and awareness programs for clause 7.2, and Method for evaluation of results for clause 9.1).

    This article will provide you further explanation about evidencing resources:
    - How to demonstrate resource provision in ISO 27001 https://advisera.com/27001academy/blog/2017/04/10/how-to-demonstrate-resource-provision-in-iso-27001/

    4. Inventory of assets: If we choose not to do asset labeling, then I assume we only have 2 obligatory fields which are Asset Owner and Asset Name right?

    Answer: ISO 27001 does not prescribe which details must be listed in the asset inventory, so you can list only the asset name and its owner, but you should also consider filling the other fields, because they will be useful for managing the assets.

    This article will provide you further explanation about the asset register:
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

    5. A.7.2.3 Disciplinary process: Can this be really basic defined or do you have any examples of how it could be defined?

    Answer: ISO 27001 does not prescribe which details must be included in the disciplinary process, so an organization is free to define it the way it best suits them (you can use the disciplinary process you already have in your own organization).

    6. Training and Awareness Plan: Is reading the established policies also a way of training?

    Answer: Reading policies can be considered a way of awareness and training, to ensure a person knows a policy exists and what it is about. But for some policies you also have to consider that the person must practice in order to properly perform what is required by the policy.

    These articles will provide you further explanation about awareness and training:
    - How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
    - 8 Security Practices to Use in Your Employee Training and Awareness Program https://advisera.com/27001academy/blog/2015/03/02/8-security-practices-to-use-in-your-employee-training-and-awareness-program/
  • Data subject rights under the EU GDPR


    Answer:

    You should file a complaint to the local Supervisory Authority. You can find a list of Supervisory Authorities at https://edpb.europa.eu/about-edpb/board/members_en.

    If you want to find out more about your rights, check out this free webinar: Data Subject Rights under the EU GDPR (https://advisera.com/eugdpracademy/webinar/data-subject-rights-under-the-eu-gdpr-free-webinar-on-demand/)
  • Data subject


    Answer:

    It is the company’s concern to get the employees to delete their accounts where they have used the work email address. From your perspective the request must come from the data subject.
  • Processing special categories of data


    Answer:

    It depends on what you collect as part of the employment process. Usually for employment purposes, if special category data is collected from the employee, this is because it is a legal requirement, usually under either Labor Law or laws related to health and safety in the workplace.

    So, I genuinely think that you should rely on legal obligation and not consent for any processing of special category data.