Answer:
Every issue included in the SWOT matrix can be used to determine risks and opportunities.
Consider, as an example, a small sample of a SWOT matrix of an organization
Remember the ISO 9000:2015 definition of risk - risk as the effect of uncertainty. And then, in a note, the standard states that an effect is a deviation from the expected – positive or negative.
So, consider an overall desired outcome for the quality management system, an expected result: Win more sales from new customers.
Risks will work against meeting that expected result. Opportunities will help in meeting that expected result.
The organization can match the Opportunity with the Strength at the SWOT matrix above, and raise an opportunity:
Win new customers that were served by the now-closed competitor, making use of our fast sampling skills.
The organization can match the Threat with the Weakness at the SWOT matrix above, and raise a risk:
The economically weaker subcontractor could no longer be profitable and could close without orders from the now-closed competitor. Our orders alone don't sustain him. Without that subcontractor's capacity, we can win orders that we cannot serve due to our assembly capacity shortage.
How to identify aspects & impacts department-wise, e.g. Quality, Purchase, Assembly, Store, etc.?
It would be good if you could explain through an example.
Answer:
When working with an organization, during the environmental assessment of aspects and impacts I use two ways:
- Check the processes; and
- Check the locations.
By checking the process, I mean: draw a flowchart of what is being done and start to list aspects first and then potential impacts. To list potential impacts, one has to walk and visit the shop floor because impacts depend on the real situation.
By checking the location, I mean: walk through the installation, walk through the facilities and see what the present condition is, and if there is any situation, independent of processes that can be related with aspects and impacts.
For example, I'm implementing a management system in a company that builds steel structures. An initial flowchart allowed us to draw up this first list of aspects.
When I went to their warehouse, I saw that there was a leaking water tap, that there were several liquids in drums without prevention against leaks and spills, and that different kinds of waste were being mixed together.
The Risk Treatment Plan and the Implementation Plan
Answer:
First we apologize for the confusion.
The Risk Treatment Plan and the Implementation Plan are the same thing.
The "Risk Treatment Plan" template in section 10 is more related to the "do" phase of the project, when you are in fact implementing the controls, while the Risk Assessment and Risk Treatment process, whose documents are described in section 7, is related to the "planning" phase of the project. That's why these documents are in separate sections.
In your scenario, the RTO refers to the time required to resume an application operation, while the RPO refers to the acceptable data loss on a database.
Considering that, you can establish a single pair of RTO and RPO for the most critical applications and databases in your BIA, and from those you can derive other RTOs and RPOs for specific applications and databases when needed. For example, you can set an RTO of 4h for an application and an RPO of 1 day for a database from your most critical activities, but you may identify that for other activities you can define an RTO of 1 day for applications and an RPO of 5 days for databases. This way you can optimize your resources, allocating them where they are most needed to recover from a disruptive event.
Some examples of possible events that may happen in an Intensive Care Unit are:
- Failure of a ventilator's alarm
- A patient falls from the bed
- Not following correctly hand washing procedures
Many causes can be associated with the above risks, for instance nursing failure due to fatigue, the patient's sensibility, or equipment malfunctioning.
My recommendation is to conduct an FMEA analysis, a technique carried out to better identify and reduce errors. It is a systematic tool used to define, detect, prevent, eliminate or control failures, causes and effects of potential errors.
The GDPR requires controllers to engage only processors that are able to ensure that the personal data passed to them is processed in a secure and lawful manner.
The questionnaire you are asking about is meant to provide some basic information to controllers on the way in which potential or existing processors are handling personal data. So, you can use it as a part of your due diligence process for new processors or you can use it to check on your current processors.
For a small change to the SoA you only have to keep the evidence that the impact of the change was evaluated (e.g., by means of an additional management review) and that the required changes to implemented controls were properly planned and implemented. This evidence must be presented at the next surveillance audit.
For big changes to the SoA, we recommend that you contact your certification body so it can evaluate whether an extra surveillance audit is necessary, or whether the certification auditor can leave this verification for the scheduled surveillance audit.
I'm assuming you are referring to ISO 27001. Considering that, assets are classified based on the information they store, transmit or process, which in turn is classified in terms of legal requirements, value to the organization, criticality and sensitivity to unauthorized disclosure or modification.
For example, a storage unit which stores public and confidential information must be classified as confidential, because this is the highest classification of information it handles.