Search results

Home / Search

Category:
Select
Select

11269 results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Changing AS9100 Scope for new products

    We're manufacturing another product which is not covered under this certification. We're in the pipeline of implementing the requirements of the AS standard for this product. Can the new product be brought within the already available certification or else we've start afresh?

    Answer:
    You certainly do not need to start over. What you need to do is to discuss with your certification body the fact that you need to change the scope of your QMS to include this new product. They will discuss with you how to change your scope and what auditing they will need to do to update your scope on your certificate. Before they can perform any required auditing for this product you will need to apply the rules for the AS 9100 QMS this product, but make sure that you do n ot claim that this product is part of your scope until you have changed your scope within your QMS and with your certification body so that they can issue your new certification with the changed scope on it.

    These changes may also affect your quality policy with the change is scope. For more on the quality policy for AS9100 RevD, see this article: How to write the AS9100D Quality Policy, https://advisera.com/9100academy/blog/2018/07/09/how-to-write-the-as9100d-quality-policy/

  • Metodología para abordar riesgos


    Respuesta:

    Mi recomendación es realizar el análisis de la identificación de los riesgos y las oportunidades de la manera más sencilla posible. Por ejemplo, organizando una reunión con los cargos más relevantes dentro de la empresa, llevar a cabo una tormenta de ideas para completar una matriz DAFO (debilidades, amenazas, fortalezas y oportunidades). Es conveniente centrarse en aquellos procesos más significativos de la organización, es decir aquellos que tengan un claro impacto sobre la satisfacción del cliente.

    Una vez identificados los riesgos, debe de determinar las acciones que se llevarán a cabo para abordar dichos riesgos. Esto lo puede detallar en un documento. Y más tarde valorar la eficacia de las acciones tomadas en la revisión por la dirección.

    Para más información sobre como abordar riesgos y oportunidades puede ver los siguientes materiales:

    - Artículo - How to address risks and opportunities in ISO 9001: https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    - Webinar - Cómo implementar la gestión de riesgos en ISO 9001:2015: https://advisera.com/9001academy/es/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar/
    - Libro - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Curso - Fundamentos ISO 9001:2015: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/

  • Event Management


    Answer:
    While implementing Event Management you have to be aware of the following:
    1. Event Management process efficiency depends on the tools you have. Some devices have
    monitoring tools built in, and for some, you'll need to implement additional tool(s)
    2. Event Management process does not involve many people (unless you are a huge organization).
    But, you need to clearly define the role(s) (most probably one person responsible for the process) and related responsibilities. Maybe, in large organizations – you'll have several people, but mainly you need to make an interface to the Incident Management process and most of the activities will take place in the scope of that process.

    Here are the articles that can help:
    -ITIL Event Management – Entry point of Service Operation https://advisera.com/20000academy/blog/2015/03/10/itil-event-management-entry-point-of-service-operation/
    -Eve nts – a flood or mountain creek https://advisera.com/20000academy/blog/2013/07/02/events-flood-mountain-creek/

  • ISO 9001 and the retail business


    Answer:
    Yes ISO 9001 is applicable to all kinds of organizations, private, public, governmental, profitable or non-profitable.

    2. “I read How ISO 9001:2015 can improve your supply chain performance in the retail sector - https://advisera.com/9001academy/blog/2016/03/08/how-iso-90012015-can-improve-your-supply-chain-performance-in-the-retail-sector/, can it go beyond supply chain?”

    Answer:
    Yes. Consider a retail business. Consider how the process approach can help a sector with so much turnover, with a lack of internal standards, with lack of lead indicators, with a lack of trained professionals in contact with customers. For the retail business implementing an ISO 9001 QMS is more important or useful than certification.

    The following material will provide you information about improvement:
    - ISO 9001 – Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/
    - Benefits of ISO 9001 implementation for small businesses - https://advisera.com/9001academy/blog/2018/09/17/benefits-of-iso-9001-implementation-for-small-businesses/
    - Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Where to start


    Answer:
    When you start reading about the topic quality, in general, you will most likely find the PDCA cycle, something that stands for https://www.screencast.com/t/z2D8iAvLumfq

    According to this cycle, we start by planning our objective and then work towards attaining it.

    After years of using this approach, I found a better one, less known, developed by a Japanese, something like this: https://www.screencast.com/t/JJQxfx7S6

    We start in the Control Cycle. We have a standard (written or not), we work according to the standard, we check the results and we act, we decide what to do. If performance is OK we continue within the Control Cycle. If performance is not OK, or if we wa nt to improve current performance, our decision is to leave the Control Cycle and join the Improvement Cycle. We start with the problem, or challenge at hand, we plan a way to solve it or meet the target, we try an experiment (DO), we check the results, if the results are not OK our action, our decision is to plan another experiment. If the results are OK, our action is to set the experimental conditions as our new standard and we are back to the control cycle.

    So, I would recommend to first define clearly your problem, why it is a problem, and what will be the success criteria for that problem.

    The following material will provide you information about improvement:
    - ISO 9001 – How to use quality control tools to improve your QMS - https://advisera.com/9001academy/blog/2017/04/18/how-to-use-quality-control-tools-to-improve-your-qms/
    - Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Normative reference


    Answer:
    According to ISO Technical Committee 207, a normative reference is a reference to another document that is indispensable for the application of the standard. If a document is normatively referenced, an organization must conform to it in order to conform with the standard. In the case of ISO 14001:2015 it is a standalone document that can be applied without reference to any other documents.

    The following material will provide you information about the assessment of environmental interactions:

    - ISO 14001 – 4 steps in identification and evaluation of environmental aspects - https://advisera.com/14001academy/knowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/
    - List of ISO 14001 implementation steps - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/list-of-iso-14001-implementation-steps/
    - Free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - Book - THE I SO 14001:2015 COMPANION – A A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/

  • Templates content


    Answer: ISO 2701 clause 9.1 Monitoring, measurement, analysis and evaluation requires documented information as evidence of the monitoring and measurement results, and one way to ensure that is by using the Measurement Report. Of, course, if your organization already has another records you can use to fulfill this clause, this report is not needed.

    For further information, please read:
    - How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/

    2. Unauthorized use of printers, photocopiers, scanners and other shared equipment for copying Dell S2825CDN in the office at the headquarters is prevented by [specify how – e.g. by locking the facility, use of PIN numbers, access cards, etc.]. All the employees are authorized to use the printer/photocopier/scanner. Is it okay to wri te it like that?

    Answer: First it is important to note that any ISO 27001 control must be implemented only if you have unacceptable risks, legal requirements, or top management decisions demanding a control to be implemented.

    Considering that, if at least one of the previous circumstances applies to employees, you have to evaluate if this implementation will decrease risks to acceptable levels, or fulfill legal requirements. On the other hand, if you do not have any of the previous circumstances, you do not need to implement access control.

    Second, unauthorized use refers not only to employees, but to all people that can have access to the equipment (e.g., visitors, contractors, etc.). So, you also have to consider these personnel regarding risks, legal requirements, and top management decisions, to define if any control is needed regarding them.

    This article will provide you further explanation about selecting controls:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    3. The IT Security Policy and Security Procedures for IT Department document have a section at the end which is called "Managing records kept on the basis of this document". I could not find any templates for these records, but I do have an idea what I could write at some of these documents but it wouldn't be that much, ex. I hereby state that ______________ may take organizational assets off-site. The employee is fully responsible to take the necessary care while the assets are off-site. (at the bottom of the document a place where employer and employee both could sign). However for records such as "Security features and level of expected service for network services" I wouldn't know what to write. Do you possibly have examples for the records or something else so I can get a better picture of what I exactly have to write?

    Answer: A good example for "Security features and level of expected service for network services" would be a Specification of Information System Requirements, and you can find this template on folder 08 Annex A Security Controls = =A.14 System Acquisition Development and Maintenance

    For other records, in many cases organizations already have versions of them on their own operation, in paper form (corrective action record) or in information systems ( e.g. the logs of your backup system. ), that's why we do not provide them (it would be infeasible to create a template to cover all possible possibilities). In these cases we recommend customers to evaluate if their current records already comply with information required by policies and procedures. If yes, you can use them. If not, you can make a list of needed records and schedule a meeting with one of our experts, so he can guide you on how to develop such records.

    You can schedule a meeting at this link: https://advisera.com/27001academy/consultation/

  • 3rd party risk management


    Answer:

    Considering ISO 27001 requirements, 3rd party risk management is not much different from performing risk management on your own environment:
    - Define risk assessment methodology
    - Perform risk assessment
    - Perform risk treatment
    - Elaborate ISMS Risk Assessment Report
    - Elaborate Statement of Applicability
    - Define Risk Treatment Plan

    The main difference is that you have to formally define the risk assessment and treatment methodology with the third-party, e.g., by means of a contract, and define clear roles and responsibilities for each part (e.g., the third party will identify and analyze risks while your organization will evaluate them during the risk assessment implementation).

    These articles will provide you further explanation about risk assessment and treatment:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - How to w rite ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
    - 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

    These materials will also help you regarding risk assessment and treatment:
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

  • Documentation requirements

    >1 - One of the mandatory documents in the list in the toolkit is “Operating Procedures for IT Management”, is this not the same as an SOP?

    Answer: I'm assuming you are referring to the "Security Procedures for IT Department" template, located on folder 08 Annex A Security Controls ==> A.12 Operations Security

    Considering that, you can call this document a SOP, because it defines activities and responsibilities to ensure correct and secure functioning of information and communication technology.

    >2 - Sorry if I may have missed your point but does this mean that an Operating Procedure is only required for specific controls within our ISMS, such as backup procedures and SIEM tools etc?

    Answer: Your understanding is correct. Documents such as policies and procedures are required only when related controls identified as applicable in your Statement of Applicability demand documentation. Examples are controls A.9.1.1 Access control policy, and A.12.1.1 Documented operating procedures. Regarding backup, control A.12.3.1 Information backup does not require procedures to be documented, only that backup copies are taken and tested regularly (in this case documentation is more a question of good practice).

  • ISO 27001 for datacenters


    Answer:

    ISO 27001 can be used to certify organizations of any industry or size regarding how they protect information (by using a risk management approach to identify and treat relevant risks), so you can use it to certify a data center.

    We are not experts on countries local regulations or practices, so we cannot inform you if other countries or organizations apply the same approach as you described for the Australia Federal Government, but what we can say is that, in the case of Australia Federal Government, ISO 27001 can help you identify the requirements you need to fulfill for the classification level you want to apply to, and select, implement and manage the proper controls to h andle relevant risks.

    For example, if for T4 level cryptographic controls are required, ISO 27001 can provide guidance on this by means of controls A.10.1.1 Policy on the use of cryptographic controls and A.10.1.2 Key management.

    These articles will provide you further explanation about ISO 27001:
    - ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    - ISO 27001 Case study for data centers: An interview with Goran Djoreski https://advisera.com/27001academy/blog/2013/10/29/iso-27001-case-study-for-data-centers-an-interview-with-goran-djoreski/

    These materials will also help you regarding ISO 27001:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Page 594-vs-13485 of 1127 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +