
  • Life cycle consideration

    I am wondering to what extent we are expected to control/influence these outsourced processes. We ensure any relevant products are CE compliant etc., are transported correctly, and do not contain any banned substances. But what we don't do is control/monitor the processes within their factories to ensure they are environmentally friendly.
    I am worried that when we get audited the auditor will find some non-conformances because of this. Do you have any advice as to what is expected by this clause for a small business like ourselves? In this scenario would a simple statement be sufficient to explain this and state that we have asked the supplier to consider all environmental impacts it is causing? I would much appreciate any advice.”

    Answer:
    The life cycle perspective implies consideration of the material life cycle associated with the products and services and does not require a detailed evaluation. Check this ISO text - Life cycle perspective - what ISO 14001 includes - https://committee.iso.org/sites/tc207sc1/home/projects/published/iso-14001---environmental-manage/life-cycle.html

    According to your organization’s particular context, you should determine which stages of the life cycle you can control or influence. Remember that the word used by ISO 14001:2015 is “consideration”, not a very strong requirement. Therefore, it is necessary to realistically assess what is actually controllable and what can be influenced, and act accordingly.

    The following material will provide you with information about the life cycle perspective:

    - ISO 14001 – Lifecycle perspective in ISO 14001:2015 – What does it mean? - https://advisera.com/14001academy/blog/2017/02/20/lifecycle-perspective-in-iso-140012015-what-does-it-mean/
    - How does product life cycle influence environmental aspects according to ISO 14001:2015? - https://advisera.com/14001academy/blog/2016/03/21/how-does-product-life-cycle-influence-environmental-aspects-according-to-iso-140012015/
    - free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • IATF Internal audit competency


    Answer:
    Internal audit can be done with an internal audit certificate; that certificate is proof of competence for a person to conduct an internal audit.

    2. Where could I find info on this matter?

    Answer:
    Internal audit against the requirements of IATF 16949 must be performed by a competent person as defined in chapter 7, 7.2.3 Internal auditor competency. Based on it, the organization shall retain documented information to demonstrate the trainer's competency with these requirements.
    Maintenance and improvement must be verified by:
    • Minimum number of audits per year – as defined by the organization
    • Maintaining knowledge of the relevant requirements (technology, standards, methods, customer-specific requirements)
    So, if an internal auditor leaves the company and wants to do the internal audit as an external party, he can do it if he can prove that he has the minimum number of audits and maintains knowledge of the relevant requirements (especially customer-specific requirements).

    Please look at our article on this topic: Requirements for the competence of IATF 16949 internal auditors: https://advisera.com/16949academy/blog/2017/10/19/requirements-for-competence-of-iatf-16949-internal-auditors/

    In
  • Questions to top management

    Or the types of questions to direct to CISO, CIO, or CTO to identify the types of technologies they have implemented to mitigate future cyberattacks.

    Answer:

    First, it is important to understand that in general the C-level will not think directly about risk (nor do they have to), so you have to ask questions about their concerns regarding the business objectives (what they are, which are the most important, and why) and how information can help achieve these objectives, or prevent them from being achieved. From these answers you will be able to identify their risk posture, the most relevant risks, and what you can do to treat them.

    Another important issue is that in general these questions are asked by the person responsible for information security (i.e., the CISO or similar role).

    These articles will provide you with further explanation about requirements identification:
    - Top management perspective of information security implementation https://advisera.com/27001academy/blog/2012/12/04/top-management-perspective-of-information-security-implementation/
    - Management’s view of information security https://advisera.com/27001academy/blog/2011/05/16/managements-view-of-information-security/
    - How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
  • Information security cloud policy


    Answer:

    To elaborate an information security policy which also considers cloud security, I suggest you take a look at the free demo of these two templates:
    - Information Security Policy https://advisera.com/27001academy/documentation/information-security-policy/
    - Cloud Security Policy https://advisera.com/27001academy/documentation/cloud-security-policy/

    They can guide you on how to define the purpose, direction, principles and basic rules for information security management, and how to manage the security of a cloud environment infrastructure.

    This article will provide you with further explanation about the information security policy:
    - What should you write in your Information Security Policy according to ISO 27001? https://advisera.com/27001academy/blog/2016/05/30/what-should-you-write-in-your-information-security-policy-according-to-iso-27001/
  • Internal audit and certification


    Answer:

    You need to perform an internal audit and corrective actions for identified nonconformities before applying for certification, so you can provide evidence of audit results required by the standard (e.g., audit report, nonconformity action plans, etc.). Additionally, the results of the internal audit are required for the management review, another mandatory requirement for certification.

    These articles will provide you with further explanation about what to expect from the certification audit:
    - Becoming ISO 27001 certified – How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/
    - Infographic: The brain of an ISO auditor – What to expect at a certification audit https://advisera.com/articles/infographic-the-brain-of-an-iso-auditor-what-to-expect-at-a-certification-audit/

    These materials will also help you regarding internal audit:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - ISO 27001:2013 Internal Auditor course https://advisera.com/training/iso-27001-internal-auditor-course/
  • Objective and consequence

    P – Profit
    Q – Quantity
    P – Productivity
    D – Development
    Q – Quality
    C – Cost
    D – Delivery
    M – Morale (including safety, training, attrition, rewards/awards/appreciation)
    The very first parameter is not easy to calculate. Pl. suggest”

    Answer:
    These things are not calculated sequentially but iteratively. I arrange your items according to the figure below in a sort of cause-effect relationship map.

    Be aware of which items are critical to winning your target customers. Customers are not all alike, some value innovation and development, others value service and flexibility, and others value price above all. Operational perspective topics should be a function of your target-customers and not a general list. https://www.screencast.com/t/3h389ewT6

    Personally, I look at profit as a consequence of all other things. Your organization invests in resources and infrastructure in order to be excellent at the operational perspective, to have results at the customer perspective translated into financial results. Your organization may need a certain level of profit to be sustainable or attractive to investors; you can start with a figure and see what level of sales, costs, and prices you need, and evaluate whether it is reasonable and attainable. Perhaps your organization concludes that it has to change its strategy in order to meet a certain level of profit.

    The following material will provide you with information about quality objectives:
    - ISO 9001 – How to Write Good Quality Objectives - https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
    - [free course] ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Evidences for competence


    Answer:

    According to ISO 27001, clause 7.2 (Competence), competences are based on appropriate education, training, or experience, which can be evidenced by means of certificates (e.g., ISO 27001 Lead Auditor or ISO 27001 Internal Auditor), registered hours of work on specific activities (in this case audits on ISO 27001 or other ISO management systems), and records of attended trainings.

    These articles will provide you with further explanation about evidencing competencies:
    - How personal certificates can help your company’s ISMS https://advisera.com/27001academy/blog/2014/10/06/how-personal-certificates-can-help-companys-isms/
    - What to look for when hiring a security professional https://advisera.com/27001academy/blog/2016/02/15/what-to-look-for-when-hiring-a-security-professional/

    These materials will also help you with internal audit issues:
    - ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
  • Incident response plan


    Answer:

    I'm assuming you are referring to the Incident Response Plan mentioned in section 3.4 of the Incident Management Procedure template. Considering that, first it is important to note that an Incident Response Plan is needed only if you have an incident where activities are disrupted for a time above what is considered acceptable by the business. If you have no situations like that, you do not have to develop an Incident Response Plan.

    In case an Incident Response Plan is needed, it must include actions to:
    - contain or stop the incident, in case it is still occurring
    - minimize the impacts of the incident
    - recover minimal service levels
    - recover normal operational conditions

    And of course, for each activity you have to define who will perform it.
  • Filling in the risk assessment table


    Answer:

    The lists of threats and vulnerabilities provided in the Risk Assessment Table template are to be used only as guidance during the assessment process, so you do not have to repeat all of them for each asset, only the ones which are relevant to each asset.

    By the way, included in the toolkit you bought you have access to a video tutorial that can help you to fill in the Risk Assessment Table, using real data as examples.
  • Annex A control owners


    Answer:

    Controls are implemented in terms of policies, procedures and technologies, which many times involve the application of several controls, so it makes more sense to define owners for these elements than for each control of the standard.

    In general, Top Management owns policies and procedures that are systematically applied to the organization (e.g., Information Security Policy and Information Classification Policy); policies and procedures which focus on people's behavior (e.g., Acceptable Use Policy and Disciplinary Process) are owned by the Head of HR; policies, procedures, and technologies which focus on IT-related technologies (e.g., Backup Policy) are owned by the Head of IT; policies, procedures, and technologies which focus on physical or non-IT-related technologies (e.g., physical access control) are owned by the Head of Operations or a similar role; and policies and procedures focused on legal compliance are owned by the Head of Legal (e.g., controls from section A.18.1). For small and mid-sized organizations which do not have so many roles, the person responsible for information security is the one who owns the controls.