Search results

  • Information Security Policy and Business Continuity Management Policy

    1 - Your Information Security Policy relates to the BCMP (red below), but can you please advise where this template is?

    Answer: You do not have to keep section 4.4 of the Information Security Policy if you don't have business continuity management implemented in your company, or you do not have plans to implement it together with ISO 27001. The Business Continuity Management Policy is not mandatory for ISO 27001 certification (even if controls from section A.17 of Annex A are applicable), so as not to unnecessarily increase customers' effort in managing the ISMS, this template is not included in the toolkit you bought.

    2 - During Certification, we are concerned the Business Recovery Plan may be too simplistic even for our small business. We have reviewed your tutorials, but still remain very unclear. We would appreciate your explanation here to help us move forward please.

    Answer: The Disaster Recovery Plan template included in your toolkit includes all requirements a certification auditor will look for during the certification audit, so if you followed all recommendations in the comments included in the template, your document will be fine for the certification audit. In any case, your toolkit includes the possibility to send us some of your documents so one of our experts can evaluate them and provide guidance on which adjustments you have to make, if any, so that your document is fully compliant with the standard.
  • Mandatory documents and production steps

    We are having an internal debate here regarding "Work Station Signage" requirements. That is, are assembly technicians "required" to initial & date when they complete a particular manufacturing sequence step? Currently we have not required technician signoffs, as it is "fairly" obvious whether or not the prior Sequence Step was completed correctly. Typically there are about 20-30 sequence steps to assemble the products we sell. At the very end, all products receive a Final Calibration report which basically indicates the product manufactured satisfies performance specifications.
    There is a group of individuals here that feel ISO 9001 requires workstation signage and there is a group of individuals here that is against it. I don't see the harm in having the signoffs, but I'm not an ISO expert and I'm not able to determine whether this is specifically required or not by the standard. Could you shed some light on this?

    Answer:
    The fast answer is: ISO 9001:2015 does not require workstation signage as long as that signage is just a confirmation of work done. If that workstation signage is used in your organization as a kind of quality control then it is required.

    The following material will provide you with information about mandatory documents:
    - ISO 9001 – List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Auditing risks and opportunities


    Answer:
    You can start by asking if the organization has determined its risks and opportunities. Even if they are not documented, you can check if different people in different places and moments are on the same page about risks and opportunities determination.

    Then you can ask how the organization determines which risks and opportunities are relevant and must be treated. Now is the time to request evidence of examples of actions, developed and implemented, to manage relevant risks and opportunities. Were those actions effective?

    And how does the organization monitor and review risks and opportunities?

    These are examples of the kind of questions you can ask to audit risks and opportunities.

    The following material will provide you with information about risks and opportunities:
    - ISO 9001 – How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Strategy Management


    Answer:
    Developing Service Strategy requires taking various views:
    - from business side
    - service oriented view
    - (internal) organization point of view
    That implies that a systematic approach needs to be taken. The Strategy Plan and process description will help you systematize activities. Take a look at the free preview of these documents:
    Strategy Management for IT Services Process https://advisera.com/20000academy/documentation/strategy-management-for-it-services-process/
    Strategy Plan https://advisera.com/20000academy/documentation/strategy-plan/

    Also, these articles can give you some hints:
    ITIL Service Strategy: What and Why of ITSM https://advisera.com/20000academy/knowledgebase/itil-service-strategy-itsm/
    ITIL Strategy Plan – Are you sure you have this document? https://advisera.com/20000academy/blog/2015/05/26/itil-strategy-plan-are-you-sure-you-have-this-document/
    ITIL strategy – Framing the value of services (part I) https://advisera.com/20000academy/blog/2014/11/11/itil-strategy-framing-the-value-of-services-part-i/
    Strategy Management for IT Services – holding your steering wheel https://advisera.com/20000academy/blog/2013/10/22/strategy-management-services-holding-steering-wheel/
  • Is updating mandatory?


    Answer:
    I will only consider ISO 9001:2015 and ISO 14001:2015 in my answer.

    ISO 9001:2015
    About being mandatory to update external and internal issues – the last phrase of clause 4.1 and clause 9.3.2 b) consider the principle that changes in the context may occur and that the organization must consider them.

    About being mandatory to update risk analysis – clause 6.1.1 says that organizations should consider external and internal issues when determining risks and opportunities. So, if external and internal issues are updated, it is plausible to conclude that at least some risks and opportunities can appear/disappear or become more or less critical. Also, clauses 9.3.2 e) and 10.2.1 e) can be seen as doors to consider the need to update risk analysis. Effective actions, for example, can change the priority of risks and opportunities, and nonconformities can make updating the risk register and risk classification necessary.

    ISO 14001:2015
    About being mandatory to update external and internal issues – clause 9.3 b) 1) considers the principle that changes in the context may occur and that the organization must consider them.

    About being mandatory to update risk analysis – clause 6.1.1 says that organizations should consider environmental aspects, compliance obligations and external and internal issues when determining risks and opportunities. So, if external and internal issues are updated, and if environmental aspects and compliance obligations are updated, it is plausible to conclude that at least some risks and opportunities can appear/disappear or become more or less critical. Also, clause 9.3 b) 4) can be seen as a door to consider the need to update risk analysis. Effective actions, for example, can change the priority of risks and opportunities.

    About being mandatory to update environmental aspects – Clause 9.3 b) 3) considers the possibility of changes among environmental aspects.

    Organizations are not separated from their context; they are immersed in it. If the context changes, organizations should update their context analysis and evaluation. Management systems are in part tools to manage risks, opportunities and environmental aspects. An effective management system, with its effective actions, should, as a consequence, generate the need to update the determination and evaluation of risks, opportunities and aspects.

    The following material will provide you with information about clause applicability:
    - ISO 9001 – How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    - ISO 14001 - Environmental aspect identification and classification - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/environmental-aspect-identification-and-classification/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Clause 8.3 applicability and outsourcing


    Answer:
    Even if your organization is outsourcing the design, it will still be responsible for ensuring that a process is followed and that ISO 9001 requirements are met. Outsourced processes are still applicable. But if your organization buys a particular design off the shelf, as finished specifications, non-applicability makes sense.

    The following material will provide you with information about clause applicability:
    - ISO 9001 – What clauses can be excluded in ISO 9001:2015? - https://advisera.com/9001academy/blog/2015/07/07/what-clauses-can-be-excluded-in-iso-90012015/2015/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • ISO certifications for cloud computing

    I was checking ISO/IEC 27017:2015, and wondering if I'm missing something.

    Answer:

    There are no specific ISO certifications for cloud computing. What you can consider is the implementation of specific controls of ISO 27017 in an ISMS (ISO 27001 already covers the general controls to also protect cloud services), if you have specific requirements (e.g., laws, regulations or contracts) demanding security controls for cloud environments.

    Additionally, I suggest you consider ISO 27018, the ISO standard related to protection of Personally Identifiable Information (PII), to fulfill potential requirements you have regarding the protection of customers' privacy.

    These articles will provide you with further explanation about ISO 27017 and ISO 27018:
    - ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
    - ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/
  • Risk assessment and the ISO 27001 Lead Implementer course

    Very helpful course
  • CE mark and ISO 13485 for medical device in EU


    Answer: In the EU context, the CE mark is part of the conformity assessment procedure; therefore, it actually takes priority over ISO 13485. Having ISO 13485 is more of a benefit.

    As a company dealing with medical devices, being ISO 13485 certified could provide added assurance that the company has a quality management system in place that can ensure the quality, safety and performance of the devices, as well as open up more opportunities for exporting the products.

    For more information, please refer to:

    Six key benefits of ISO 13485 implementation
    https://advisera.com/13485academy/knowledgebase/six-key-benefits-of-iso-13485-implementation/
  • Template content


    Answer:

    In the "Necessary manual controls" field you must list all controls identified as applicable that, for any reason, you cannot integrate into the information system you want to protect. For example, if you cannot perform automated output validation and this is a system security requirement, then you should implement it manually.

    It is not mandatory to fill in the "Necessary manual controls" field if all required controls can be automated into the information system.