The Risk Treatment Plan and the Implementation Plan
Answer:
First we apologize for the confusion.
The Risk Treatment Plan and the Implementation Plan are the same thing.
The "Risk Treatment Plan" template in section 10 is more related to the "do" phase of the project, when you are in fact implementing the controls, while the Risk Assessment and Risk Treatment process, whose documents are described in section 7, is related to the "planning" phase of the project. That's why these documents are in separate sections.
In your scenario, the RTO refers to the time required to resume an application operation, while the RPO refers to the acceptable data loss on a database.
Considering that, you can establish a single pair of RTO and RPO for the most critical applications and databases in your BIA, and from those you can derive other RTOs and RPOs for specific applications and databases when needed. For example, you can set an RTO of 4h for an application and an RPO of 1 day for a database from your most critical activities, but you can identify that for other activities you can define an RTO of 1 day for applications and an RPO of 5 days for databases. This way you can optimize your resources, allocating them where they are most needed to recover from a disruptive event.
Some examples of possible events that may happen in an Intensive Care Unit are:
- Failure in ventilator's alarm
- A patient falls from the bed
- Not correctly following hand washing procedures
Many causes can be associated with the above risks, for instance nursing failure due to fatigue, patient's sensibility or equipment malfunctioning.
My recommendation is to conduct an FMEA analysis, a technique carried out to better identify and reduce errors. It is a systematic tool used to define, detect, prevent, eliminate or control failures, causes and effects of potential errors.
The GDPR requires controllers only to engage processors that are able to ensure that the personal data passed to them is processed in a secure and lawful manner.
The questionnaire you are asking about is meant to provide some basic information to controllers on the way in which potential or existing processors are handling personal data. So, you can use it as a part of your due diligence process for new processors or you can use it to check on your current processors.
For a small change to the SoA you only have to keep the evidence that the impact of the change was evaluated (e.g., by means of an additional management review) and that the required changes to implemented controls were properly planned and implemented. This evidence must be presented at the next surveillance audit.
For big changes to the SoA, we recommend that you contact your certification body so it can evaluate whether an extra surveillance audit is necessary, or whether the certification auditor can leave this verification for the scheduled surveillance audit.
I'm assuming you are referring to ISO 27001. Considering that, assets are classified based on the information they store, transmit or process, which in turn are classified in terms of legal requirements, value to the organization, criticality and sensitivity to unauthorized disclosure or modification.
For example, a storage unit which stores public and confidential information must be classified as confidential, because this is the highest classification of information it handles.
Answer:
Particular cases of risk mitigation can be taken as quality objectives, as long as the particular topic is in line with the quality policy. For example, one quality objective can be reducing the defect rate of a production line. When analyzing the production process, the occurrence of defects could have been identified as a critical risk.
Answer:
Setting OH&S objectives per section 6.2.1, and the targets for these objectives, are intended to be improvement activities for the organization, and not necessarily related to individual sections of the standard. In short, it is about what you as an organization feel the need to improve, and then planning for that improvement.
That being said, the internal and external issues that you have identified as part of clause 4.1 could be an indicator of an improvement that is needed. For instance, you might identify that a certain chemical that is required for your product has a negative OH&S risk (an internal issue), and you could make the decision to set an objective to reduce the amount of this chemical needed in your product by finding a replacement. Your target would then be a reduced amount of the chemical used.
For more information on OH&S objectives, see the article: How to define ISO 45001 objectives and plans, https://advisera.com/45001academy/blog/2018/12/04/how-to-define-iso-45001-objectives-and-plans/