Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11270 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Starting ISO 20000 implementation
Can you help us to define what is the most convenience strategy to guide our IT Client?
Answer:
Decision to implement ISO 20000 (and reasoning behind it) as well as management commitment are - must have before you start your work. Scope is one of the first issues you will face. Here is the article that can help " How to define the scope of the SMS in ISO 20000" https://advisera.com/20000academy/blog/2015/06/02/how-to-define-the-scope-of-the-sms-in-iso-20000/
Scope will direct your activities, but this article can help you organize for the implementation (and see where assessment, GAP analysis or internal audit fits) "12 steps for ISO 20000 implementation" https://advisera.com/20000academy/blog/2016/09/06/12-steps-for-iso20000-implementation/
And, here is GAP analysis too l you can use "ISO 20000 Gap Analysis Tool" https://advisera.com/20000academy/itil-iso-20000-tools/iso-20000-gap-analysis-tool/ -
Change Management roles in small IT organization
Answer:
There are several points I'd like to address related to your situation:
1. Initiator - that could be user, customer, someone from IT department, supplier/vendor, CSI, Problem Management, Service Desk...so, it's not necessary that only someone from Change Management i.e. IT department triggers the process.
2.Assessor - that depends on the change category. E.g. for standard changes (see the article Tips and tricks for using the ITIL standard change mechanism https://advisera.com/20000academy/blog/2017/06/27/tips-and-tricks-for-using-the-itil-standard-change-mechanism/), you don't need assessor. See the article "ITIL V3 Change Management – at the heart of Service Management" https://advisera.com/20000academy/knowledgebase/itil/ -v3-change-management-at-the-heart-of-service-management/ and "Three key elements of assessment and evaluation of changes according to ITIL" https://advisera.com/20000academy/blog/2015/06/30/three-key-elements-of-assessment-and-evaluation-of-changes-according-to-itil/ to learn more about other types of changes
3. Approver - that's related to assessment and types of changes. Depending on the type of change - so will be the authorization
4. Change Manager - see the article ITIL/ISO 20000: What is the job of the Change Manager? https://advisera.com/20000academy/blog/2016/10/04/itil-iso20000-what-is-the-job-of-the-change-manager/ to find out more
It is usual (particularly for smaller organizations) that several roles are combined in one person. This article provide more information "What ITIL roles can be combined in one person?" https://advisera.com/20000academy/knowledgebase/itil-roles-can-combined-one-person/ -
Control de la producción y la provisión del servicio
En la versión ISO 9001: 2008 se hablaba acerca de la validación del producto, hay entidades que se exoneraban de ese apéndice (creo que era el 7.5.2 de esa versión); mi consulta es a qué se aplicaba realmente ese concepto y cómo se enfoca actualmente con la versión 2015? -
GDPR Documentation Requirements
Answer:
If you are under time pressure you could of course start with the mandatory documents that would be covering most of the outstanding amount issues in terms of the compliance. Also consider to implement the mandatory documents in the order from the Toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ since they are interlinked. This will make your implementation effort more streamlined.
However, I strongly recommend that you consider all the documents in the Toolkit after implementing the mandatory ones. -
Internal audits and checklists
Where is a good place to find audit questions to use for auditing these areas? Is it ok to use the internal QMS audit checklist that provides questions pertaining to each section? Also for each section who is the best person to audit? We are a company with just a Plant Manager, HR, Controller, Salesman, Quality Manager, and Production Manager.”
Answer:
You should audit your QMS, that means to check if:
* it is conforming with all 7 areas of ISO 9001:2015;
* it is conforming with your own requirements; and
* it is effectively implemented and maintained.
The auditors can read the standard and the internal documentation and list topics about what they want to ask, what they want to see, what they want to read, in order to be able to conclude if the QMS is being applied and it is effective . Those collected topics can become your internal QMS audit checklist, that can be collected and improved audit after audit.
Your organization must have defined what are the competence requirements for your internal auditors. For example, what kind of training on audits and ISO 9001:2015 they must have. So, your internal auditors must be competent, according to your own requirements and, very important, they must not audit their own work. That means that, for example, your Quality Manager even if competent should not audit the Quality Department activities.
The following material will provide you information about audits and checklists:
- ISO 9001 – ISO 9001 Audit Checklist - https://advisera.com/9001academy/knowledgebase/iso-9001-audit-checklist/
- How to create a check list for an ISO 9001 internal audit for your QMS - https://advisera.com/9001academy/blog/2016/07/12/how-to-create-a-check-list-for-an-iso-9001-internal-audit-for-your-qms/
- Internal Audit Checklist [ISO 9001:2015] - https://advisera.com/9001academy/documentation/internal-audit-checklist/
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
Applicability of GDPR
Answer:
The EU GDPR might be applicable to your company even if you are not located in the EU/EEA under the following circumstances defined in article 3 of the EU GDPR (https://advisera.com/eugdpracademy/gdpr/territorial-scope/) :
- Your company is offering goods or services to individuals in the Union. It refers to both free and paid goods and services; and
- Your company is monitoring the behavior of individuals in the EU/EEA. This refers to more intrusive activities such as tracking individuals across multiple sites or using Apps to track an individual’s location.
So, assess if these situations are applicable to your company and if the answer is yes this means that in relation to the EU/EAA processing activities you need to comply with the EU GDPR. You can also take look at this interesting article on this topic : https://advisera.com/eugdpracademy/knowledgebase/what-is-the-eu-gdpr-and-why-is-it-applicable-to-the-whole-world/ -
Certification and partnerships
Answer: Holding an ISO 27001 certification is not necessary if your partners can evidence you by other means they can effectively manage information security. A common situation is by fulfilling security clauses established on a partnership agreement (you can include in the agreement clauses related to the practices you want them to follow, and how these clauses will be verified).
These articles will provide you further explanation about security caluses (the general concepts are still valid if the partner in question is not a supplier):
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
- How to perform an ISO 27001 second-party aud it of an outsourced supplier https://advisera.com/27001academy/blog/2017/10/10/how-to-perform-an-iso-27001-second-party-audit-of-an-outsourced-supplier/ -
Infrastructure requirements
Answer: ISO 27001 does not prescribe specific infrastructure and system requirements to support an Information Security Management System. These should be identified based on the organizational context, ISMS purpose and results of risk assessment.
These articles will provide you further explanation about ISMS requirements:
- WHAT IS ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
- How to identify ISMS requirements of interested parties in ISO 27001https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
- How to set security requirements and test systems according to ISO 27001https://advisera.com/27001academy/blog/2016/01/11/how-to-set-security-requirements-and-test-syste ms-according-to-iso-27001/
- Requirements to implement network segregation according to ISO 27001 control A.13.1.3 Requirements to implement network segregation according to ISO 27001 control A.13.1.3
These materials will also help you regarding ISMS requirements:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
Responsibilities assignment
Who can take this task ?
4.1. Objectives and measurement :
· [Job title] will measure the fulfillment of all the objectives.
· [Job title] is responsible for setting the method for measuring the achievement of the objectives.
4.5. Responsibilities
· [job title] will define which information related to information security will be communicated to which interested party (both internal and external), by whom and when.
· [job title] is responsible for adopting and implementing the Training and Awareness Plan, which applies to all persons who have a role in information security management
Answer: Regarding the responsibilities you mentioned related to section 4.1, and the first one on section 4.5, they are generally assigned to a role created specifically for that purpose (e.g., the CISO), bu t you also can assign them to an existing role in the organizational chart, provided that this person has the necessary skills to carry out the activities (a good choice would be the Management Representative or Quality Manager if you have this role).
For the second responsibility you mentioned in section 4.5, this one can be assigned either to HR Manager or to the roles above mentioned.
These articles will provide you further explanation about CISO:
- What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
- Chief Information Security Officer (CISO) – where does he belong in an org chart? https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/ -
Changes from AS9100 Rev C to Rev D
Answer:
The main additions to AS9100 Rev D come under context of the organisation where the new standard asks that you consider the internal and external issues that affect your QMS as well as identifying the interested parties of your QMS and their requirements. Other additions include requirements around product safety and control of counterfeit products. One small change that can also have repercussions is the phrase "products and services" which is used throughout the standard and now requires you to consider all oft he products and services you provide to the customer as part of your business.
I recommend you see the following whitepaper for more information on transitioning to the new standard requirements, https://info.advisera.com/9100academy/free-download/as9100-twelve-step-transition-process-from-rev-c-to-rev-d, as well a s this infographic of the changes: https://advisera.com/9100academy/knowledgebase/as9100-rev-d-vs-rev-c-what-has-changed/