  • Shared resources


    Asset name: Network locker (NO Office)
    Threat: Information interception
    Vulnerability: Switch Locker is shared with other companies
    Consequence(0 to 3): 2
    Likelihood(0 to 3): 3

    The neighboring office (and anyone with access) has access to the locker through a door that can only be locked from their side. The people that are responsible for the building will apparently install an alarm that will go off if anyone opens the door; however, we are not very happy about that as a solution, and we’d much rather be able to control exactly who has access to the locker.

    Do you have any suggestion that you can give us?

    Answer: Considering the scenario you described, you should try to establish an agreement with the people that are responsible for the building, specifying the security controls they need to implement (e.g., install an alarm, give you the key to the locker, etc.). If this solution is not possible, other alternatives you should consider are:
    - Implement a separate switch/network
    - Implement cryptography to protect communication between the computers in your network and to protect your files.
    - Implement access control on the shared folders in your network.

    The last alternatives in terms of risk management are to accept the risk (and do nothing), or to avoid the risk (e.g., by stopping using the switch).

    This article will provide you with further explanation about handling suppliers:
    - 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
  • ISO 27001 implementation project


    Answer: The first and most critical step is to get management support for the project. Implementing information security will need resources in terms of people, material and capital, and most of all, it involves cultural change, and for that you will need top management support and involvement.

    To help you with top management, I suggest you use our Project proposal for ISO 27001 / ISO 22301 implementation and Project plan for ISO 27001 / ISO 22301 implementation, which you can find at these links:
    - https://info.advisera.com/27001academy/free-download/project-proposal-for-iso-27001-iso-22301-implementation-msword
    - https://info.advisera.com/27001academy/free-download/project-plan-for-iso-27001-iso-22301-implementation

    These documents can be adjusted to your organization context and can help you explain the importance of ISO 27001 to the business and how the implementation should be conducted.

    Regarding the gap assessment phase, I suggest you take a look at our Free ISO 27001 Gap Analysis Tool at this link: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/

    Its question-and-answer format allows you to visualize which specific elements of an information security management system you’ve already implemented, and what you still need to do.

    These articles will provide you with further explanation about implementation steps:
    - What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
    - ISO 27001 project – How to make it work https://advisera.com/27001academy/blog/2013/04/22/iso-27001-project-how-to-make-it-work/
    - Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/

    These materials will also help you regarding implementation steps:
    - Preparations for the ISO Implementation Project: A Plain English Guide https://advisera.com/books/preparations-for-the-iso-implementation-project-a-plain-english-guide/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - ISO 27001: An overview of the ISMS implementation process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001-overview-isms-implementation-process-free-webinar-demand/
    - Seven key problems to avoid in ISO 27001 implementation [free webinar on demand] https://advisera.com/27001academy/webinar/seven-key-problems-to-avoid-in-iso-27001-implementation-free-webinar-on-demand/
  • Applicability of controls


    Answer: A control from Annex A must be applied only if one of the following occurs:
    - There are risks identified as unacceptable in the risk assessment that require the implementation of the control
    - There are legal requirements (e.g., laws, regulations, contracts, etc.) that require the implementation of the control
    - There is a top management decision requiring the implementation of the control

    If none of these occurs, there is no need to implement a control considering ISO 27001 requirements (in fact, it is hard for none of these to apply to incident management; it is extremely rare that a company does not have any control from section A.16). Since you did not provide the justification for exclusion in your document, it is not possible to evaluate whether the exclusion is acceptable or not (at the beginning of the document, about control A.6.1.1, there is a comment about the same issue - justification for inclusion/exclusion).

    This article will provide you with further explanation about risk assessment:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
  • ISO 27005 Annexes


    Answer: Annexes B (Identification and valuation of assets and impact assessment), C (Examples of typical threats) and D (Vulnerabilities and methods for vulnerability assessment) from ISO 27005 are compilations of common practices and situations found in the market, so there is no problem in adopting them in your framework.

    This material will also help you regarding risk management:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
  • ISMS audit


    Answer: I'm assuming that you are interested in performing the internal audit, and to help you with this I suggest the following material:
    - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
    - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
    - 7 ways to improve the internal audits of your ISO 27001 ISMS https://advisera.com/27001academy/blog/2017/08/28/7-ways-to-improve-the-internal-audits-of-your-iso-27001-isms/

    Additionally, I suggest you take a look at our ISO 27001/ISO 22301 Internal Audit Toolkit at this link: https://advisera.com/27001academy/iso-27001-22301-internal-audit-documentation-toolkit/

    This toolkit will provide you with templates to build your internal audit process, audit plan and other documents required to perform an internal audit according to ISO 27001.

    These materials will also help you regarding ISMS audit:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
  • Who can sign a CofC in AS9100?

    machined parts to various external customers?

    Answer:
    The relevant clause of AS9100 Rev D that discusses this is Clause 8.6, Release of Products and Services. In this clause there is a discussion on not releasing the product or service until all planned arrangements are met, or any difference is agreed to, and it ends with the requirement to have documented information on the release of the product or service, which is often a C of C in the aerospace industry as you have indicated (even though AS9100 does not use this term). The requirements for this documented information are that it includes a) evidence that the product and service is conforming, and b) traceability to the person(s) authorizing release.
    So, AS9100 does not say who that authorizing person needs to be; it is up to you to determine this. In general, what you would need to do is determine the competence that is needed for authorizing the release, and then determine who has that competence. If you can show that the documentation tech has the competence to look at all of the documented evidence that shows that the machined parts are conforming to all requirements and determine that what you are sending meets those requirements or has been accepted otherwise, then you will have an argument that this person can do this task. Of course, this always links back to the customer contract, so if they identify who needs to sign the C of C then there is nothing to really justify. If they ask for the quality representative, then it is hard to argue.
    If you want more information on the quality representative in the AS9100 QMS take a look at this article: https://advisera.com/9100academy/blog/2017/09/25/who-is-the-best-person-to-be-as9100d-quality-representative/
  • Internal auditor competence


    Answer:

    In order to demonstrate competency, the internal auditors must demonstrate understanding of the five points listed in the standard under clause 7.2.3. The standard doesn't say how to verify the competence, so it can be done in any way that the organization finds most appropriate, whether it is by attending internal auditor courses and providing certificates, or by conducting internal training and testing the auditors against the above-mentioned criteria.

    As far as second-party audits are concerned, the standard also defines requirements for competency in clause 7.2.4, and again it doesn't require a certificate, nor does it define the method for verification of their competence, so the same rules apply.

    An internal auditor course is a good way of demonstrating competence, simply because it provides documented evidence from a third party.

    For more information, see: Requirements for competence of IATF 16949 internal auditors https://advisera.com/16949academy/blog/2017/10/19/requirements-for-competence-of-iatf-16949-internal-auditors/
  • IATF 16949 9.3.2.1 identifying potential field failures


    Answer:

    A field failure is, in a broad sense, a failure of the product when used by the customer, or the end user, in the intended application. Quality field failure data has often been described as the ultimate source of reliability information.

    Usually, organizations count failure events and assess their effect on the end user. This is just an initial type of information the organization must have. Depending on the type of product the organization manufactures, different KPIs can be established, for example number of failures/number of field operational hours. This covers only requirement 9.3.2.1 k); for the requirements under j), the organization needs to conduct FMEA analysis in order to determine potential field failures and their potential frequency and effect, and to take actions to mitigate this risk.

    For more information, see: What is FMEA, and how to apply it in IATF 16949 https://advisera.com/16949academy/blog/2017/09/06/what-is-fmea-and-how-to-apply-it-in-iatf-16949/
  • FDA 21 CFR Part 820 vs ISO 13485


    Answer:

    They have several differences, which is what has kept them from harmonizing. ISO 13485 is a standard based on ISO 9001 that is specific to medical devices. This standard is not adopted by the Food and Drug Administration (FDA), but the FDA participated in writing ISO 13485 to make sure their requirements and ISO 13485 are aligned. The FDA QSR has more stringent complaint handling & reporting requirements.

    However, if a company meets the requirements of ISO 13485:2003, they should easily be able to meet the FDA Quality System Requirements (QSR).

    For more information, see: Differences and similarities between FDA 21 CFR Part 820 and ISO 13485 https://advisera.com/13485academy/blog/2017/10/05/differences-and-similarities-between-fda-21-cfr-part-820-and-iso-13485/
  • Quality objectives and values


    Answer:

    You can use the “core purpose” of the company to develop a quality policy, and by doing that follow clause 5.2.1 a) of ISO 9001:2015. But you should also include the commitments mentioned in clauses 5.2.1 c) and 5.2.1 d). Quality objectives and “core values” are not the same thing. Quality objectives are something that your organization wants to meet in the future; they are a tangible result. “Core values” are operating philosophies or principles that guide an organization's conduct.

    The following materials will provide you details about Quality objectives:

    - Article - How to Write Good Quality Objectives - https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/

    - [free course] ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/

    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/