A risk assessment was done for our company recently. The follow-through from here is unclear.
Also, how to calculate the Risk rating for the critical services?
Answer: The information from the risk assessment can be used to prioritize which activities to focus on first in your BIA, by indicating which business processes are under greater risk, saving time and effort in performing the initial BIA.
For rating critical services considering the results of a risk assessment, you can consider the value of the risks, or the number of risks, associated with a specific service. For example, you can have a service with two high risks associated with it and another with ten medium risks associated with it. Considering your context, in terms of risks maybe the second service is more critical.
Response:
With AS9100 Rev D the requirements of clause 8.1.1 are identical to the requirements of AS9100 Rev C clause 7.1.2. The only difference is that the clause has been changed from being about "risk management" to being about "operational risk management". The reason for this is to separate it from the new requirement (from ISO 9001:2015), clause 6.1, on actions to address risks and opportunities. This new clause deals with identifying and addressing the risks for the QMS (not necessarily risk management, but risk assessment), whereas the requirement you ask about is risk management for the operational processes of the organisation only (for example, what risks are there in the product design, the tight delivery schedule, the assembly process, etc.). In truth, this has not changed from before.
So in short, if the process you had in place before was acceptable, then it should remain acceptable now. The only difference in thinking is that now all of operations applies to products and services, so if there is a service you provide the customer (such as turning the customer drawing into computer files for your machines) then the risks from these services need to also be included in the operational risk management.
Answer: Considering that your audit was based on ISO 27001, the first thing you should do is compare the results of your audit against the results of your risk assessment (if you did not perform a risk assessment, this is a good moment to do that). By doing that you can identify and prioritize which controls to work on first, based on the quantity or relevance of the risks affected by them.
Once you have identified which controls to treat first, you should:
- define objectives to be achieved (based on existing goals or on newly defined goals);
- analyse the situation of each control, to identify what should be done (eliminate root causes of the problems, or implement potential improvements);
- define action plans to establish resources, deadlines and the person responsible for each action that will be implemented.
There is no requirement from ISO 9001:2015 to keep documented information about risks. So, you are quite free in how to do it, if you want to do it. For example, you can keep a risk registry for quality and for process objectives. In columns, for each objective, you list the determined risks, you classify each risk, you decide what action will be taken and you define the date for evaluating its effectiveness. If you do this on your computer you can add new risks whenever you decide and you can update your classification and actions.
The following material will provide you with information about the risk-based approach:
NCR Details
Status: Auditor assigned to Supplier Representative for follow-up.
NCR #: 7 and 6 others that I am not sure how to answer
The answer:
For the OASIS database each company needs to be assigned a login and password in order to access the database, and this will need to be set up by your certification body. It is best to follow up with the certification body auditors, because it may be that the responses only need to go to them and not be submitted by you to the OASIS database itself. The auditors will be able to guide you on how to respond, either to them or to the OASIS database. Best of luck with your NCR responses.
Issues or risks
Answer:
Internal and external issues are factors and conditions that can have an effect on an organization’s approach to its products, services and investments and interested parties. For example, demography (an external issue) or defects level (an internal issue) act like inputs that influence top management decisions like setting a particular objective.
That particular objective is an expected result. Risks are the effects of uncertainty on an expected result. What can block us from attaining a particular expected result?
The following material will provide you with information about internal and external issues and about risks and opportunities:
Answer: It is primarily part of the company's management responsibility to make sure that everyone knows how to handle mobile devices, and of course it is the internal and external auditors' job to check whether this is really true.
Regarding the word "policy": besides a written document, it can also be in verbal form, or a policy can be part of an IT policy embedded in some software. Therefore you are right: only when the standard says "shall be documented" does the document need to be written. See also: Explanation of the basic terminology in ISO standards https://advisera.com/27001academy/blog/2015/01/12/explanation-of-the-basic-terminology-in-iso-standards/
Documenting clause 8.1 operational control
Answer:
Let us check clause 8.1 item by item.
About item a) – your company must have specifications for their products.
About item b) – your company must have process control specifications to allow process monitoring, less defects and more productivity and safety (for example, parameters for machine operation, like temperature, speed, pressure, …). Your company must have specifications for quality control of raw materials, intermediate and finished products.
About item c) – when designing and planning your production process, your company should ensure resources for the operations (people for production and quality control, equipment, materials, monitoring resources, …).
About item d) – most companies have process control plans and quality control plans that they implement.
About item e) – your company must decide what procedures and instructions will be needed and what forms it will use to record and evidence performance and results.
The following material will provide you with information about control of documents: