Answer:
If you are looking for Information Security implementation only, then ISO 27001 would be a better fit. But if you plan to implement/improve other aspects (organization, functions, processes, management of the services), then ITIL is better. ITIL will give you the opportunity to manage various standards and best practices, like ISO 27001, Agile, DevOps, etc.
Answer:
ISO 9001:2015 no longer requires mandatory procedures. That does not mean that procedures are forbidden. So, if your organization wants to use procedures, they are allowed. These activities will not be part of the QMS Scope document. These activities can be related to relevant stakeholders through:
-Procedures;
-Flowcharts;
-Job descriptions;
-Templates;
-Training records
Answer:
While I am not an expert on HSG65, both ISO 45001:2018 and HSG65 seem to be Occupational Health & Safety Management System (OHSMS) requirements that can be implemented in a company. Both requirements follow the Plan-Do-Check-Act methodology, and include auditing to maintain the standard. One difference seems to be that ISO 45001 focuses on worker consultation and participation in the OHSMS, where I do not see this in HSG65. There may be some differences within the standards, but the biggest difference I can see is that ISO 45001 is an internationally recognized standard, whereas HSG65 is only recognized in the UK. If you are looking at an international market for your customers, this could be a determining factor.
One thing to remember is that ISO 45001:2018 also does not require certification, if the cost of certification is the driving factor not to implement this standard. The standard does give you the option to implement all aspects of the standard and then be able to claim compliance to ISO 45001:2018 (as opposed to "certification to ISO 45001:2018"). So, if the only drawback to ISO 45001 is the certification, you could compare the two standards to see which would be a better fit for your organization. Both will have implementation costs, and both will give you a working OHSMS, but which one will benefit you in the long term? With ISO 45001, even if you do not certify right away, you also have the choice of certifying in the future if this becomes something that will be useful to you. You will not have this choice with HSG65.
For more information on the benefits of ISO 45001:2018, see the article: 4 key benefits of ISO 45001 for your business, https://advisera.com/45001academy/blog/2015/09/30/4-key-benefits-of-iso-45001-for-your-business/
Business continuity plan
Answer:
Once you have identified the disruptive scenarios you have to handle, broadly speaking, the development of a continuity plan based on ISO 22301:2012 requires the development of:
- incident response plans, with emergency actions to be performed right after the disruption being identified;
- continuity actions to bring activities back to minimum agreed levels;
- recovery actions to bring activities back to normal operations.
Answer:
Yes, your organization can implement a quality management system and certify it. Certification grew precisely with the development of international trade after the ’80s to facilitate it.
ISO 27001 does not prescribe a frequency to perform internal audits, but requires that audits must be planned considering the importance of the processes involved and the results of previous audits. For a certified ISO 27001 ISMS you have to ensure all elements in the scope are internally audited at least once during the certification period (three years).
Answer:
OH&S opportunities and other opportunities as per clause 6.1.2.3 require you to have a process to assess both of these types of opportunities. OH&S opportunities (clause 6.1.2.3 a) are any opportunities that may exist to improve your OH&S performance within your organization. This could include adapting work to make it safer, organizing work in a way that reduces workplace injury, or eliminating hazards that may exist in the workplace. An example would be replacing a cleaning chemical that is a known carcinogen with a safer chemical to clean parts in your facility.
Other opportunities (clause 6.1.2.3 b) come from outside of your organization such as changing legal compliance obligations or changes in external issues. An example of one of these other opportunities could be: if you find out that a supplier will not be able to provide you with a chemical that is critical for your product, and you can’t find the chemical anywhere else. This could be an opportunity to find a safer chemical to replace the chemical that is being made obsolete.
In both cases, you assess these opportunities to decide which need to be addressed with planning actions (clause 6.1.4).
For a more thorough discussion of opportunities in ISO 45001:2018, see the article: What are the new requirements for risks and opportunities according to ISO 45001?, https://advisera.com/45001academy/blog/2018/04/25/what-are-the-new-requirements-for-risks-and-opportunities-according-to-iso-45001/
The next step would be to gather all your internal documents and information and start to create a quality manual, followed by the relevant standard operating procedures (SOPs) required by the Standard.
Applicability of ISO 13485 for medical device store
Answer:
In the context of a medical device store, Good Distribution Practice (country-specific regulation) would be more applicable in your case. ISO 13485 is an international standard and guideline to provide medical device companies a framework to establish their Quality Management System (QMS). In the context of a medical device store, your role would be more involved in ensuring that products that do not conform to requirements are identified, segregated, and stored appropriately to prevent their unintended use or delivery.
Toolkit content
1. Information Security Policy: Can we summarize a couple of aspects in the concepts of Annex A, such as Organization, HR Security, Asset Management, Access Control, Cryptography, ...
Answer: The Information Security Policy is a top-level document, created before the identification of controls, so we do not recommend such a summary because:
- It will make the document overly complex and difficult to understand
- There is a risk of rework if, after the risk assessment, you identify that there are no relevant risks that can justify the text included in the Information Security Policy as you are proposing
2. Inventory of assets: Description of asset: What do we have to write here? Are we supposed to write what this asset is being used for?
Answer: If ISO 27001 control A.8.1.1 (Inventory of assets) is applicable to your organization, you should consider at least the name of the asset, its owner, and its classification level. Of course, you can add more information to fulfill additional needs from other requirements you have, or if you understand it will help you manage the ISMS (e.g., what the asset is being used for).
4. Risk Treatment Table: What if there is more than one control which could be bound to a specific risk? Let us say: losing your work laptop is the risk, controls: regarding Mobile Device & Teleworking (A.6) and Business Continuity (A.17), so there is more than one option.
Answer: ISO 27001 does not prescribe how many controls you need to adopt to treat a risk, so you can adopt as many controls as you see necessary to reduce risks to acceptable levels in a cost-effective way.
This article will provide you further explanation about selecting controls:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
5. We must be certified by June, is there any advice that you could give me on how to get this sorted out as soon as possible?
Answer: Without details about your context (e.g., company size, ISMS scope, business objectives, etc.) it is not possible to provide detailed guidance, but in general you should work to maintain top management commitment on the project (to prioritize tasks and resources), and keep controls and documents as simple as possible (you should worry about refinements at a later stage).
By the way, included in your toolkit you have access to several tutorials that can help you with tasks like filling the risk assessment and risk treatment tables, developing the information security policy, etc.