
  • What does ISO 45001 add to SAMTRAC

    2. Do I need to do it or is Samtrac and Safety management enough?
    Answers:
    1. The ISO 45001:2018 standard is an internationally recognized standard that includes all of the processes which are agreed to be necessary for a comprehensive system to manage and improve OH&S performance in the workplace. The standard goes beyond simply meeting legal requirements and managing risk, but also includes the need to improve the processes and OH&S performance over time. This improvement focus, along with the need to integrate OH&S processes into the business processes, is an addition to the ISO 45001 standard which goes beyond just managing safety and OH&S risk. This being said, ISO 45001:2018 is a document which contains the requirements for an organization to implement, and is not something that an individual is certified to. An individual can only understand how to implement the standard, and be trained to implement and audit the requirements.
    2. This depends on what you wish to do. SAMTRAC deals with occupational risk management, and fits in very well with the overall safety management processes. Using the ISO 45001:2018 standard to understand all of the requirements of a world-recognized OH&S management system can help you to understand how safety and risk management integrate into the processes of the company, which could be very useful for anyone you are going to consult.
    For more information on understanding the ISO 45001 clauses, see this whitepaper: Clause-by-clause explanation of ISO 45001:2018, https://info.advisera.com/45001academy/free-download/clause-by-clause-explanation-of-iso-45001
  • ISO 45001 Risk and opportunity process

    Answer:
    The ISO 45001:2018 standard does not require any specific method for identifying and assessing risks and opportunities. Many companies will do this by brainstorming the risks and opportunities that they know exist for the OHSMS, and then determining if they need to do something, and if so what those actions will be. For most companies this will be the easiest and most effective process to start with, and they may adapt their risk and opportunity assessment as they find improvements.
    For more information on the risk & opportunity requirements, see this article: What are the new requirements for risks and opportunities according to ISO 45001?, https://advisera.com/45001academy/blog/2018/04/25/what-are-the-new-requirements-for-risks-and-opportunities-according-to-iso-45001/
  • Academe's suppliers


    Answer:
    Yes, criteria for evaluation and selection of suppliers (clause 8.4.1) is a mandatory document. If you consider graduated students as your school products, we can see your system as https://www.screencast.com/t/k3w9PTsAYciK

    We can ask what products or services the school uses as inputs to perform its services. Once I helped a school implement its quality management system and I remember that they considered as suppliers:
    * Transportation services;
    * Canteen services;
    * Cleaning services;
    * Accommodation services;
    * Maintenance services;

    Perhaps you can find these examples as an inspiration to your case.

    The following material will provide you more information:
    - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
    - Should universities implement ISO 9001? - https://advisera.com/9001academy/blog/2015/04/21/should-universities-implement-iso-9001/
    - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - book - ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/
  • Application of control A.17.2.1


    Answer:

    Reference to Recovery strategy for IT infrastructure in the Statement of Applicability is needed only for companies that want to be compliant with ISO 22301 together with ISO 27001. If you are going for ISO 27001 only, we do not recommend that you do the Recovery strategy for IT infrastructure because it will complicate the whole process - instead, for the control A.17.2.1 we recommend that you refer to the Disaster Recovery Plan - you can find it in your toolkit in the folder 08 Annex A - A.17 Business continuity.

    If you decide to go for Recovery strategy for IT infrastructure, you can find the template here: https://advisera.com/27001academy/documentation/business-continuity-strategy/
  • Risk management


    Answer: Risk management means policies, procedures, and practices for identifying, analyzing, evaluating, and treating risks, and this can be done through different approaches (e.g., ISO 27005 - a supporting standard for ISO 27001, ISO 31000, NIST Cyber Security Framework, etc.). Considering that, you should evaluate the approaches used on what you call usual Risk management and third party risk management to see if they are in fact different.

    For example, if usual Risk management is based on ISO 27005 and third party risk management is based on ISO 31000 then they are very similar. On the other hand, if usual Risk management is based on ISO 27005 and third party risk management is based on NIST CSF, they have considerable differences.

    These articles will provide you more information:
    - ISO 31000 and ISO 27001 – How are they related? https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/
    - Which one to go with – Cybersecurity Framework or ISO 27001? https://advisera.com/27001academy/blog/2014/02/24/which-one-to-go-with-cybersecurity-framework-or-iso-27001/

    2 - And how about taking a job in Risk management and taking a job of being an IT auditor, when you have these two offers in hand, what do you think which one to go with as per your advice?

    About me -- I have 4 years experience in ITGC and SOX implementation and monitoring. Currently looking for better opportunities which help me in exploring myself into Cyber security domain.

    Answer: Your choice will depend on your professional objectives. If you want to work establishing a secure environment, you should consider the risk management offer. On the other hand, if you want to work to ensure implemented controls are properly implemented and bringing expected results, then you should consider the IT auditor offer. Your background allows you to choose both ways.

    This article will provide you further explanation about becoming an auditor:
    - How to become ISO 27001 Lead Auditor https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/

    This material will also help you regarding becoming an auditor:
    - ISO 27001:2013 Lead Auditor Course https://advisera.com/training/iso-27001-lead-auditor-course/
  • ISO 27001 in software development


    Answer:

    First it is important to note that ISO 27001 requirements and controls are not intended for products, but for the processes involved in their development. Considering that, you can apply ISO 27001 to your software development and maintenance processes, in the following way:
    - Identification of security requirements and specifications your software must fulfill
    - Definition of general and specific rules for secure software development and testing
    - Change control
    - Proper use of outsourced development
    - Protection of testing data

    These materials will provide you further explanation about securing software development:
    - How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/
    - How to set security requirements and test systems according to ISO 27001 https://advisera.com/27001academy/blog/2016/01/11/how-to-set-security-requirements-and-test-systems-according-to-iso-27001/
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • List of Legal, Regulatory, Contractual and Other Requirements


    Answer:

    The "List of Legal, Regulatory, Contractual and Other Requirements" template is a form where you can fill in the legal, regulatory, contractual and other requirements that are relevant to your ISMS, so it does not contain any information about specific requirements.

    In the following article you can find a list of some laws and regulations required in the United Kingdom:
    - Laws and regulations on information security and business continuity https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/

    Unfortunately, this list is not fully up-to-date because it depends on voluntary contributions from our readers – therefore, it is likely that not all regulations related to the United Kingdom are listed (most of the mentioned ones are not sector-related, and those which are sector-related cover the electronics and communication sectors). To make sure you have the latest list of laws and regulations, it would be best to hire a local legal adviser.
  • ISO 20000:2011 -> ISO 20000:2018 transition


    Answer:
    First of all, investment made in ISO 20000 (according to the 2011 revision of the standard) is not wasted effort. Many elements are "recyclable". There are some parts that are simplified but there are also some new requirements.
    First of all - new revision follows High Level Structure (HLS), so if you have any other management system in place, it will be very usable in ISO 20000 transition.
    Documentation requirements are less than in 2011 revision. But, most of the documents can be reused although not directly required (e.g. Capacity Plan - it's not required to document it but you need to plan it).
    Few new requirements (e.g. Context of the organization or Knowledge Management) will need to be addressed but experience with other management systems helps.
    Process requirements - many of them are simplified. That leaves more space for the implementation according to your own organizational setup (or some see it as - lowering bureaucracy).
    Note that there are some items that are renamed, like CMDB - focus is on Configuration information.
    You will also need to split some processes, like Incident and Service Request Management.

    So, yes, there are changes, but nothing that is invincible.
  • ISO 13485 for small companies


    Answer:

    The Standard is applicable to any company dealing with medical devices. It does not take into account the size of the organization. In the case of smaller companies, it is very common for the founder and director to assume many roles in the QMS such as Management Representative and process owner. Since your company is dealing with Medical Image management, there might be some clauses that are not applicable to your case, making it simpler for you to adopt the ISO.

    For more information, please refer to:

    Diagram of ISO 13485:2016 Implementation Process
    https://info.advisera.com/13485academy/free-download/diagram-of-iso-134852016-implementation-process

    List of mandatory documents required by ISO 13485:2016
    https://advisera.com/13485academy/blog/2017/01/18/list-of-mandatory-documents-required-by-iso-134852016/
  • Design and development topics


    Answer:
    I like to see design and development as a journey. https://www.screencast.com/t/reXnDk1dzHK

    At the beginning of that journey, your organization at step 1 collects all the requirements that a new product or service must comply with. These requirements can be performance specifications; compliance specifications; timing specifications; production or provision constraints, …

    During step 3 your organization creates the product or service prototype, or the first samples. With that prototype or samples, a verification is made by comparing actual performance with all the constraints and performance established as inputs at step 4.

    At step 5 the product or service is tested by the customer to validate its performance in real life conditions.

    Remember that in the end, your organization should have:

    Product or service specifications;
    Production process or service provision specifications and instructions;
    Purchasing specifications; and
    Documented information specifications.

    The following material will provide you with more information about design and development:
    - How to deal with design and development changes in the technology sector using ISO 9001 - https://advisera.com/9001academy/blog/2017/02/28/how-to-deal-with-design-and-development-changes-in-the-technology-sector-using-iso-9001/
    - Specific use of ISO 9001 design and development in the machining process - https://advisera.com/9001academy/blog/2017/03/14/specific-use-of-iso-9001-design-and-development-in-the-machining-process/
    - The ISO 9001 Design Process Explained - https://advisera.com/9001academy/blog/2013/11/05/iso-9001-design-process-explained/
    - About records required by ISO 9001 about design and development consider - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
    - About conducting design and development reviews consider - ISO9001 Design Verification vs Design Validation - https://advisera.com/9001academy/knowledgebase/iso9001-design-verification-vs-design-validation/
    - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/