Search results


  • Risk assessment


    Answer:

    For an asset-threat-vulnerability risk assessment approach, a reasonable quantity of identified threats will depend on the quantity of identified assets. A good parameter is to consider 5 threats for each asset identified. With fewer than 5 threats per asset you may have left out a relevant risk related to that asset. With more than 5 threats per asset you will probably have a big number of minor risks that will only make your work unnecessarily complex. It is important to note that the same threat can be associated with different assets, so, for example, for 3 assets you do not need to identify 15 different threats.
    This article will provide you further explanation about risk assessment:
    - ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

    These materials will also help you regarding risk assessment:
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
  • Risks and opportunities


    In our Integrated Management System we have implemented Risks and we have qualified very well in the audits, but they insist that we need to better determine the Opportunities according to this common requirement for the 2 Norms (9001 and 27001).

    Can you guide me to implement in a strategic and simple way this matter of the Opportunities, to fulfill on one hand the requirement and to qualify in the audits, but mainly to administer this properly in our Integrated Management System?

    Answer:

    The most straightforward way to fulfill this treatment of opportunities is by means of continual improvements implemented to fulfill interested party requirements and achieve the ISMS expected goals. For example, if one of the ISMS's objectives is to increase employee productivity, implementing teleworking may be an opportunity to achieve that.

    This article will provide you further explanation about risks and opportunities:
    - How to address opportunities in ISO 27001 risk management using ISO 31000 https://advisera.com/27001academy/blog/2018/04/13/how-to-address-opportunities-in-iso-27001-risk-management-using-iso-31000/
  • AS9100: Recording dimensional measurements


    Answer:
    AS9100 Rev D does not identify any specifics such as inspection sheets being completed by hand, or filled in by computer; the standard describes what processes need to be done, but not how to do each process. The details of the process, such as what is acceptable for dimensional inspection reports, need to be identified by the company by taking into account the requirements and needs of customers and other parties. So, if you have a customer or legal requirement that dimensional inspections need to be done by hand, then this needs to be part of your process. On the other hand, if there is no other requirement then the decision is up to you; AS9100 does not specify this in the standard.
    For more information on recording dimensional inspections for the optional first article inspection process, see the article: How does First Article Inspection fit into AS9100 Rev D?, https://advisera.com/9100academy/blog/2017/11/07/how-does-first-article-inspection-fit-into-as9100-rev-d/
  • Various questions regarding toolkit


    Answer: Considering the asset-threat-vulnerability approach for risk assessment, the fact that assets have different owners does not influence the risk calculation. So you have to consider only each asset-threat-vulnerability relation to calculate the individual risks.

    By the way, included in your toolkit you have access to a video tutorial that can help you fill in the Risk Assessment and Risk Treatment Table, with examples with real data.

    2. If there is more than 1 control which can be applied to 1 risk, we should evaluate each record separately, right? I mean if the risk after treatment is 1, we must not continue from that point in the next report.

    Answer: If you decide to mitigate a risk by implementing controls, you only have to implement controls in a quantity sufficient to reduce the risks to acceptable levels. For example, if you can apply 3 controls to treat a risk, but after applying the first, the risk is reduced to acceptable levels, then you do not need to apply additional controls.

    3. Control A.12.6.1 Management of technical vulnerabilities: This control can be applicable to nearly each risk, may we note that this is a management decision at the justification for selection?

    Answer: You can use a management decision as justification for selecting a control, but in case of systemic application as you mentioned, most probably the results of risk assessment will provide a more robust justification.

    4. List of Legal, Regulatory, Contractual and Other Requirements: As for us one of the requirements would be GDPR and interested parties most likely the Data Protection Authority (Privacy Commission in Belgium), but I don't know what to fill in in the 3 tabs in the middle: 'Document stipulating the requirement', 'Person responsible for compliance' and 'Deadlines'. Can you possibly help me with this?

    Answer: In fact the GDPR is the 'Document stipulating the requirement'. The relation between ISO 27001 and GDPR is by means of Article 32 (this is the requirement to be used in this row). As for 'Person responsible for compliance', you have to define who will have the responsibility and authority to implement and enforce compliance with Article 32. Finally, on 'Deadlines' you have to define by when the implementation will be finished (e.g., by end of July 2019).

    5. List of Legal, Regulatory, Contractual and Other Requirements: Does this already have to be filled in at the moment of the audit?

    Answer: This is one of the main documents to define the ISMS, so it has to be filled at the beginning of the ISMS implementation, well before the moment of the audit.

    6. Training and Awareness Plan: Does this already have to be filled in at the moment of the audit?

    Answer: This is also another document important to the ISMS, because it helps to organize the evidence of fulfillment of clauses 7.2 and 7.3, so it has to be filled in before the moment of the audit.

    7. Measurement Report: Can I just write "Marketing", "Business", "Information Security", or something similar in the "Control / process / department" tab?

    Answer: The recommendation here is to write something that will be easily understood in your organization. So, while "Marketing" and "Information Security" may be easily understood, "Business" may be too generic and you should consider something more specific.
  • Procedure for waste management


    Answer:

    Procedures are not mandatory in ISO 14001:2015, so it is up to the organization to develop one, specifically for waste management.

    In my opinion, having guidelines for managing environmental aspects and in particular waste management can be very useful for the organization, since it can help to manage waste in a systematic way.

    These materials can help you with waste management in ISO 14001:2015:

    - Article - 7 steps in handling waste according to ISO 14001: https://advisera.com/14001academy/blog/2016/11/07/7-steps-in-handling-waste-according-to-iso-14001/
    - Article - List of procedures for managing environmental aspects - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/list-of-procedures-for-managing-environmental-aspects/
    - Book – The ISO 14001:2015 companion: https://advisera.com/books/the-iso-14001-2015-companion/
    - Free on-line training – ISO 14001:2015 Foundations: https://advisera.com/training/iso-14001-internal-auditor-course/
  • FMEA standards

    IEC (International Electrotechnical Commission) developed the IEC 60812:2018 standard, which is an international standard that explains how failure modes and effects analysis (FMEA), including the failure modes, effects, and criticality analysis (FMECA) variant, is planned, performed, documented and maintained. SAE (Society of Automobile Engineers) also developed the standard for FMEA, J1739:2002. This is the version from 2002; the IEC version is the newer one.
    Both standards explain in detail how to use FMEA.
    For more about FMEA please read the article: What is FMEA and how to apply it in IATF 16949 https://advisera.com/16949academy/blog/2017/09/06/what-is-fmea-and-how-to-apply-it-in-iatf-16949/
  • Time for implementation


    Answer:
    The duration of implementation depends primarily on the size of the organization, for example:
    - Smaller organizations (up to 50 employees) usually implement the standard in less than 8 months.
    - Mid-size organizations (up to 500 employees) usually implement the standard in 8 to 12 months.
    - Large organizations (500 employees and more) – implementation usually lasts 12 to 15 months.
    Beware: companies that drag such projects on for too long (e.g., small companies for more than 12 months) usually never finish the project.


    Start your project with an initial training about ISO 9001:2015, then perform a Gap Analysis in order to determine what needs to be done, with that you can prepare a Project Plan to drive your implementation.

    The following material will provide you information about implementing a QMS:
    - ISO 9001 – How long does it take to implement an ISO 9001-based QMS? - https://advisera.com/9001academy/blog/2016/07/05/how-long-does-it-take-to-implement-an-iso-9001-based-qms/
    - Free ISO 9001:2015 Gap Analysis Tool - https://advisera.com/9001academy/iso-9001-gap-analysis-tool/
    - ISO 9001 Implementation Duration Calculator - https://advisera.com/9001academy/iso-9001-duration-calculator/
    - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • ISO 45001 Opportunities and change management

    Answer:
    Clause 6.1.2.3 on the assessment of OH&S opportunities and other opportunities for the OHSMS requires that you have a process in place to identify opportunities to improve the overall OH&S performance (including hazard reduction) and other opportunities to make the OHSMS better. If you are choosing not to have a procedure for this, you can explain to the auditors your process for how you go about assessing opportunities, and give evidence of how you have acted upon your assessment. For instance, you may have taken actions to make an improvement based on an opportunity (per clause 6.1.4 planning action). Your action plan and subsequent implementation would be evidence of your opportunity assessment and what you did about it.

    2. Is it mandatory to introduce the format for Management of Change? If not, how do we address clause 8.1.3?
    Answer:
    As with clause 6.1.2.3 above, if you are not writing a procedure for clause 8.1.3 on management of change, then you need to explain the process you have for implementing changes to your OHSMS. The whole idea of this clause is to make you consider the impact of any changes you make on the OH&S performance of your company. When there are new or changed products or services, changes in the work environment, changes in legal requirements, changes in risk knowledge or development of technology, what does this mean for the OH&S risks and performance in your organization, including unintended changes? In short, when you make changes, what is your plan to mitigate against any adverse effects to your OH&S performance; how do you make changes safely? The standard doesn’t give one way of doing this change management, but you need to know what your method is.

    For more information on the ISO 45001 standard, see the whitepaper: Clause-by-clause explanation of ISO 45001:2018, https://info.advisera.com/45001academy/free-download/clause-by-clause-explanation-of-iso-45001
  • AS9100 and the marketing department

    Answer:
    Implementing a QMS using AS9100 Rev D brings benefits including improved reputation with customers, including the ability to bid for contracts in some aerospace industries that would not allow you to do so if you did not have the AS9100 certification in place. In general, having AS9100 implementation for the marketing department means you can promote your company’s business as taking due diligence to improve the products and services you offer, and that you are taking actions to advance the satisfaction of your customers. As for marketing AS9100 implementation to customers, the marketing department can use AS9100 to show potential customers that the company is serious about enhancing quality in the organization.

    For more information on the benefits of AS9100 implementation, see the article: 7 Key benefits of AS9100 implementation, https://advisera.com/9100academy/knowledgebase/7-key-benefits-of-as9100-implementation/
  • AS9100 Rev D Record Retention

    1. What is the record retention period as per AS9100 standard? We got information that in some cases we need to retain documents for 40 years.
    AS9100 Rev D does not specify a record retention time. The requirement in clause 7.5.3.2 is that the organization needs to address the retention and disposition of documented information. This is because the requirements for different records can vary greatly. For the most part, record retention times for production records will come from customer contracts or legal requirements. If the 40-year time is stated in one of these places, then that is the requirement you need to meet.
    2. In case of hard copies of records, how should we maintain them?
    Many companies keep hard copy records in file storage boxes in protective spaces where they will not be damaged by fire or water. The standard only states in clause 7.5.3.2 that you need to be able to access, retrieve, and preserve these records, including legibility. Again, times for retrieval may come from customer contracts. It is also common to have a supplier company keep hard copy paperwork in a secure location.
    3. What is the other way for retention?
    It is always possible to keep records electronically, and scanning hard copy records would qualify for this. Unless you have customer requirements otherwise, scanning your hard copy records, and adequately maintaining the files in a protected fashion, is an acceptable way to maintain records.

    For more information on document and record control in AS9100 Rev D, see the article:
