Answer: I do not know the dimension of your organization, but at least half a day seems to be the minimum time to perform an acceptable management review. If attendants study the documentation in advance, the management review timing can be focused on the discussion of topics and making conclusions and decisions.
Answer:
I would concentrate on the interactions of the Plant with the environment:
- What are the significant environmental impacts?
- What is planned to control or improve those impacts?
- Are those action plans being followed?
- Are those action plans being effective?
- Are procedures and/or practices being followed?
- Are potential emergency situations being prevented? Are there procedures for responding to those emergency situations? Were those procedures tested?
- Is environmental performance improving?
Of course these clauses are not requirements, but they are still clauses which need accurate information such as the operation's address, provisions/exclusions and the scope of the standard.
Answer:
These clauses are not subject to audit. If you check the templates that certification bodies use to report an overview of the audit, with the number of observations and non-conformities per clause, you will see that clauses 1 to 3 are not included.
Regarding the main clauses of ISO 27001, only the Information Security Policy is required (to fulfill clause 5.2). Regarding Annex A controls, you must consider these policies as mandatory if there are risks which would require their implementation (i.e., controls related to these policies are stated as applicable on the Statement of Applicability):
- Access control policy (if clause A.9.1.1 is applicable on SoA)
- Supplier security policy (if clause A.15.1.1 is applicable on SoA)
The document "11.A. 16_Data_Breach_Response_and_Notification_Procedure_Integrated_EN" is in fact a procedure (its ISO 27001 equivalent is the Incident Management Procedure). It is important to note that in the context of ISO 27001 the division between policies and procedures is not very important.
Risk control and risk mitigation
Answer:
These are two terms with the same meaning, referring to the decision about how to treat a risk, and the most common options are:
- Decrease the risk
- Avoid the risk
- Share the risk
- Retain the risk
To current customers, within 12 months of purchase, together with any upgraded documents we send information about what was changed and what should be considered when updating your own documents.
ISO 27001 clause 6.1.2.c.1
6.1.2 The organization shall define and apply an information risk assessment process that: c) identifies the information security risks
1) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for Information within the scope of the information security management system
This is the only clause in ISO 27001 which I absolutely do not understand. Could you be so kind and give me a hint or explanation in 'human English' 😄. My problem is that, for internal auditing purposes, I want to draft some 'audit questions' with reference to this clause, but as I do not understand that 'beyond human imagination English of the ISO guys' I don't manage to formulate the right audit question(s) with reference to subclause 6.1.2.c.1.
Answer:
Translating this clause to plain English, what you should question is:
1 - were information security risks identified?; and
2 - are the identified information security risks related to the information your organization wants to protect?
For example:
- if you do not find a Risk Assessment Table, or similar document, then you would have a non-compliance here, since there is no evidence that risks related to the ISMS scope were identified.
- if you find a Risk Assessment Table with risks related to a software development process, and your ISMS scope is about your Customer Management process, then you would have a non-compliance here, since the identified risks are not related to the defined ISMS.
By the way, included in your toolkit there is an Internal Audit Checklist where you can find questions which cover clause 6.1.2.
First, it is important to note that depending on your business scenario and information security objectives, an Active Directory may not be required for certification. If you want to go for certification you have to fulfill the mandatory requirements of the standard, which can be implemented through these general steps:
- Obtain top management support
- Define and document a scope based on the needs and expectations of interested parties relevant to information security
- Define, document and communicate an information security policy
- Define roles and responsibilities relevant to operation and management of information security
- Define a risk assessment and treatment methodology
- Define and allocate competencies and resources for the operation and management of information security
- Implement risk assessment and risk treatment (at this point you may or may not identify the Active Directory as needed for your ISMS)
- Operate the security controls and generate the necessary records
- Measure, monitor and evaluate the information security performance
- Implement corrections and improvements
We're manufacturing another product which is not covered under this certification. We're in the pipeline of implementing the requirements of the AS standard for this product. Can the new product be brought within the already available certification, or else do we have to start afresh?
Answer:
You certainly do not need to start over. What you need to do is to discuss with your certification body the fact that you need to change the scope of your QMS to include this new product. They will discuss with you how to change your scope and what auditing they will need to do to update your scope on your certificate. Before they can perform any required auditing for this product you will need to apply the rules of the AS 9100 QMS to this product, but make sure that you do not claim that this product is part of your scope until you have changed your scope within your QMS and with your certification body so that they can issue your new certification with the changed scope on it.
My recommendation is to carry out the analysis for identifying risks and opportunities in the simplest way possible. For example, by organizing a meeting with the most relevant positions within the company and holding a brainstorming session to complete a SWOT matrix (weaknesses, threats, strengths and opportunities). It is advisable to focus on the most significant processes of the organization, that is, those that have a clear impact on customer satisfaction.
Once the risks have been identified, you must determine the actions that will be taken to address those risks. You can detail this in a document. And later evaluate the effectiveness of the actions taken in the management review.
For more information on how to address risks and opportunities you can see the following materials: