Business continuity in ISO 27001 covers only the continuity of the information security management and the continuity of information security.
2. What is the basic difference in business continuity in ISO 27001 and ISO 22301?
Answer:
While ISO 27001 covers the continuity of the information security management (e.g. information security chain of command and communication processes) and the continuity of information security (i.e., operation of security controls, like access control and change management), ISO 22301 covers the continuity of the delivery of products and services, as well as the continuity of critical business operations.
ISO 20000 and ITIL focus on IT services, and one aspect of IT services is the protection of the information that is transmitted, stored and/or processed by information systems, and that is the point where you can use ISO 27001, the management standard which handles information security. In the opposite direction, ISO 27001 handles the protection of information regardless of its format and where it is, and when dealing with information on information systems you can use ISO 20000 and ITIL to support the planning, implementation, operation, control, and improvement of IT-related security controls.
Besides the asset-based methodology, you can also use a process-based methodology and a scenario-based methodology. For additional information about risk assessment approaches I suggest you take a look at ISO 31010, the ISO standard for risk management techniques. You can buy this standard at this link: https://www.iso.org/standard/51073.html
I'm assuming that by unplanned you mean unpredictable, since if something is unplanned then you did not devise any action to be performed, while if something is unpredictable, some aspects of the situation are unknown (e.g., what will happen, when it will happen, the magnitude, etc.).
Considering that, and the fact that you mentioned natural disasters, BCP measures to be considered are implementing your continuity operations in a location that is far from the area hit by the event. For example, if historically earthquakes have a 50km radius of impact, then your secondary operations should be at a distance greater than that. Another issue to be considered is the continuity of your supplies (e.g., regular suppliers have secondary locations or you can hire new suppliers).
I think you are referring to ISO 27002, which provides details and guidance on the implementation of ISO 27001 Annex A controls. ISO 27005 provides orientation for information security risk assessment, the main pillar of ISO 27001.
For more articles about controls you can use the number of the control or the main keywords of the control (e.g., information classification, etc.) in the search tool on our pages.
Answer:
Normally, organizations want to reduce variability; they want to provide the same outcome independently of who performs it. We don't want to go to a restaurant, for example, and like or dislike the same dish according to who is in the kitchen. A plant manager doesn't want to have products coming out of the production line according to who is working. Organizations want, and customers expect, consistency.
Using the same documentation in an organization promotes internal standardization, internal consistency. Besides using the same documentation, it is important to control that documentation to ensure that it is updated, and that it is distributed to those who need it. For example, person A has a Work Instruction about how to package a product. That person goes on holidays and, on returning, continues to follow the Work Instruction. In the meantime, the Work Instruction was updated, and everybody is packaging the products according to the new version, but person A, due to lack of document control, is still using the outdated version and packaging the old way. Now, imagine that the packaging instructions were changed due to a new customer requirement. The organization is going to receive a complaint.
Yes, you can use ISO 31000 (principles and guidelines for Risk Management (RM)) as an aid in developing the risk management process. This standard gives a structure of the best practices for risk management. The objective of ISO 31000 is to empower all the strategic tasks, management and operations of a company through functions, projects and processes aligned to a common set of goals on risk management.
ISO 9001:2015 does not require organizational charts; however, the standard states that authorities need to be defined. Many organizations use organizational charts as a way to determine authorities, because they show the authorities in a clear manner. Therefore, using organizational charts where you add names and job titles could be a good way to comply with the requirement. You will also need to update those organizational charts regularly.
Also, keep in mind that the quality manual is not mandatory anymore in the new ISO 9001, so you can decide whether to use an organizational chart and, in that case, whether or not to include it in a manual.
Procedure for nonconformity and corrective action
Answer:
You can follow the steps below:
1) Establish how to report the nonconforming product or service and determine who will consider it
2) Determine what to do with the nonconforming product or service, such as marking or storing it.
3) Set how to deal with the nonconforming outputs using different methods like correction, return, reuse, etc.
4) Determine the criteria to decide if a corrective action is appropriate
5) Implement the corrective action
A procedure is the specified way to carry out activities making up a process, while an instruction describes the sequence of steps to conduct the tasks making up an activity.
Regarding the documented information, the standard distinguishes between documented information to be maintained, commonly known as procedures, and documented information to be retained, known as records.
In relation to the structure of the documentation, although it is not mandatory, you can follow this documentation hierarchy represented as a pyramid: 1) manual, 2) policy, 3) procedures, 4) work instructions, 5) records.