Search results


  • Reviewing documentation


    Answer:
    Only if your organization makes any changes. Please check the meaning of “review” in ISO 9000:2015, definition 3.11.2. The review is not necessarily about changes but also about evaluating the suitability, adequacy or effectiveness.

    2. How many NC category-1 are allowed in ISO audit to avoid reaudit or audit failure?

    Answer:
    Organizations should avoid major nonconformities during audits. Normally, major nonconformities during certification audits can imply a re-audit. Sometimes, if an organization can show evidence that the major nonconformity was corrected, and that an acceptable corrective action was implemented and effective, a re-audit can be avoided.

    The following material will provide you information about audits:
    - Major vs. minor nonconformities in the certification audit - https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/
    - Free online ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Risk assessment for ISO 22301


    Answer:

    Risk assessment for BCM must identify risks that can cause disruption of business operations and services, so together with Business Impact analysis you can more easily identify which risks to business you have to handle.

    Considering you already have a function responsible for risk management and risk data, you should verify if the existing Risk Register can help you.

    If at this moment the Risk Register cannot help you, then you should talk to the person responsible for risk management about ISO 22301 requirements and ask him for support to perform a risk assessment for the BCM. Since ISO 22301 does not prescribe any approach to perform risk management, you can adopt the current approach without compromising ISO 22301 requirements.
    This article will provide you further explanation about risk management for business continuity:
    - Risk assessment vs. business impact analysis https://advisera.com/27001academy/knowledgebase/risk-assessment-vs-business-impact-analysis/

    This material will also help you regarding risk management for business continuity:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
  • Drawing control


    Answer:
    Yes, drawings that describe parts to be manufactured are very important specifications used for production and control. Also, due to design changes, after-sales services normally have to use several different versions of drawings simultaneously, because different customers bought different versions of the same product.

    The following material will provide you information about documentation:
    - Although it is not about ISO 9001 this article seems useful - Understanding configuration management in AS9100 Rev D - https://advisera.com/9100academy/blog/2017/05/08/understanding-configuration-management-in-as9100-rev-d/
    - ISO 9001 – How to structure quality management system documentation - https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/
    - Free online ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Integrating management systems


    Answer:
    You can compare management systems standards and realize that they have a common structure with a lot of similar clauses. When I implement integrated management systems, I describe the organization as a set of processes that deliver the purpose, the mission of the organization. Then, after an initial environmental assessment, for example, I determine what processes or activities must be improved or standardized in order to eliminate or minimize significant environmental impacts. That translates into making changes in some of the processes. Concerning top management, the policy, objectives, context, interested parties and part of the risks are common.

    The following materials will provide you more information about integrating management systems:
    - Article - How to integrate ISO 14001 and ISO 9001 - https://advisera.com/14001academy/knowledgebase/how-to-integrate-iso-14001-and-iso-9001/
    - How to implement integrated management systems - https://advisera.com/articles/how-to-implement-integrated-management-systems/
    - Free webinar on demand – How to integrate ISO 9001:2015 and ISO 14001:2015 - https://advisera.com/9001academy/webinar/how-to-integrate-iso-90012015-and-iso-140012015-free-webinar-on-demand/
    - Free online ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Mandatory procedures and content


    Answer:
    No. ISO 9001:2015 has no requirement for mandatory procedures.

    2. For instance, we have documented that we conduct internal audits as per the audit schedule and that notification of Internal Audits shall be given to the relevant parties with the defined audit scope and identification of the Auditor/s. Apart from this much information documented in our procedure, do we require to document each and every step on how the internal audits are carried out, what the timelines to complete corrective actions will be, etc.?

    Answer:
    No. Your organization has all the freedom to define which procedures are needed and what degree of content they should include.

    3. My main focus is: do we need to document the steps that we follow to carry out any particular activity such as the activity mentioned in the example mentioned above?

    Answer:
    No. For example, in many procedures in different organizations, I just use flowcharts instead of written text.

    The following material will provide you information about documentation:
    - ISO 9001 – How to structure quality management system documentation - https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/
    - Free online ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - ISO 9001:2015 Documentation Toolkit - https://advisera.com/9001academy/iso-9001-documentation-toolkit/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Clause 4.4.2 and processes


    Answer:
    Clause 4.4.2 a) is about all processes included in the quality management system. Remember that ISO 9001:2015 gives a lot of freedom about considering procedures as necessary or not.

    The following material will provide you information about certification:
    - ISO 9001 – How to structure quality management system documentation - https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/
    - ISO 9001:2015 Documentation Toolkit - https://advisera.com/9001academy/iso-9001-documentation-toolkit/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Documentation content

    I couldn't think of a vulnerability, so I assume I should not document this?

    Answer: In your example you have to document the risk because it is probably nearly impossible because of all the controls you already have implemented (e.g., badge, security procedures, and authentication methods). These implemented controls should be included in the last column of the Risk Assessment Table.

    Included in your toolkit you have access to a video tutorial that can provide you guidance on how to fill in the Risk Assessment Table, using real data as examples.

    2. Regarding the tabs 'Asset owner' and 'Risk owner', which are important in several documents: let us take laptops as an example. Each employee has received a laptop from the company, but the legal owner of this laptop is the organization. Whom shall I put as Asset Owner and Risk Owner? Asset Owner: CTO/Employer, Risk Owner: CTO/Employer?

    Answer: For ISO 27001, the asset owner is the person who is responsible for the asset, to ensure it is properly protected, not its legal owner. The risk owner is the person accountable for managing the risk, i.e., for reducing it to acceptable levels. In your example the asset owner can be the employee responsible for the laptop, while the risk owner can be the CTO.

    3. Control A.12.1.3 Capacity Management, I'm trying to think of a possible risk but I wouldn't know what kind of information security risks there could be. I know that the budget for (potential) IT assets is a part of this control, but as for the rest it's not very clear to me. Could you possibly give me some more information about Capacity Management or at least about possible risks which are related to IT Security?

    Answer: Capacity management is related to planning resources to fulfill demand when required, ensuring agreed service levels, so risks related to capacity management are mostly related to information not being available when needed, e.g., due to faulty equipment which has no redundancy, demands above implemented resources (e.g., during Denial of Service - DoS - attacks), technology obsolescence, etc.

    For further information see:
    - Implementing capacity management according to ISO 27001:2013 control A.12.1.3 https://advisera.com/27001academy/blog/2016/02/22/implementing-capacity-management-according-to-iso-270012013-control-a-12-1-3/
  • Providing SoA to customers


    Answer:

    In fact, customers can ask for your Statement of Applicability to have an overview of your information security posture and approach, but since it contains sensitive information about how you protect information, I'd recommend you to use some cost-benefit method or criteria to identify whether providing this document would be worthwhile, considering the risks to the business regarding the confidentiality of the information provided, and the value of this customer to your business. In case you decide to provide the Statement of Applicability, you should ask the customer to sign a non-disclosure agreement (NDA) before you send such confidential information.
  • ISO 27001 and ITIL


    Answer:
    If you are looking for Information Security implementation only, then ISO 27001 would be a better fit. But, if you plan to implement/improve other aspects (organization, functions, processes, management of the services), then ITIL is better. ITIL will give you the opportunity to manage various standards and best practices, like ISO 27001, Agile, DevOps, etc.

    Learn more about ITIL and ISO 27001 in the article “Similarities and differences between ISO 27001 and ISO 20000” - https://advisera.com/20000academy/blog/2018/05/09/similarities-and-differences-between-iso-27001-and-iso-20000/. It relates ISO 27001 and ISO 20000, which is the ISO standard for IT Service Management.
  • Relationship between activities and stakeholders


    Answer:
    ISO 9001:2015 no longer requires mandatory procedures. That does not mean that procedures are forbidden. So, if your organization wants to use procedures, they are allowed. These activities will not be part of the QMS Scope document. These activities can be related to relevant stakeholders through:
    - Procedures;
    - Flowcharts;
    - Job descriptions;
    - Templates;
    - Training records

    The following material will provide you information about certification:
    - ISO 9001 – How to document roles and responsibilities according to ISO 9001 - https://advisera.com/9001academy/blog/2018/02/26/how-to-document-roles-and-responsibilities-according-to-iso-9001/
    - Free online ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - ISO 9001:2015 Documentation Toolkit - https://advisera.com/9001academy/iso-9001-documentation-toolkit/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/