Answer: ISO 27001 only requires the definition of necessary competencies for persons that affect its information security performance. Considering that, only the persons that handle the information you want to protect must be included in the competency matrix. For example, if you want to protect only the research and development information, most probably the HR and financial personnel won't be included in your competency matrix.
2- And what type of competencies need to be included – do they have to be related to information security only?
Answer: The competencies to be included will depend on which roles you have in your matrix, but broadly speaking they are related to information technology, physical security, HR management and legal.
As you can notice, they are not limited to information security. In fact, information security competencies will drive which specific competencies in these areas must be developed.
For example, for protecting confidentiality, competencies related to physical and logical access control must be developed, as well as security practices in systems development, which will need to protect the confidentiality of information stored and processed by information systems.
These articles will provide you with further explanation about managing competencies:
You should not build a management system in limbo. Your organization’s management system will be a function of its context, external and internal. For example, imagine that your organization is American and exports very successfully to China. Will trade barriers be erected? How will that change the market? Imagine that your organization sells mainly to stores in shopping malls. I read today, honestly, someone arguing that around 25% of shopping malls will close in the next few years. Imagine that a competitor with a different business model is disrupting the market. Your management system must take this into consideration when thinking about the future. About the internal context, imagine that your commercial department is saying that customers want or need shorter delivery times, but your internal data reveal the opposite trend: your organization’s delivery times are getting longer. Clause 4.1 of ISO 9001:2015 is about this kind of stuff. Normally, it is top management who determines which issues are relevant. Most of these issues can be seen as the basis for uncertainty about the future of the business, and with that uncertainty come risks and opportunities (clause 6.1.1). Because of the most relevant risks and opportunities, your organization can change some practices (clause 6.1.2), that is: change the way some processes are executed.
The following materials will provide you details about the context determination:
I assume that by “objectives” you mean quality objectives and that by KPI you mean Key Performance Indicator.
Since I do not have more information, I will speculate upon the reasons that can support the auditor’s behavior. Normally, organizations develop quality objectives, stated challenges that imply a direction of improvement. Then they use indicators to monitor and measure performance and define a precise target to meet. Has your organization written any statements about each objective?
Please see below the first article, where you can read “These product or process objectives are often referred to as Key Performance Indicators (or KPIs). By utilizing the KPIs that the company has identified as the important indicators that the processes are functioning well the overall QMS objectives for improvement become much easier to measure.” I believe your auditor feels those statements are missing. Quality objectives can be measured by KPIs but are more than KPIs.
The following materials will provide you details about quality objectives:
Answer:
If you have ISO 20000 certification for your company, that's the maximum you can get. There is no ITIL certification for companies; only individuals can be ITIL certified.
2.- Strategies for expanding the scope of the certified services from one group of services to all services aimed at external customers.
3.- How to migrate from an ISO 9001-based system with ITIL practices implemented to an ISO 20000-1 system.
Answers:
1.- My recommendation is that you should select the main services of the business, or the services for which you most want to publicize to your customers that you have implemented the ISO 20000 standard. For more information on how to define the scope of ISO 20000, this article may be interesting for you: “How to define the scope of the SMS in ISO 20000”: https://advisera.com/20000academy/blog/2015/06/02/how-to-define-the-scope-of-the-sms-in-iso-20000/
2.- Sorry, but I am not sure I have understood your question correctly. However, if you want to provide IT services to customers who are requesting certification from their suppliers, implementing and certifying ISO 20000 can be interesting. And this can be the strategy, that is, depending on the requirements and needs of your customers, you can include in the scope of the ISO 20000 certification the services related to the customers who require/need it.
3.- If you have ISO 9001 with ITIL, implementing ISO 20000 can be very simple, so basically you will need to know the specific requirements of ISO 20000 and which of these requirements are already covered by ISO 9001 + ITIL. This free matrix may be useful to you: “ISO/IEC 20000-1: 2011 vs. ISO 9001:2015 matrix”: https://info.advisera.com/20000academy/free-download/iso-iec-20000-1-2011-vs-iso-9001-2015-matrix
ISO 20000 Design and transition of new or changed services
Answer:
Design and transition of new or changed services is responsible (in the scope of the SMS - Service Management System) for managing any changes to existing services, or the introduction of new services. In your case, I rather see that you'll have changes to existing services. In the scope of your change management (e.g. in your policy) you should define which changes are introduced using the design and transition process.
If you have a design and transition process in place, evidence that you can show to the auditor could include:
- specification
- service requirements
- test plan
- transition plan
- risk assessment
- service acceptance criteria, etc.
1. If those external warehouses belong to your organization and they are relevant to your scope, they must be included.
2. Probably, during the certification audit a sample of some of those warehouses will be audited.
The following materials will provide you details about the scope of a management system:
For AS9100 Rev D, the date to transition from an AS9100 Rev C certified QMS to the new standard has always been aligned with the ISO 9001:2015 transition dates. In September 2017 the ISO & IAF group put out a news release stating that this date for transition would be September 15, 2018. After this date no certification for ISO 9001:2008 would be valid, and likewise certifications for AS9100 Rev C would no longer be in effect.
Of course, there is no last date to certify a new QMS to AS9100 Rev D. This will be the aerospace standard going forward.
For more information on the AS9100 Rev D transition, see this whitepaper: https://info.advisera.com/9100academy/free-download/as9100-twelve-step-transition-process-from-rev-c-to-rev-d