  • Smart objectives

    1. To establish and implement a quality management system.
    2. To allocate appropriate resources, responsibility and authority across the company organization.
    3. To achieve ZERO complaints from our customers.
    4. To deliver ZERO defective products to our customers.
    5. To have proper control over the cost of (poor) quality.
    6. To deliver our products on-time as per the agreed schedule with our customers.
    7. To constantly build competencies to raise our organization’s performance.
    Since we need to have SMART objectives, can you advise how I can interpret them to show that we have achieved the objective?

    Answer:

    As you mentioned, objectives should be designed to be S.M.A.R.T. (specific, measurable, achievable, realistic and time-based), so it is important that you first review them in order to make them truly S.M.A.R.T. For instance:
    - S - Specific - The objective should be focused on only just one thing. For instance, "To have proper control over the cost of (poor) quality" is not specific; you should specify, for example, which processes need to be controlled or what costs.
    - M - Measurable - It should be possible to measure whether or not you achieve the objective. For instance, "deliver our products on-time" is too general; you should specify how much you will improve that delivery, for instance up to 99% delivered within 48 hours.
    - A - Achievable - The objective should be within your capabilities, i.e., is the ZERO stated in two of the objectives really achievable? Maybe you can establish a decreasing %, from 5% to 2%.
    - R - Relevant - The objective should be something of importance. I think your objectives already meet this condition.
    - T - Timed - There should be a timescale or deadline for achievement of the objective. An objective needs to have a time associated with it, for example within the next year.

    Setting the objectives this way, you will be able to evaluate whether you have already met them or not.

    To learn more about quality objectives, see these materials:
    - Article - How to write good quality objectives: https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
    - Book – Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - ISO 9001:2015 Foundations Course: https://advisera.com/training/iso-9001-foundations-course/
  • Effectiveness of actions


    Answer:

    As it is stated in our procedure for Addressing Risks and Opportunities, you need to evaluate the actions taken for addressing risks and opportunities. You can monitor and measure the actions by analysing and evaluating the data gathered in order to determine their effectiveness. Your organization can use different methods to do that, such as Key Performance Indicators, business metrics, internal audits, monitoring of corrective actions and action plans, and subsequent reporting into management reviews.

    To learn more about risks and opportunities in ISO 9001:2015 you can use the following materials:
    - Article: https://advisera.com/9001academy/blog/2017/10/10/does-iso-9001-require-a-procedure-for-addressing-risks-and-opportunities/
    - Article: https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    - Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - ISO 9001:2015 Foundations Course: https://advisera.com/training/iso-9001-foundations-course/
  • Documentation update


    Answer:

    The publication of documentation has the purpose of making the people who need it aware of it and able to access it when needed. So, to fulfill requirement 7.5.3 (Control of documented information), every time a policy or procedure is revised/modified, or when a new one is created, it has to be published according to defined practices.

    This material will also help you regarding document control:
    - Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
  • Physical security and human resources policies templates


    Answer:

    Included in your toolkit there is a List of Documents file that correlates each template with the clauses and controls of ISO 27001.
    Related to physical security and human resources policies, the toolkit has the following templates:
    - Acceptable Use Policy, located in folder 08 Annex A, A.8 Asset management
    - Clear Desk and Clear Screen Policy, located in folder 08 Annex A, A.11 Physical and environmental security
    - Disposal and Destruction Policy, located in folder 08 Annex A, A.11 Physical and environmental security
    - Procedures for Working in Secure Areas, located in folder 08 Annex A, A.11 Physical and environmental security
    - Supplier Security Policy, located in folder 08 Annex A, A.15 Supplier relationships

    These templates cover requirements for sections A.7 (Human resource security) or A.11 (Physical and environmental security), depending on the template purpose.
  • ISO and COBIT


    1 - If my company is required to follow both standards, ISO and COBIT, what will the effect be on the IT Risk Management Process? Which standard should I follow to implement IT Risk Management?

    Answer: ISO and COBIT requirements for risk management are very similar (identify, analyse, evaluate and treat the risks), the difference being that for ISO 27001 you have to consider the effects of risks on information (in terms of confidentiality, integrity, and availability), while for COBIT you have to consider risks to IT assets (e.g., hardware and software) that are not related only to information (e.g., risks related to operational performance or cost efficiency). Considering that, if you follow both standards, your IT Risk Management Process will have to include evaluation criteria related to information security, and assess and treat risks also considering how the affected IT assets will impact information.

    Regarding implementation, ISO 27001 only requires the definition of a methodology, while COBIT also provides details about risk management, so you can use the COBIT approach.

    For more information, please read: How to integrate COSO, COBIT, and ISO 27001 frameworks https://advisera.com/27001academy/blog/2016/10/10/how-to-integrate-coso-cobit-and-iso-27001-frameworks/

    2 - I have many assets and applications in my company. I want to do IT risk management on some assets and applications following ISO 27001:2013, and do the IT risk management for the remaining assets and applications later. I wonder whether, if I do it like this, the SoA remains the same or is different?

    Answer: The SoA covers the controls applicable to treat risks related to information security, so if the IT risk assessment you perform later does not identify additional risks (please review the previous answer) that can affect information, then the SoA will not change. On the other hand, if a risk affecting an IT asset will also impact information, and this risk is considered unacceptable and you have to implement a new control, listed or not in ISO 27001 Annex A (e.g., a control required by COBIT), then this situation will require you to change your SoA (you can include in the SoA controls not listed in ISO 27001 Annex A if these controls will treat information security related risks).

    For more information, please read: The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

    3 - Could you please explain and give an example related to Quantitative and Qualitative term of risk assessment?

    Answer: In qualitative risk assessment, the focus is on interested parties’ perceptions about the probability of a risk occurring and its impact on relevant organizational aspects (e.g., financial, reputational, etc.). This perception is represented in scales such as “low – medium – high” or “1 – 2 – 3,” which are used to define the risk’s final value.

    In quantitative risk assessment, the focus is on factual and measurable data, with highly mathematical and computational bases, to calculate probability and impact values, normally expressing risk values in monetary terms.

    This article will provide you further explanation, and detailed examples about quantitative and qualitative risk assessment:
    - Qualitative vs. quantitative risk assessments in information security: Differences and similarities https://advisera.com/27001academy/blog/2017/03/06/qualitative-vs-quantitative-risk-assessments-in-information-security/

    This material will also help you regarding risk assessment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
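    The difference between the two methods described in the answer above, as an added example that is not part of the original answer or of any Advisera material: four constructed risks are scored once on a 1–3 likelihood × impact scale (qualitative) and once as Annualized Loss Expectancy, ALE = SLE × ARO (quantitative). The risk names, scale values, monetary figures and the two acceptance thresholds are all assumptions made for illustration; the point it shows is that the two methods can rank the same risks differently and flag different ones as unacceptable, which is why the acceptance criteria must be defined for whichever method the organization uses.

```python
"""Constructed example: the same risks assessed qualitatively and quantitatively.

Qualitative : likelihood and impact on a low/medium/high (1/2/3) scale, risk = likelihood * impact.
Quantitative: Annualized Loss Expectancy (ALE) = Single Loss Expectancy (SLE) * Annual Rate of Occurrence (ARO).
Every figure below is invented for illustration; thresholds are assumed acceptance criteria.
"""
from dataclasses import dataclass

# Qualitative scale as used in the answer ("low - medium - high" or "1 - 2 - 3").
SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str   # qualitative perception: low / medium / high
    impact: str       # qualitative perception: low / medium / high
    sle: float        # quantitative: expected loss per single incident (currency units)
    aro: float        # quantitative: expected number of incidents per year


def qualitative_score(risk: Risk) -> int:
    """Risk value on the 1..9 scale produced by multiplying the two 1..3 ratings."""
    return SCALE[risk.likelihood] * SCALE[risk.impact]


def quantitative_ale(risk: Risk) -> float:
    """Annualized Loss Expectancy in monetary terms."""
    return risk.sle * risk.aro


def _scorer(method: str):
    if method == "qualitative":
        return qualitative_score
    if method == "quantitative":
        return quantitative_ale
    raise ValueError(f"unknown method: {method}")


def rank(risks, method: str):
    """Risk names ordered from highest to lowest value under the given method (stable for ties)."""
    return [r.name for r in sorted(risks, key=_scorer(method), reverse=True)]


def unacceptable(risks, method: str, threshold):
    """Risks whose value exceeds the (assumed) acceptance threshold and therefore need treatment."""
    score = _scorer(method)
    return [r.name for r in risks if score(r) > threshold]


# Constructed sample risk register (all values invented).
RISKS = [
    Risk("Laptop theft (unencrypted disk)", "medium", "high", sle=20_000, aro=0.5),
    Risk("Ransomware on file server",       "low",    "high", sle=250_000, aro=0.1),
    Risk("Phishing of finance staff",       "high",   "medium", sle=5_000, aro=3.0),
    Risk("Office printer outage",           "high",   "low",  sle=200, aro=6.0),
]

if __name__ == "__main__":
    for r in RISKS:
        print(f"{r.name:36} qualitative={qualitative_score(r)}  ALE={quantitative_ale(r):,.0f}")
    print("Qualitative ranking :", rank(RISKS, "qualitative"))
    print("Quantitative ranking:", rank(RISKS, "quantitative"))
    # Assumed acceptance criteria: qualitative value above 4, or ALE above 10,000 per year.
    print("Unacceptable (qualitative > 4):", unacceptable(RISKS, "qualitative", 4))
    print("Unacceptable (ALE > 10,000):   ", unacceptable(RISKS, "quantitative", 10_000))
```

    Running it shows the ransomware risk sitting at the bottom of the qualitative ranking (a "low" likelihood keeps its value at 3, below the assumed threshold) while it tops the quantitative ranking with the highest ALE; the laptop-theft risk is the reverse case. Neither result is wrong, they simply answer different questions, so the SoA consequences discussed in the previous answer depend on which method and which acceptance criteria the organization has formally adopted.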
  • IT strategy


    Answer:

    Neither ISO 27001 nor the EU GDPR requires the documentation of an IT Strategy, so there is no such template included in the toolkit, so that organizations are not overwhelmed by non-required documents.

    For your specific need, I suggest you take a look at the free demo of our Strategy Plan at this link: https://advisera.com/20000academy/blog/2015/05/26/itil-strategy-plan-are-you-sure-you-have-this-document/
    This article will provide you further explanation about IT strategy:
    - ITIL Strategy Plan – Are you sure you have this document? https://advisera.com/20000academy/blog/2015/05/26/itil-strategy-plan-are-you-sure-you-have-this-document/
  • Applicable standards to comply

    Service is considered a type of product. Therefore, ISO 13485 would be appropriate for you.

    For further information feel free to look at the following article:
    - Checklist of ISO 13485 implementation and certification steps: https://advisera.com/13485academy/knowledgebase/checklist-of-iso-13485-implementation-and-certification-steps/
  • AS9100 Root Cause & CA


    Answer:
    Giving generic root causes and corrective actions is difficult because, when the corrective action process is done well, it needs to be very specific to the systemic problem that was faced. For instance, if you were investigating an error in the design of a part, you may find that there was a root cause problem with the calculations caused by an input error in the program, and the corrective action would be to correct the drawing and put in a better check system for the inputs. However, if you found that the root cause was due to a previously unidentified problem in the calculation system, you may need to take action to put in place the temporary check procedures and the system corrections and updates necessary to address this risk, which could entail a very lengthy implementation plan.

    For a better understanding of how the corrective action process differs from improvement, see this article, “Corrective actions vs. continual improvement in AS9100”: https://advisera.com/9100academy/knowledgebase/corrective-actions-vs-continual-improvement-in-as9100/
  • ITGC


    Answer:

    IT General Controls are controls that are common to IT processes, providing stable and effective operation of application controls. They cover fields like creation/acquisition of systems, the SDLC process, access control, backup, change control, etc. ISO 27001 is one way to implement ITGC, providing objectives and, through ISO 27002, detailed implementation guidance.

    For more information, please see:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    2. What is the difference between external and internal auditors, and in practice how does the internal auditor assist the external auditor?

    Answer:

    The internal auditor performs audits on behalf of the organization that owns the management system, while the external auditor performs audits on behalf of an organization's client (second-party auditor) or a certification body (third-party auditor). Normally the internal auditor may act as the guide for the external auditor, providing some general orientation for the performance of the external audit.

    These articles will provide you further explanation about auditors:
    - How to become ISO 27001 Lead Auditor https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
    - Qualifications for an ISO 27001 Internal Auditor https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/
    - First-, Second- & Third-Party Audits, what are the differences? https://advisera.com/9001academy/blog/2015/02/24/first-second-third-party-audits-differences/
  • Change policy


    Do you think it is possible to exclude A.12.1.2 for this area from our applicable controls without losing the certification status?

    Answer:

    If I understood correctly, the only issue in your current change process is about raising the change in advance. Considering that, the standard requires you to control changes, not necessarily to "raise" them in advance, so there is no need to exclude the whole control (you can exclude only the "raise in advance" part).
    To exclude a control you have to demonstrate that this exclusion won't give rise to unacceptable risks, nor mean failing to fulfill contracts, laws or other legal requirements with which your organization must be compliant.

    If you can satisfy these conditions, this exclusion will not affect the ISO 27001 certification (but it does not seem to be your case).

    This article will provide you further explanation about controls applicability:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/