
  • Arguments for control adoption

    I have a specific reason to want advice. I've bought 4 or 5 items from you guys now and they are all excellent, but the reason for looking at this one is because the other staff in the organisation are pushing back on the effects it's having on them for convenience reasons. So they are not happy with having to remember their passwords - understandable, of course; it would be more convenient to rely on a browser remembering them or to use a simple password that doesn't expire, etc.
    ISO 27001 requires us to have a password policy or access policy which applies risk treatment. But I am looking for something to back up my argument that we need real control measures specifically about web browsers storing password information, and I was really hoping your standard document would have some kind of concrete best practice for me to produce as a compelling case to do that. It's a very specific question, I know, and I really appreciate any advice on it.

    PS. I must say the Internal Audit Procedure document I downloaded from you guys was the best value. Actually my query was really focused on internet browsers saving passwords – in the free trial version I can’t see whether you guys make reference to that, but perhaps it’s implied by “files containing passwords must be stored separately from the application’s system data”?

    Answer:

    To back up your argument about a password policy to people who are uncomfortable with it, you should seek:
    - the results of your risk assessment about the impacts of risks related to information compromise by means of weak or misused passwords.
    - clauses related to contracts with customers or suppliers demanding the use of a password policy and the consequences of not fulfilling such clauses.
    - clauses related to laws or regulations your organization must comply with demanding the use of a password policy and the consequences of not fulfilling such clauses.

    With this information you can show them the potential impacts the organization is exposed to if they do not handle passwords properly.

    For example, the compromise of customer information due to lack of care with passwords can lead to heavy fines considering EU GDPR (the fine can be up to 4% of the revenue, which might mean millions of dollars). This may be an argument strong enough to support the adoption of a password policy.

    This article will provide you further explanation about selecting controls:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
  • Documentation required


    Answer:
    I believe you are using QMH as Qualitätsmanagementhandbuch. We can start with the mandatory documentation required by ISO 9001:2015 and then, add those other documents that your organization considers useful, although not mandatory. Please consider the information available at List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/

    If you check ISO 9001:2015 clause 4.4.2 you see that organizations are invited to consider what kind of other documentation they need (procedures, instructions, videos, records, …)

    We at Advisera developed a Document Toolkit that organizations can adapt and use - ISO 9001:2015 Documentation Toolkit - https://advisera.com/9001academy/iso-9001-documentation-toolkit/ This free webinar – How to use a Documentation Toolkit for the implementation of ISO 9001 - https://advisera.com/9001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-9001-free-webinar-on-demand/ can be seen as a webinar on demand.

    Check also this book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/
  • Management representative in ISO 14001:2015


    Answer:

    In the new version of the standard ISO 9001:2015 it is not mandatory to appoint a management representative, instead organizations have different ways to appoint responsibility. Actually, the standard states that the responsibilities can be assigned to an individual, several individuals or a member of top management.

    So if you choose to use a management representative, this person needs to have the necessary training and knowledge of the standard and also the ability to coordinate all aspects of the QMS. Therefore if you think the office manager meets these requirements he/she can take up this role.

    You can see these materials to help you with the role of the management representative:
    - Article – Is the management representative still the best option to coordinate EMS according to ISO 14001:2015?: https://advisera.com/14001academy/blog/2016/02/08/is-the-management-representative-still-the-best-option-to-coordinate-ems-according-to-iso-140012015/
    - Book – The ISO 14001:2015 companion: https://advisera.com/books/the-iso-14001-2015-companion/
    - Free on-line training – ISO 14001:2015 Foundations: https://advisera.com/training/iso-14001-internal-auditor-course/
  • Writing a good quality policy and objectives


    Answer:

    Regarding the quality policy, it should comply with the following statements:
    - is appropriate to the purpose and context of the organization
    - supports the strategic direction of the organization
    - is the basis for establishing quality objectives
    - includes a commitment to comply with ISO 9001 requirements
    - includes a commitment to continual improvement
    You also need to consider that the quality policy needs to be documented and available to the interested parties and also must be understood by the employees so they can apply it.

    To learn more about the quality policy see these articles:
    - How to write a good quality policy: https://advisera.com/9001academy/blog/2014/03/25/write-good-quality-policy/
    - How does the ISO 9001:2015 revision affect the quality policy: https://advisera.com/9001academy/blog/2018/04/10/how-does-the-iso-90012015-revision-affect-the-quality-policy/

    When it comes to the quality objectives, make sure they are S.M.A.R.T (specific, measurable, achievable, realistic and time-based) but also that they are relevant at all levels of the organization, that is, each employee should understand the objectives and how their job helps meet those quality objectives.

    To learn more about the quality objectives see this article:
    - Article – How to write good quality objectives: https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/

    You can also see these materials to help you with the quality policy and quality objectives:
    - Book – Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free on-line training – ISO 9001:2015 Foundations: https://advisera.com/training/iso-9001-foundations-course/
  • Missing documents from the toolkit

    Chapter 5 Information security Policies
    Chapter 18 Compliance

    Both chapters are missing in the Dutch toolkit and no documents are included. Are these missing, or are these chapters not obligatory so I can forget them? Will no questions be asked about these chapters during an audit?

    Answer:

    First of all, sorry for this confusion.

    The documents from sections A.5 and A.18 are not missing from the toolkit – you can find them here:
    - A.5 – all the documents from folder “08 AnnexA” cover the requirements about information security policies (A.5.1.1 and A.5.1.2)
    - A.18 – these documents are covered in the toolkit in folder "02 Procedure for identification of requirements”

    Included in the toolkit there is a List of Documents file that shows which documents cover which clauses of the standard.
  • Costs and time for certification


    Answer:

    Without detailed information about the certification scope it is not possible to give you a precise answer.

    Regarding costs, what I can tell you are some cost issues you should consider:
    - Training and literature
    - External assistance
    - Technologies to be updated / implemented
    - Employee's effort and time
    - The certification process

    These materials can provide you more information:
    - How much does ISO 27001 implementation cost? https://advisera.com/27001academy/blog/2011/02/08/how-much-does-iso-27001-implementation-cost/
    - 5 ways to avoid overhead with ISO 27001 (and keep the costs down) https://advisera.com/27001academy/blog/2012/06/19/5-ways-to-avoid-overhead-with-iso-27001-and-keep-the-costs-down/
    - How to Budget an ISO 27001 Implementation Project https://info.advisera.com/27001academy/free-download/how-to-budget-an-iso-27001-implementation-project/

    For the duration of the implementation, use this Calculator: https://advisera.com/27001academy/free-tools/free-calculator-duration-of-iso-27001-iso-22301-implementation/

    These materials will also help you regarding ISO 27001 project:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Interpretation of audit report

    Is the auditor looking for a documented procedure and a record of the type and extent of control?”

    Answer:
    In my interpretation the auditor is not asking for documented procedures. In my interpretation the auditor is asking for a clear and systematic answer to the questions: Is there any kind of planned control for purchasing? Does your organization control all incoming materials, services and subcontracted processes the same way? For each incoming material, service and subcontracted process: What do you control? Who controls? What are the specifications? What are the sampling quantities? Where are results recorded? Do you need to check subcontracted processes? By whom? With what frequency? Where do you record those control activities?

    As far as I remember “old” ISO 9001 vocabulary, “special processes”, now in clause 8.5.1 f), need to have some kind of process capacity control. For example, in welding we require welder professional certification, in pasteurization we require temperature and process control. Your organization should require some kind of evidence that special processes such as NDE are done correctly, with people and equipment able to deliver the right results.

    The following material will provide you information about purchasing requirements:
    - ISO 9001 – How to establish process validation in the QMS - https://advisera.com/9001academy/blog/2017/01/31/how-to-establish-process-validation-in-the-qms/
    - How to control outsourced processes using ISO 9001 - https://advisera.com/9001academy/blog/2015/05/05/how-to-control-outsourced-processes-using-iso-9001/
    - Free online training - ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - book - ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/
  • Becoming an expert in ISO 45001


    Answer:
    The best way to become more well versed on ISO 45001 is by using it. I would recommend going through the standard and working out for yourself how it would be implemented for an organization. Probably the 2 things that you would need to study for the particular teaching organization that you want to be an expert for are the legal requirements and the OH&S hazard and risk assessment.
    Knowing the legal requirements that an organization needs to meet is very often specific to the organization at the location indicated. Likewise, understanding the processes of the organization, as well as the hazards that these different processes can present for workers, is a very specific skill that the OH&S expert in any organization needs to master.
    For more on complying with legal requirements, see this article: How to identify and comply with legal requirements in ISO 45001, https://advisera.com/45001academy/blog/2015/06/24/how-to-identify-and-comply-with-legal-requirements-in-iso-45001/
  • Approaching management


    Answer:

    For situations like that you have to explain to them that the proper approach would be to base their decision on which controls to use on the results of risk assessment and legal requirements (e.g., contracts, laws and regulations). This way you can decrease friction, because you would be working only on risks that people consider relevant, or that they have to treat because they have external enforcement to do that (by means of clauses on service agreements, on customer contracts, or on laws/regulations).

    This article will provide you further explanation about selecting security controls:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    For a better commitment you should convince your top management about the benefits of information security - here's the article that will help you: Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/

    These materials will also help you regarding selecting controls:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Documenting risks and opportunities in ISO 9001:2015

    Risk & Opportunities - Connected to above internal & external issue as to how we mitigated those risk that's what we need to do correct. Do we need to create a document for that.

    Answer:

    You need to demonstrate somehow that you are complying with section 6.1; for that you can choose a risk register and a risk assessment document, both commonly used in the implementation of ISO 9001. However, ISO 9001 does not state that you need to document anything related to risks and opportunities, just that you must perform the processes in section 6.1, including:
    - identify your risks and opportunities,
    - plan a response with the necessary actions,
    - integrate those plans into your QMS and
    - evaluate its effectiveness.
    In addition, the organization must update the risks and opportunities as an outcome of process non-conformities (section 10.2). So the answer is that according to the standard, although documented information is not mandated, your company may have a different need for documented information and records regarding QMS risks and opportunities, such as a risks and opportunities register or a risk assessment document. But it is up to your organization how to do it; for example, you can evaluate your risks at a management meeting and decide what actions to take without having a specific document written and still be compliant with the standard requirements.

    You can see a free pre-view of our risk management toolkit here: https://advisera.com/9001academy/iso-90012015-risk-management-toolkit/

    To learn more about how to document risks and opportunities see these materials:
    - Article - Does ISO 9001 require a procedure for addressing risks and opportunities?: https://advisera.com/9001academy/blog/2017/10/10/does-iso-9001-require-a-procedure-for-addressing-risks-and-opportunities/
    - Article - How to address risks and opportunities in ISO 9001: https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    - Book – Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free on-line training – ISO 9001 Foundations course: https://advisera.com/training/iso-9001-foundations-course/