Search results

  • Evaluating opportunities


    Answer:
    For example, a matrix that relates “Effort” and “Consequences”.

    With “Effort” we measure the degree of effort needed to exploit an opportunity. With “Consequences” we measure the degree of return that can give an improvement in productivity, sales or quality performance.

    We look for opportunities that with a low effort give a high return, for example.

    The following material will provide you with information about the classification of opportunities:

    - ISO 9001 – How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Evidences on organizational knowledge


    Answer:

    First, what does your organization consider organizational knowledge?

    I like to think about organizational knowledge as:

    1) what the organization knows it knows

    2) what the organization does not know that it knows

    This can be handled by human resources and is about training, coaching by experienced workers, and experience.

    If an auditor asked for evidence of this type, I would show training and coaching records for new employees or employees that changed roles.

    3) what the organization knows it does not know

    This can be handled with the help of external training, suppliers, books and technical magazines, for example, and can be performed by several internal functions.

    If an auditor asked for evidence of this type, I would show evidence of learning that occurred due to study, external training, reports from suppliers, reports from investigations, and reports from improvement projects.

    4) what the organization does not know that it does not know

    This can be handled by different internal functions that maintain a kind of radar surveying relevant potential new knowledge with the help of books, magazines, blogs, conferences, networking, suppliers, …

    I would show evidence of any case that could demonstrate this last case. For example, some years ago, I was working in a process engineering team in the chemical industry. One afternoon, one of my colleagues, reading a technical magazine, started to comment about a new kind of material for storage silos. Rapidly, we in the room started a kind of brainstorm about benefits and drawbacks. After that, my colleague contacted the manufacturer, requested technical information and presented it to our board of directors. After some calculations, it was easy to conclude that the new material had a lot of advantages. We used it in the next plant expansion.

    The following material will provide you with information about internal audits:

    - ISO 9001 – How to manage knowledge of the organization according to ISO 9001 - https://advisera.com/9001academy/blog/2016/08/30/how-to-manage-knowledge-of-the-organization-according-to-the-iso9001/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Most important documentation


    Answer:
    The question is much too broad to be able to provide you with an exact answer. However, given the sector in which you are active, I think that one of your first priorities would be:

    - Setting up your privacy notices;
    - Establishing the “Inventory of processing activities” (art. 30 of the EU GDPR – “Records of processing activities” - https://advisera.com/eugdpracademy/gdpr/records-of-processing-activities/)
    - Data Protection Impact Assessments;
  • Document control template


    Does the Retention time mean that all entries related to the ISMS that are in the mail register (in our case our CRM) have to be deleted after X (three) years or ALL registrations which are older than three years. Moreover why should you want to delete entries of documents that may still be relevant? I find this document retention situation where mail is concerned very very confusing.

    Answer: The retention time refers to entries related to the ISMS only, and it must be defined considering precisely the time frame during which you consider that information will be relevant to the organization. For example, if you consider that the information in your incoming mail register will only become irrelevant after 5 years, then you must define the retention time as 5 years. Issues you should consider when defining the retention time are business objectives and contractual or legal clauses.

    This article will provide you with further explanation about document control:
    - Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/

    These materials will also help you regarding document control:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Awareness in IMS

    1. How should top management promote the use of process approach and risk based thinking?
    2. How should the organization’s communication process enable people doing work under the organization’s control to contribute to the IMS and its continual improvement?

    Answer:

    1. Showing the importance of their involvement in the implementation project and in the use of the process approach and risk-based thinking, as well as ensuring that all employees at a lower level have a channel where they can feed their opinions upwards for consideration by the management team.

    To learn more about risk-based thinking you can see this article - Risk-based thinking replacing preventive action in ISO 9001:2015: https://advisera.com/9001academy/knowledgebase/risk-based-thinking-replacing-preventive-action-in-iso-90012015-the-benefits/

    For more information about process approach in IMS, see these articles:
    - ISO 9001: the importance of the process approach: https://advisera.com/9001academy/blog/2015/12/01/iso-9001-the-importance-of-the-process-approach/
    - Application of the process approach in ISO 14001 implementation: https://advisera.com/14001academy/blog/2017/01/30/application-of-the-process-approach-in-iso-14001-implementation/

    2. You can organize an awareness session with the employees of your organization explaining the benefits and myths of implementing IMS and the importance of their involvement in the project.

    You can download these presentations to help you with preparing the awareness sessions:
    - Why ISO 9001:2015: Awareness presentation: https://info.advisera.com/9001academy/free-download/why-iso-9001-2015-awareness-presentation
    - Why ISO 14001:2015: Awareness presentation: https://info.advisera.com/14001academy/free-download/why-iso-14001-awareness-presentation

    To learn more about awareness in IMS, see these articles:
    - How to ensure competence and awareness in ISO 9001: 2015: https://advisera.com/9001academy/knowledgebase/how-to-ensure-competence-and-awareness-in-iso-90012015/
    - ISO 14001 competence, training and awareness: Why are they important for your EMS? https://advisera.com/14001academy/blog/2014/11/26/iso-14001-competence-training-awareness-important-ems/
  • Risk register and incident register


    Answer: An incident should be recorded separately, because this has really happened (the risk has materialized), while a risk is a potential occurrence (registering them together may cause confusion). Information to be recorded should not be limited to the event identified, but should also contain information about how it was treated, so this record can be used as a reference in the future.

    These articles will provide you with further explanation about risk management and incident management:
    - How to handle incidents according to ISO 27001 A.16 https://advisera.com/27001academy/blog/2015/10/26/how-to-handle-incidents-according-to-iso-27001-a-16/
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    These materials will also help you regarding risk management and incident management:
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • ISO 27001 and GDPR Implementation


    1. ISO 27001 foundation course;
    2. ISO 27001 internal auditor course;
    3. EU GDPR foundations course; and
    4. EU GDPR Data Protection Officer course.

    Therefore, I would appreciate a response to the following questions:

    1. How many months or years does it take to implement both standards as an integration?
    2. Could a small to mid-size company such as a Data Center meet compliance in 5 months with 1 person doing the project?

    Answer: For both questions, the time to implement ISO 27001 will depend on many variables, like the size of the organization, the complexity of the scope, the resources available (including people doing the project), etc., but in general, for small and medium-sized organizations the implementation duration can vary from 3 to 12 months. When considering an integrated implementation with GDPR, you should consider 10% to 20% more time to account for the specificity of the GDPR.

    To have an estimate based on your organization's context, I suggest you take a look at our free ISO 27001/ISO 22301 Duration Calculator at this link: https://advisera.com/27001academy/free-tools/free-calculator-duration-of-iso-27001-iso-22301-implementation/

    These articles will provide you with further explanation about ISO 27001 and GDPR implementation:
    - What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
    - How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/

    These materials will also help you regarding ISO 27001 implementation:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Procedures documentation


    My question is about the four documented procedures: a procedure for the control of documents, a procedure for internal ISMS audits, a procedure for corrective action, and a procedure for preventive action. Should the Risk Assessment and treatment be a documented procedure? Is it mandatory?

    Answer: These 4 procedures you mentioned were mandatory according to the previous revision of the standard, but they are not mandatory according to the latest revision of ISO 27001. However, the organization can document these procedures if it considers they will help fulfil the ISMS objectives.

    ISO 27001 says it is mandatory to document risk treatment process, and this is usually done through the Risk assessment & treatment methodology.

    This article will provide you with further explanation about mandatory documents and records for ISO 27001:
    - List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
  • Annex A related non-compliances


    Do the inspectors write the findings in the relevant Annex A as evidence, indicating the nonconformities they have identified from Annex A? For example, does the auditor specify "A.9.4.4 by using the number 9.9.4, or by associating it with one of the first 10 items of the standard" in relation to the use of privileged support programs?

    Answer: We are unaware of any such IAF recommendations about ISO 27001 audits, but what I can tell you is that non-conformity statements must be as precise as possible, and if an auditor can state directly a control from ISO 27001 Annex A, then he should do it to make the understanding and resolution of the non-conformity easier.

    What is common is that, when applicable, the auditor states both controls from Annex A and requirements from the main sections of the standard. For example, non-conformities related to control A.7.2.2 (Information security awareness, education and training) may also be associated with non-compliance with requirement 7.2 Competence.
  • Password complexity


    Answer: ISO 27001 does not specify requirements for password complexity, so organizations are free to adopt criteria that better suit them. ISO 27002, a supporting standard which provides recommendations and guidance for implementation of ISO 27001 Annex A controls, suggests passwords that are:
    - easy to remember;
    - not based on anything somebody else could easily guess or obtain using information like names, telephone numbers and dates of birth etc.;
    - not based on words included in dictionaries;
    - free of consecutive identical characters;
    - made of numeric and alphabetic characters.

    These materials will also help you regarding defining passwords:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
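    A small checker that turns the ISO 27002 suggestions in the answer above into a program, as an added example that is not part of the original answer; the word list and the personal-information values are constructed assumptions, and "easy to remember" is left to the user because no program can judge it.

```python
import re

# Constructed stand-in for a real dictionary word list (assumption: a real
# deployment would load a full word list instead of this handful of words).
DICTIONARY = {"password", "welcome", "summer", "company", "admin", "secret"}


def _tokens(item):
    """Split a personal-information value such as 'Alice', '555-0123' or
    '1990-05-14' into the fragments someone could reuse in a password: letter
    runs, digit runs, and the whole value with separators removed."""
    text = str(item).lower()
    parts = re.findall(r"[a-z]+|\d+", text)
    return {p for p in parts + ["".join(parts)] if len(p) >= 4}


def check_password(password, personal_info=()):
    """Evaluate a candidate password against the ISO 27002 suggestions listed
    above. Returns the list of failed criteria; an empty list means it passed.
    'Easy to remember' cannot be checked by a program and is left to the user."""
    failures = []
    low = password.lower()
    squashed = re.sub(r"[^a-z0-9]", "", low)

    # Made of numeric and alphabetic characters: require at least one of each.
    if not (re.search(r"[a-zA-Z]", password) and re.search(r"\d", password)):
        failures.append("needs both letters and digits")

    # Free of consecutive identical characters, e.g. "ss" or "11".
    if re.search(r"(.)\1", password):
        failures.append("consecutive identical characters")

    # Not based on dictionary words: every run of letters is looked up.
    for word in re.findall(r"[a-z]+", low):
        if word in DICTIONARY:
            failures.append(f"contains dictionary word '{word}'")

    # Not based on personal information: names, phone numbers, dates of birth.
    for item in personal_info:
        if any(tok in squashed for tok in _tokens(item)):
            failures.append(f"contains personal information '{item}'")

    return failures
```

    Pass the user's known details (name, phone number, date of birth) as `personal_info` so the check rejects passwords built from them; separators such as dashes are ignored when matching.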