Search results


  • Audit observations


    Answer:
    I have one problem with your question: what is an audit observation? ISO 19011:2018 does not define what an audit observation is. So, I would ask your certification body how they define an audit observation and what kind of answer they request, if any. For example, I am reading a certification body audit report where they include this statement in the audit report template: “The Observations are formulated with the purpose of improving the Management System and its effectiveness; do not require a response or notification from the Organization; and will be subject to re-evaluation in the next audit.”

    The following material will provide you information about audits:
    - ISO 9001 – How to deal with nonconformities in an ISO 9001 certification audit - https://advisera.com/9001academy/blog/2015/06/09/how-to-deal-with-nonconformities-in-an-iso-9001-certification-audit/
    - free online training ISO 9001:2015 Lead Auditor Course - https://advisera.com/training/iso-9001-lead-auditor-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • ISO 9001 and restaurant


    Answer:
    If you believe you need ISO 9001 certification, perhaps you could benefit from attending a course about ISO 9001:2015 content, another about implementing a quality management system, and another one about performing internal audits. In my experience with hotels with restaurants, they look for kitchen consistency regardless of which shift is working.

    The following material will provide you information about attending free courses:
    - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - ISO 9001:2015 Lead Implementer Course - https://advisera.com/training/iso-9001-lead-implementer-course/
    - ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
  • Filling toolkit templates


    Answer:

    Labeling can be adapted to organization needs, so you can remove it, but you have to consider that without labels the risks may increase, because it will be more difficult for people to identify the sensitivity of information and how to handle it properly. An alternative may be to have only two classification levels and label only the most sensitive information. This way you will reduce the need to label information.

    For more information, see: Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/

    2. About the document “A.9 access control” in 08 Annex A, can you guide us on how to fill in the user profile section?

    Answer:

    Here is an example for user profile:
    Name of system: Payroll module
    User rights: Include records and edit records
    Job titles have access rights according to this profile:
    • Payroll analyst

    Name of system: Payroll module
    User rights: Delete records
    Job titles have access rights according to this profile:
    • Payroll manager

    Name of system: Payroll module
    User rights: View records
    Job titles have access rights according to this profile:
    • All employees

    Network: Internal network
    User rights: Upload and download files
    Job titles have access rights according to this profile:
    • All employees
  • ISO 9001 in hospitals


    Answer:
    Several studies published in technical magazines show that quality management system implementation, according to the ISO 9001 standard, is useful for hospitals, as it can help to improve operational efficiency, reduce errors, increase patient safety and develop a more preventive approach instead of a reactive environment. Perhaps you can develop a value proposition around these topics.

    The following material will provide you more information about ISO 9001 implementation in hospitals:
    - ISO 9001 – Would hospitals benefit from ISO 9001? - https://advisera.com/9001academy/blog/2015/07/21/would-hospitals-benefit-from-iso-9001/
    - free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • ISO 9001 implementation


    Answer:

    Three topics: knowledge of ISO 9001, project management skills and leadership skills.
    There are no mandatory requirements concerning a particular function in an organization. Anyone can lead an ISO 9001 implementation project as long as he or she has:
    - knowledge of ISO 9001 in order to understand what is at stake in each clause;
    - project management skills in order to be able to plan, monitor and control a project involving different people with different priorities and motivations, together with scarce resources;
    - leadership skills in order to be able to overcome barriers, to handle conflicts, to get resources and to get top management attention. The need for these particular skills can be balanced by the existence of a Project Sponsor, someone not directly involved in the project but with authority and influence within the organization who can help the Project Manager.

    The following material will provide you information about implementing ISO 9001:
    - ISO 9001 – Checklist of ISO 9001 implementation & certification steps - https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
    - Project Plan for ISO 9001 implementation - https://info.advisera.com/9001academy/free-download/project-plan-for-iso-9001-implementation-ms-word
    - free online training ISO 9001:2015 Lead Implementer Course - https://advisera.com/training/iso-9001-lead-implementer-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Risk assessment and information security audit


    Answer: The information security risk assessment is about how to identify, analyse and evaluate risks, while the information security audit is about evaluating the degree to which requirements are being fulfilled.

    The information security audit is one of the means to assess if the information security risk assessment and risk treatment were performed as required (considering the ISO 27001 standard and other non-standard related requirements), and if its results (prioritized risks and implemented treatments) are achieving the expected results regarding the information security and business objectives.

    For more information, please read: Risk assessment vs. internal audit in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/12/08/risk-assessment-vs-internal-audit-in-iso-27001-and-iso-22301/

    2. What are an advantage and a disadvantage of an external as compared to an internal audit?

    Answer: Second-party audits (audits performed by external personnel for non-certification purposes) can bring more expertise and an unbiased view to the audit process than internal audits, but on the other hand they are more expensive, and the lack of internal specific knowledge may let the external auditors miss situations that are clear to internal auditors.

    Third-party audits (audits performed by certification bodies for certification purposes) can bring independent and worldwide recognized confidence that the organization fulfils the standard requirements (through certification issuing), which internal audits cannot provide, but they involve costs for certification maintenance.

    These articles will provide you further explanation about types of audits:
    - First-, Second- & Third-Party Audits, what are the differences? https://advisera.com/9001academy/blog/2015/02/24/first-second-third-party-audits-differences/
    - Dilemmas with ISO 27001 & BS 25999-2 internal auditors https://advisera.com/27001academy/blog/2010/03/22/dilemmas-with-iso-27001-bs-25999-2-internal-auditors/
  • Risk assessment


    Answer:

    In the Advisera toolkit you purchased you have all the templates you need to perform risk assessment according to ISO 27001. They are located in folder 05 Risk Assessment and Risk Treatment Methodology:
    - Risk_Assessment_and_Risk_Treatment_Methodology
    - Appendix_1_Risk_Assessment_Table
    - Appendix_2_Risk_Treatment_Table
    - Appendix_3_Risk_Assessment_and_Risk_Treatment_Report

    Also included in your toolkit you have access to video tutorials that can help you fill in the templates, with real data, and provide training for your team.
  • Inventory of assets table


    Answer:

    In case multiple risks are associated with an asset, then you must use the highest impact level associated with these risks. The purpose of the impact column is to give the organization a comprehensive view of the most relevant assets of the organization regarding information security. This can help you prioritize and allocate resources to protect information.
  • NIST and ISO


    Answer:

    NIST and ISO frameworks in fact complement each other. While NIST standards provide detailed guidance on controls implementation, ISO management standards provide guidance to ensure the implemented controls support the organization's main objectives, and are periodically reviewed, corrected and improved.

    These articles will provide you further explanation about NIST and ISO:
    - How to use the NIST SP800 series of standards for ISO 27001 implementation https://advisera.com/27001academy/blog/2016/05/02/how-to-use-the-nist-sp800-series-of-standards-for-iso-27001-implementation/
    - How to use NIST SP 800-53 for the implementation of ISO 27001 controls https://advisera.com/27001academy/blog/2016/05/10/how-to-use-nist-sp-800-53-for-the-implementation-of-iso-27001-controls/
  • Security tools


    Answer:

    It's our policy not to make recommendations about specific tools, since the selection of a tool will depend on specific requirements and needs of each organization.

    Regarding steps to protect users accounts, the most important is to establish an access control policy covering among other things:
    - Periodic change of passwords
    - Periodic review of users' access and activities
    - Use of different passwords for each account

    These articles will provide you further explanation about access control:
    - How to handle access control according to ISO 27001 https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/
    - How two-factor authentication enables compliance with ISO