Thank you for your helpful answer and advice. Besides, would you mind answering another question? This would be so kind of you. Now I'm filling in the document "Statement of Applicability". I'm kind of stuck a bit in the column "Reason for choosing / Reason for exclusion". I mean, I read Dejan's note that this gap is all about the results of the risk assessment and the contractual and legal obligations. But some controls our risk assessment didn't even touch. I know that we have to have a guideline above all. But what's the reason for choosing? (Cause we want to have the certificate. ;)) I wrote for now: "protection of information against internal and external threats, intentional and accidental." Or is it better, if you implement the control, to ALWAYS write (the same): "based on the results of the risk assessment, the contractual and legal obligations"?
Answer: If your risk assessment does not identify risks that justify the applicability of a control, then you should look for clauses in laws, contracts or standards you have to follow that may demand the application of such controls. In this case you may state "control applicable to comply with law/contract XXXX, clause YYYY".
If you still do not find legal requirements to justify control applicability, you can state "Control applicable because of a Top Management decision to follow industry/market best practices", or "Control applicable because of a Top Management decision to support a business objective".
You should note that you will hardly use the last examples (based on a top management decision), because generally there will be risks or legal clauses to support a control's applicability.
There is also now a need, I imagine, to revise your book to accommodate the publication by ISO of ISO 45001:2018 in March this year, and perhaps other standards mentioned in the content of the bibliography?
Answer: ISO 19011:2018 has just been released and we are already working on our book's update.
The main difference regarding ISO 19011:2018 is the addition of the risk-based approach to the principles of auditing, to reflect the enhanced focus on risk in both management standards and in the marketplace. But it is important to note that the risk-based approach is not mandatory for internal audits.
Other modifications refer to minor expansions on guidance related to managing an audit program, conducting an audit, competence requirements for auditors, and auditing concepts.
Regarding 45001 - it does not have any different requirements from other ISO standards like ISO 9001 or ISO 27001.
Implementing ISO 45001 in a manpower company
Answer:
ISO 45001 can be implemented in any company regardless of the type of business and its size. Implementing the standard in a manpower company wouldn't be much different than in any other company. The only difference is that you need to conduct the hazard assessment based on the activities for which you are providing the manpower to your clients and the type of operational controls you can apply, considering that the employees would be under the control of your customers. For example, if the customer has already established the OH&S controls, then your employees should apply those controls, but in a case like yours, the customers shouldn't have many objections to your operational controls (i.e. personal protective equipment, rules for working at heights, etc.).
The rest of the implementation process is the same as for any other type of business.
As far as I understand your question, I will tell you how I work when, as a consultant, I have to help an organization from an economic sector I have never worked in before. Pick a blank sheet of paper. Start with your customers: on the left side put "customers with needs" and on the opposite side put "customers served". What main stages can you identify between one extreme and the other? With the words that are most applicable to your organization you can write/draw a set of boxes with: Promoting the company - Winning customers or orders - Plan service (people, infrastructures, materials, …) - Provide service - Bill and receive. I call this central flow "The Ronaldo of the business". An organization exists for performing this flow, and the more they repeat it, the more they earn, the more everybody is happy.
To support this central flow you can identify other kinds of blocks of activities (processes), things like: Buying, Subcontracting, Maintenance, Training, Developing new products/services, even working with other interested parties that can influence customers or the business.
Now, for each block of activities (process) look for requirements in ISO 9001. For example: Buying is related to clause 8.4; Commercial is related to clause 8.2, and so on.
Did I understand your question? Did I help?
The following material will provide you with information about mapping processes:
A manufacturer of aerospace parts uses a material to assist in his process. The manufacturer notices a defect in this material. The supplier of the material identifies the defect, quarantines the defective material and issues a cause and corrective action report. The manufacturer rightfully rejects the material identified as defective BUT also all material associated with the sale lot number, even though the supplier has certified this material as within specification and not defective.
The bad parts manufacturer claims he MUST reject the entire lot based on AS9100 rules. Do you agree with the manufacturer’s position?
Answer:
An interesting question, but not an AS9100 requirement. Section 8.7 of AS9100 Rev D does not state that an entire lot needs to be rejected due to one bad part, and does not preclude sorting out the good parts from the bad ones in a lot for use. Section 8.4 on Control of externally provided processes, products and services also does not preclude the use of the acceptable products in a lot, nor does it state that you need to impose full lot acceptability on your suppliers.
That being said, there may be a customer requirement or an internal requirement to this effect, but it is not correct to attribute this strict control to AS9100.
For some other information on AS9100 Myths see this article: https://advisera.com/9100academy/blog/2017/08/21/6-common-myths-about-as9100-rev-d/
AS9100 Rev D Process Documentation
Answer:
AS9100 Rev D does not specify which operational procedures (section 8.5) need to be documented and which do not so long as the production processes are verified to meet requirements. So, the decision is up to you; if an all-inclusive process will prevent errors and meet requirements then this is acceptable, but if there could be a problem then you should do a separate procedure. This is valid, of course, unless you have a customer requirement that demands that you have a separate procedure.
For more on what is required for documentation in AS9100 Rev D see this white paper: https://advisera.com/9100academy/knowledgebase/list-of-mandatory-documents-in-as9100-rev-d/
SWOT analysis and internal & external issues
Answer:
SWOT analysis is not mandatory. SWOT analysis is a tool that an organization can use to assess its situation, either internally or externally. When working with an organization I help them list internal and external issues. Then, in order to make that information actionable, I invite them to distribute those issues among 4 categories: strengths, weaknesses, opportunities and threats. For example, yesterday I worked with a company that assembles a product for which legislation and social trends are making demand grow. So, legislation trends are an opportunity. And their difficulty in scaling production is a weakness.
The following material will provide you with information about SWOT and internal and external issues:
If our company doesn't implement the operational continuity management and Dejan says we should mention the person who is responsible for it: is it enough just to fill in the person who is responsible? Without a plan or guideline in which this person is mentioned?
Answer: If your company does not implement business continuity, but assigns personnel to contact authorities as required by control A.6.1.3, then you must fill in, in the implementation method, not only the responsible person, but also which authority this person can contact. For example, the Head of Facilities can contact Police and Emergency services, the CISO can contact security experts, etc.
Information security policies
Do I understand correctly that for a smaller company (~30) it is sufficient to have one detailed document in the form of the Acceptable Use Policy, and then it is not necessary anymore to fill out all the smaller ones as mentioned above? Or do you need both? I feel like they are somewhat redundant.
Thank you very much. Looking forward to your answer to move on quickly.
Answer: Your understanding is correct. If a single Use Acceptance Policy can fulfil your needs, you do not need to develop other policies.