
  • BC policy and BC framework


    Answer: The business continuity framework defines which elements are part of a business continuity approach (e.g., Business Impact Analysis, Risk Assessment, Business Continuity Plans and tests, etc.), while a business continuity policy defines the general guidelines for business continuity (e.g., its purpose, objectives, management commitment, etc.).

    2 - Definitions for mission critical /important/ vital assets in an organization? How are they determined?

    Answer: These definitions are determined considering the relation and impact of the assets to the business functions. Generally, they can be defined as follows:
    - Mission critical assets are related to the purpose of the organization (without them an organization is unable to serve its customers).
    - Important assets generally means assets whose failure or unavailability can severely impair business operations.
    - Vital assets generally means assets whose failure or unavailability can prevent one or more business processes from working (mission critical assets are one kind of vital assets, specific or related to processes which serve the customers).
  • Documenting policies


    Answer: ISO 27001 is not prescriptive about how to document your information, so you can put all policies into a single document. Having all policies in a single document can make it easier to manage them, but you have to take care not to end up with a document so big that it becomes difficult or annoying for users to handle.

    These articles will provide you further explanation about how to manage policies:
    - One Information Security Policy, or several policies? https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/
    - Is the ISO 27001 Manual really necessary? https://advisera.com/27001academy/blog/2014/02/03/is-the-iso-27001-manual-really-necessary/
  • Access control policy: A.9.2.3

    Answer: The control A.9.2.3 (Management of privileged access rights) is covered in sections 3.4 (Privilege management) and 3.5 (Regular review of access rights).

    This article will provide you further explanation about access control:
    - How to handle access control according to ISO 27001 https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/

    This material will also help you regarding access control:
    - ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
  • Different legal entities under one certificate


    Answer:

    Yes. You can certify different companies under the same certificate as long as the scope is clear about the different locations and includes products and services of both locations. For example, last year I worked for a group of 4 companies, 4 different legal entities, certified under the same certificate.

    The following material will provide you information about scope:

    - ISO 9001 – How to define the scope of the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/

    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/

    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Getting clients as a consultant


    Answer:

    Consider your experience to identify in which sectors and for what kind of organizations you should target your efforts. Preferably, before contacting them, you should build ways of showing who you are, what you do, and how you can help. You can use e-mails, newsletters, starting a blog, publishing articles in technical magazines or professional networks, volunteering to speak at conferences, or asking for introductions. Another way is to contact consulting companies; perhaps they are looking for a junior with hands-on experience.

    The following material will provide you information about consulting:

    - Free webinar – How to sell ISO consulting services - https://advisera.com/9001academy/webinar/how-to-sell-iso-consulting-services-free-webinar/

    - ISO 9001 - How to become an ISO 9001 consultant - https://advisera.com/9001academy/blog/2016/11/15/how-to-become-an-iso-9001-consultant/
  • PEST, SWOT and the Quality Manual


    Answer:

    You can have your PEST and SWOT analysis documented as an input to your management review. Using the actual PEST and SWOT analysis in your quality manual normally implies that you should update your quality manual more frequently. As with quality objectives, in the quality manual we say that we have quality objectives but document them elsewhere.

    The following material will provide you information about context and quality manual:

    - ISO 9001 – ISO 9001:2015 Case study: Context of the organization as a success factor in manufacturing company - https://advisera.com/9001academy/blog/2016/10/11/iso-90012015-case-study-context-of-the-organization-as-a-success-factor-in-manufacturing-company/

    - The future of the Quality Manual in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/the-future-of-the-quality-manual-in-iso-90012015/

    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/

    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • External Auditor versus Lead Auditor


    Answer: An external auditor can be a second-party auditor (who performs audits in an organization on behalf of another organization) or a third-party auditor (who performs audits in an organization on behalf of a certification body). For third-party auditors the lead auditor qualification is mandatory. As for the second-party auditor, the lead auditor qualification may be optional, depending on the requirements of the organization demanding the audit (in general, organizations require the lead auditor qualification, because the interaction with other organizations has additional steps and phases that are not covered by internal auditor qualifications).

    If your purpose is to audit other sites of your own organization, then the internal audit qualification is sufficient.

    These articles will provide you further explanation about internal and external auditor qualification:
    - Qualifications for an ISO 27001 Internal Auditor https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/

    These materials will also help you regarding internal audit:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
  • Competence evidence


    Answer: According to ISO 27001, clause 7.2 (Competence), competences are based on appropriate education, training, or experience, which can be evidenced by means of certificates, registered hours of work on specific activities, and records of attended trainings.

    These articles will provide you further explanation about evidencing competencies:
    - How personal certificates can help your company’s ISMS https://advisera.com/27001academy/blog/2014/10/06/how-personal-certificates-can-help-companys-isms/
    - What to look for when hiring a security professional https://advisera.com/27001academy/blog/2016/02/15/what-to-look-for-when-hiring-a-security-professional/
  • Sample texts in templates

    Is this meant as an example of how to fill it in?

    Answer: The purpose of this section is to define how to control the records defined in a procedure or policy. The Incoming Mail Register is a record defined in this procedure (section 4) to show evidence of how external documents are handled, so this is not a sample of what you can fill in this section, but the actual text that you must use (of course, the text in brackets has to be customized to your organization's context).

    Included in the toolkit you bought you have access to a video tutorial that can help you fill in the Procedure for Document and Record Control.
  • Delayed audit report


    Due to the difficulty of closing out the audit finding by collecting bits and pieces of the auditor's report, as I am new to the company, I proposed to re-audit the whole process and deliver the new audit report and finding instead. Alternatively, we submit an RCA on the reasons why we could not close out the NCR raised in the Client Audit finding.

    Our client still insists that the way to close out the NCR raised during the Client Audit is to submit the complete audit report and its analysis from the previous audit. How should I go about this situation?

    Answer: You may try to explain to your client that since a very long time has passed since this audit (almost a year by now), the effort to complete and submit this report may not be worthwhile, since the conditions may have changed and the non-conformity treatment may not reflect the audited situation. Besides that, you may also argue that the next audit is close and you can use that audit to cover this gap, avoiding unnecessary costs.