Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11272 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Becoming an expert in ISO 45001
Answer:
The best way to become more well versed on ISO 45001 is by using it. I would recommend going through the standard and working out for yourself how it would be implemented for an organization. Probably the 2 things that you would need to study for the particular teaching organization that you want to be an expert for are the legal requirements and the OH&S hazard and risk assessment.
Knowing the legal requirements that an organization needs to meet is very often specific to the organization at the location indicated. Likewise, understanding the processes of the organization, as well as the hazards that these different processes can present for workers, is a very specific skill that the OH&S expert in any organization needs to master.
For more on complying with legal requirements, see this article: How to identify and comply with legal requirements in IS O 45001, https://advisera.com/45001academy/blog/2015/06/24/how-to-identify-and-comply-with-legal-requirements-in-iso-45001/ -
Approaching management
Answer:
For situations like that you have to explain them that the proper approach would be base for their decision on which controls to use as results of risk assessment and legal requirements (e.g., contracts, laws and regulations). This way you can decrease friction, because you would be working only on risks that people consider relevant, or that they have to treat because they have external enforcement to do that (by means of clauses on service agreements, on customer contracts, or on laws/regulations).
This article will provide you further explanation about selecting security controls:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
For a better commitment you should convince your top management about the benefits of information security - here's the article that will help you: Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
These materials will also help you regarding selecting controls:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
Documenting risks and opportunities in ISO 9001:2015
Risk & Opportunities - Connected to above internal & external issue as to how we mitigated those risk that's what we need to do correct. Do we need to create a document for that.
Answer:
You need to demonstrate somehow that you are complying with section 6.1, for that you can choose a risk register and a risk assesment document, both commonly used in the implementation of ISO 9001. However, ISO 9001 does not state that you need to document anything related to risks and opportunities, just that you must perform the processes in section 6.1, including:
- identify your risks and opportunities,
- plan a response with the necessary actions,
- integrate those plans into your QMS and
- evaluate its efectiveness.
In addition, the organization must update the risks and opportunities as an outcome of process non-conformities (section 10.2). So the answer i s that according to the standard, although documented information is not mandate, your company may have a different need for documented information and records regarding QMS risks and opportunities, such a risks and opportunities register or a risk assesment document. But this is up to your organization how to do it, for example, you can evaluate your risks at a management meeting and decide what actions to take without having a specific document written and still be compliant with the standard requirements.
You can see a free pre-view of our risk management toolkit here: https://advisera.com/9001academy/iso-90012015-risk-management-toolkit/
To learn more about how to document risks and opportunities see these materials:
- Article - Does ISO 9001 require a procesure for addressing risks and opportunities?: https://advisera.com/9001academy/blog/2017/10/10/does-iso-9001-require-a-procedure-for-addressing-risks-and-opportunities/
- Article - How to address risks and opportunities in ISO 9001: https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
- Book – Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
- Free on-line training – ISO 9001 Foundations course: https://advisera.com/training/iso-9001-foundations-course/ -
Performing BIA
Answer:
Considering your need for a DIY BIA, I recommend you to take a look at these articles:
- How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
- Five Tips for Successful Business Impact Analysis https://advisera.com/27001academy/blog/2010/06/10/five-tips-for-successful-business-impact-analysis/
I also recommend you to take a look at the free demo of our ISO 22301 Business Impact Analysis Toolkit at this link: https://advisera.com/27001academy/iso22301-business-impact-analysis-documentation-toolkit/
In this toolkit you have templates for Business Impact Analysis Methodology, and Business Impac t Analysis Questionnaire, which can help you perform a business impact analysis according ISO 22301, the ISO standard for business continuity.
With this toolkit you also have access to business impact analysis video tutorials that will help you fill the documents and perform the BIA.
This material will also help you regarding business impact analysis:
- Implementing Business Impact Analysis according to ISO 22301 [free webinar] https://advisera.com/27001academy/webinar/implementing-business-impact-analysis-according-to-iso-22301-free-webinar/ -
Supplier security
Answer:
If this software that serves your prime customer is part of the ISMS scope, then probably these partners of yours will have to fulfill security requirements related to ISO 27001 Annex A, as result of risk assessment, or by means of security clauses included in contracts or service agreements.
These articles will provide you further explanation about supplier security:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/ -
Templates content
1. User Registration and De-registration Policy
2. User Registration and De-registration Register
Privileged access rights and user access rights
3. Encryption Policy
Encryption to be implemented across the assets of the organization including personal devices. New employees are to be provided with company assets that will ensure consistency of security.
Encryption Policy to be developed that will outline Capen’s approach to use and the lifecycle of Encryption keys across all assets of the business.
4. Information Backup Policy
Outlining the procedures, frequency of backups, logging of backups
5. Event Logging Policy
Outlining the procedures, logging of events subject to the risk to the business and escalation to the Risk Management procedures being adopted by the business.
Answer:
To fulfill your needs, I suggest you to look at the following documents:
1. User Registration and De-registration Policy - Look at the Access C ontrol Policy template: https://advisera.com/27001academy/documentation/access-control-policy/
2. User Registration and De-registration Register - There is no specific template for this register.
3. Encryption Policy - Look at the Policy on the Use of Cryptographic Controls template: https://advisera.com/27001academy/documentation/policy-on-the-use-of-encryption/
4. Information Backup Policy - Look at the Backup Policy template: https://advisera.com/27001academy/documentation/backup-policy/
5. Event Logging Policy - Look at the Operating Procedures for Information and Communication Technology template: https://advisera.com/27001academy/documentation/security-procedures-for-it-department/ -
Is it possible to integrate ISO 9001 with other standards?
Answer:
I understand that you want to mean ISO 9001 which is a standard within the ISO 9000 family. ISO 9000 is a series, or family of quality management standards. You can implement ISO 9001 alone or integrate it with other standards, the most common are ISO 14001, ISO 45001 and ISO 27001.
To learn more about integrating ISO 9001 with other standards see the following materials:
- Article - How to integrate ISO 14001 and ISO 9001: https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/how-to-integrate-iso-14001-and-iso-9001/
- Article - How to integrate ISO 9001 and ISO 27001: https://advisera.com/9001academy/blog/2016/09/27/how-to-integrate-iso-9001-and-iso-27001/
- Article - How to integrate ISO 45001 with ISO 9001 and ISO 14001: https://advisera.com/45001academy/blog/2018/09/12/how-to-integrate-iso-45001-with-iso-9001-and-iso-14001/
- Book – Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
- Free on-line training - ISO 9001 Foundations course: https://advisera.com/training/iso-9001-foundations-course/ -
Información sobre la gestión de riesgos
Respuesta:
Los siguientes artículos pueden serle de ayuda para ampliar información sobre la gestión de riesgos en su organización:
- El enfoque basado en riesgos reemplazando las acciones preventivas en la ISO 9001:2015: los beneficios: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/el-enfoque-basado-en-riesgos-reemplazando-las-acciones-preventivas-en-la-iso-90012015-los-beneficios/
- How to address risks and opportunities in ISO 9001: https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
- Does ISO 9001 require a procedure for addressing riks and opportunities?: https://advisera.com/9001academy/blog/2017/10/10/does-iso-9001-require-a-procedure-for-addressing-risks-and-opportunities/
- How to identify risk significance in ISO 9001:2015: https://advisera.com/9001academy/blog/2019/01/14/how-to-identify-risk-significance-in-iso-90012015/
Además puede asistir de forma gratuita a este webinar que será impartido en mayo o descargar el último desde la página web - Cómo implementar la gestión de riesgos en ISO 9001:2015:
https://advisera.com/9001academy/es/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar/
También están disponibles los siguientes materiales que pueden interesarle:
- Libro - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
- Curso gratuito en línea - Curso de Fundamentos de la norma ISO 9001:2015: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
Por otro lado puede descargar una versión gratuita del paquete de documentos para la gestión de riesgos en ISO 9001:2015: https://advisera.com/9001academy/es/paquete-de-gestion-de-riesgos-iso-9001/ -
ISO 27001 Toolkit content
Answer:
First of all, sorry for this confusion.
The documents from sections A.5 and A.18 are not missing from the toolkit – you can find them here:
- A.5 – all the documents from folder “08 AnnexA” cover the requirements about information security policies (A.5.1.1 and A.5.1.2)
- A.18 – these documents are covered in the toolkit in folder "02 Procedure for identification of requirements”
Included in the toolkit there is a List of Documents file that shows which documents cover which clauses of the standard. -
Tratamiento de un producto no conforme
Respuesta:
Con la información que me facilita entiendo que se trata de una no conformidad que ha sido detectada durante el proceso de fabricación del producto u otro proceso. En tal caso es una forma de tratar una salida (producto realizado) no conforme mediante el método de aceptación bajo concesión. Para ello necesita obtener la autorización de una autoridad relevante, por ejemplo un laboratorio que realice el análisis técnico de su producto, y si fuera necesario la aceptación del cliente. Esta concesión debe ser recogida en el registro de no-conformidades.
Puede echar un vistazo a estos materiales que le ayudarán a entender cómo tratar un producto no-conforme:
- Artículo - Understanding dispositions for ISO 9001 non-conforming product: https://advisera.com/9001academy/blog/2014/11/18/understanding-dispositions-iso-9001-nonconforming-product/
- Libro - Discover ISO 9001 :2015 though practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
- Curso gratuito en línea - Curso de fundamentos de la norma ISO 9001:2015: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/