I'm assuming that by unplanned you mean unpredictable, since if something is unplanned then you did not devise any action to be performed, while if something is unpredictable some aspects of the situation are unknown (e.g., what will happen, when it will happen, the magnitude, etc.).
Considering that, and the fact that you mentioned natural disasters, BCP measures to be considered include implementing your continuity operations in a location that is far from the area hit by the event. For example, if historically earthquakes have a 50 km radius of impact, then your secondary operations should be at a distance greater than that. Another issue to be considered is the continuity of your supplies (e.g., regular suppliers have secondary locations, or you can hire new suppliers).
I think you are referring to ISO 27002, which provides details and guidance on the implementation of ISO 27001 Annex A controls. ISO 27005 provides guidance on information security risk assessment, the main pillar of ISO 27001.
For more articles about controls you can use the number of the control or the main key words of the control (e.g., information classification, etc.) in the search tool on our pages.
Answer:
Normally, organizations want to reduce variability; they want to provide the same outcome independently of who performs it. We don't want to go to a restaurant, for example, and like or dislike the same dish according to who is in the kitchen. A plant manager doesn't want to have products coming out of the production line according to who is working. Organizations want, and customers expect, consistency.
Using the same documentation in an organization promotes internal standardization, internal consistency. Besides using the same documentation, it is important to control that documentation to ensure that it is updated and distributed to those who need it. For example, person A has a Work Instruction about how to package a product. That person goes on holiday and, when returning, continues to follow the Work Instruction. In the meantime, the Work Instruction was updated and everybody is packaging the products according to the new version, but person A, due to lack of document control, is still using the outdated version and packaging the old way. Now, imagine that the packaging instructions were changed due to a new customer requirement. The organization is going to receive a complaint.
Yes, you can use ISO 31000 (principles and guidelines for Risk Management (RM)) as an aid in developing the risk management process. This standard gives a structure of the best practices for risk management. The objective of ISO 31000 is to empower all the strategic tasks, management and operations of a company through functions, projects and processes aligned to a common set of goals on risk management.
ISO 9001:2015 does not require organizational charts; however, the standard states that authorities need to be defined. Many organizations use organizational charts as a way to determine authorities, because they show the authorities in a clear manner. Therefore, using organizational charts to which you add names and job titles could be a good way to comply with the requirement. You will also need to update those organizational charts regularly.
Also, keep in mind that the quality manual is not mandatory anymore in the new ISO 9001, so you can decide whether to use an organizational chart and, in that case, whether or not to include it in a manual.
Procedure for non conformity and corrective action
Answer:
You can follow the steps below:
1) Establish how to report the nonconforming product or service and determine who will consider it
2) Determine what to do with the nonconforming product or service, such as marking or storing it.
3) Set how to deal with the nonconforming outputs using different methods like correction, return, reuse, etc.
4) Determine the criteria to decide if a corrective action is appropriate
5) Implement the corrective action
A procedure is the specified way to carry out activities making up a process, while an instruction describes the sequence of steps to conduct the tasks making up an activity.
Regarding the documented information, the standard differentiates between documented information to be maintained, commonly known as procedures, and documented information to be retained, known as records.
In relation to the structure of the documentation, although it is not mandatory, you can follow this documentation hierarchy, represented as a pyramid: 1) manual, 2) policy, 3) procedures, 4) work instructions, 5) records.
If we take some examples of the asset list we could easily do a risk assessment of the building or the server room and come to the same risks, e.g. threat: theft and vulnerability: inadequate procedure for protecting the "keys"; or threat: interruption of power supply, vulnerability: old "UPS" with no maintenance, etc.
I can come up with many other examples such as air-conditioning, alarm etc., as the risks could be found with other related assets. How should we deal with this? I suppose it doesn't matter? As long as we identify the risks?
Answer:
The lists provided in the templates are only suggestions for you to use if you can't come up with your own elements, so you can use only your own assets, threats and risks to build your inventory and risk assessment (it seems to me from your examples that you have already understood the concepts for performing a risk assessment).
It is important to note that you can also group the assets if threats/vulnerabilities are similar.
Answer:
What is your primary purpose? It is not clear from the question:
1. Do you need to convince top management that your organization needs to certify?
2. Do you need to convince top management that you are the right person to lead the certification project, already with a go decision?
If your situation is 1, I advise you to tell them about the advantages of certification for the organization. Use their language and motivation: profit, market share, new customers, ...
If your situation is 2, tell them about the advantages of you being the leader of the certification project: your motivation, your knowledge of the organization and its people, your experience, and, if you can imagine that they will point out your weak points, be prepared to present them a list of actions that you will execute to minimize them.
For both situations you can try to find a sponsor, someone with influence over top management that can be your ally.
In the courses we talk about compliance obligations with reference to these two sections, 6.1.3 (compliance obligations) and 9.1.2 (evaluation of compliance). Environmental obligations and legal requirements will vary depending on the country, state and even local regulations, so it is not feasible to cover this topic in the course. Usually this kind of information is available and easy to obtain from your local authorities.