
  • Product safety in plastic part manufacturing


    Answer:

    The requirements for product safety cannot be excluded even if there are no safety issues related to the product. If you are not designing the product and get the drawing from the third party (e.g. customer), they should provide you with information on the product safety. If they don't, you should conduct risk assessment to determine if there are any risks related to the product safety and take appropriate actions. Even if there are no product safety issues, you will still need to have the product safety process.

    For more information, see: Ensuring product safety according to IATF 16949 https://advisera.com/16949academy/blog/2017/09/20/ensuring-product-safety-according-to-iatf-16949/
  • Password security and ISO 27001


    Thanks for taking time from your busy schedule to reply to me.

    Answer: ISO 27001 does not prescribe any solution to be applied for security controls in Annex A, only objectives to be achieved. This gives organizations freedom to implement the most adequate solutions according to their context. For guidelines and recommendations about what to consider in the implementation of security controls, you should consider the ISO 27002 standard.

    That said, regarding security of system passwords, service passwords, and application passwords, including passwords at administrator level, you should consider ISO 27002 recommendations for the following controls:
    - Control A.9.2.3 (Management of privileged access rights): for shared administration user IDs, you should consider practices like changing passwords frequently and as soon as possible when a privileged user of these shared IDs leaves or changes job, and communicating these passwords to administrators through secure mechanisms. Besides that, all other recommendations from control A.9.3.1 (Use of secret authentication information), aimed at general users, should also be applicable to administrators.
    - Control A.9.3.1 (Use of secret authentication information): when passwords need to be part of automated log-on procedures, they must be properly protected (e.g., do not store passwords in plain text).
    - Control A.9.4.3 (Password management system): when stored, passwords should be kept in files separate from application system data.

    This article will provide you further explanation about the use of passwords:
    - How to handle access control according to ISO 27001 https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/

    These materials will also help you regarding use of passwords:
    - ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
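The controls cited in the answer above amount to three concrete practices: never keep passwords in plain text, keep the credential store in a file separate from application data, and protect any password that has to be embedded in an automated log-on. The block below is an added example, not part of the original answer and not text from ISO 27002, showing one way to implement those practices with Python's standard library, plus a check that flags plain-text passwords left inside an application config. The file names, the PBKDF2 iteration count and the two sample configs are assumptions constructed for the demonstration.

```python
# Added example (not from the original answer): password handling aligned with
# the ISO 27002 practices quoted above, using only the Python standard library.
#   1. Never store passwords in plain text: salted PBKDF2 hash, constant-time check.
#   2. Keep credentials in their own owner-only file, separate from application data.
#   3. A check that flags plain-text credentials left inside an application config.
# File names, the iteration count and the sample configs are assumptions.
import hashlib
import hmac
import json
import os
import secrets
import tempfile

PBKDF2_ITERATIONS = 600_000        # assumed work factor; tune for your hardware
_HASH_PREFIX = "pbkdf2_sha256$"
SECRET_KEYS = ("password", "passwd", "secret", "token")
REFERENCE_SUFFIXES = ("_file", "_path", "_ref")   # keys that point at a secret, not hold one


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt_hex$digest_hex."""
    salt = secrets.token_bytes(16)                 # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{_HASH_PREFIX}{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:                             # malformed record: never accept
        return False
    if algo + "$" != _HASH_PREFIX:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class CredentialStore:
    """Hashed credential records in their own file, never inside application data."""

    def __init__(self, path: str, iterations: int = PBKDF2_ITERATIONS):
        self.path = path
        self.iterations = iterations
        # Dummy record so a lookup of an unknown user costs one hash, like a real one.
        self._dummy = hash_password(secrets.token_hex(8), iterations)

    def set(self, user: str, password: str) -> None:
        records = self._load()
        records[user] = hash_password(password, self.iterations)
        fd = os.open(self.path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as f:
            json.dump(records, f)
        os.chmod(self.path, 0o600)                 # owner-only, even if the file pre-existed

    def check(self, user: str, password: str) -> bool:
        record = self._load().get(user)
        ok = verify_password(password, record if record else self._dummy)
        return ok and record is not None

    def _load(self) -> dict:
        if not os.path.exists(self.path):
            return {}
        with open(self.path) as f:
            return json.load(f)


def find_plaintext_secrets(config: dict, prefix: str = "") -> list:
    """Return dotted paths of config values that look like plain-text credentials."""
    hits = []
    for key, value in config.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            hits.extend(find_plaintext_secrets(value, path + "."))
            continue
        if key.lower().endswith(REFERENCE_SUFFIXES):
            continue                               # a reference to a secret file is fine
        if any(k in key.lower() for k in SECRET_KEYS):
            if isinstance(value, str) and value and not value.startswith(_HASH_PREFIX):
                hits.append(path)
    return hits


# Constructed sample configs: the weak layout beside the corrected one.
INSECURE_APP_CONFIG = {"db": {"host": "db.internal", "user": "app", "password": "hunter2"}}
SECURE_APP_CONFIG = {"db": {"host": "db.internal", "user": "app",
                            "password_file": "/etc/app/db.secret"}}   # assumed path


def run_demo() -> dict:
    """Exercise the store and the config check on a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        store = CredentialStore(os.path.join(tmp, "credentials.json"))   # assumed name
        store.set("admin", "correct horse battery staple")
        return {
            "good_password": store.check("admin", "correct horse battery staple"),
            "bad_password": store.check("admin", "wrong"),
            "unknown_user": store.check("nobody", "anything"),
            "store_mode": os.stat(store.path).st_mode & 0o777,
            "insecure_config_hits": find_plaintext_secrets(INSECURE_APP_CONFIG),
            "secure_config_hits": find_plaintext_secrets(SECURE_APP_CONFIG),
        }


if __name__ == "__main__":
    print(run_demo())
```

The record format carries its own iteration count, so the work factor can be raised later without invalidating existing entries; `find_plaintext_secrets` treats a `*_file` key as a reference rather than a secret, which is the layout the corrected config uses.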
  • Risk Assessment on SDLC


    We want to start the risk assessment right before the design stage.
    We want to ensure that the design is secure and taking into consideration all the security risks that system environment will be facing.
    By understanding the risk and the risk level, all appropriate controls will be put in place at the design stage.
    This will then ensure secure development, secure delivery and the end objective to have secure operation and maintenance.

    I am thinking of using threat modelling risk assessment at the design stage.

    As I understand it, the risk assessment is not a "one time do and forget" exercise. Thus, we should be having a periodic risk assessment, with review and monitoring. Maybe it is a good practice to have a yearly exercise.

    For our environment, we should have it at every stage.

    Hope to get some feedback from you on the above.

    Answer: Your thinking is absolutely right. System security must be thought of as soon as possible in the development process, and should be periodically reviewed because of the identification of new types of threats, coding problems and opportunities for improvement. To ensure this thinking is considered in your organization's process you should consider the implementation of a Secure Development Policy (a template for this policy is included in your toolkit, in folder 08 Annex A, subfolder A.14 System acquisition, development and maintenance), as well as integrating the security activities into your current development process. A good reference for secure development is the ISO 15408 standard, which you can see at this link: https://www.iso.org/standard/50341.html

    These articles will provide you further explanation about secure development:
    - How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/
    - How to set security requirements and test systems according to ISO 27001 https://advisera.com/27001academy/blog/2016/01/11/how-to-set-security-requirements-and-test-systems-according-to-iso-27001/
  • Information Security Policy

    The first thing you have to consider is the identification of the requirements this Information Security Policy must comply with (e.g., laws, contracts, standards, etc.); then, based on these requirements, you can plan what to look for as evidence that this policy is implemented and being followed.

    I suggest you to take a look at the free demo of our ISO 27001/ISO 22301 Internal Audit Toolkit at this link: https://advisera.com/27001academy/iso-27001-22301-internal-audit-documentation-toolkit/

    This toolkit has four documents (Internal Audit Checklist, Procedure for Internal Audit, Annual Internal Audit Program, and Internal Audit Report) that can help you perform an internal audit considering ISO 27001, the leading ISO standard for information security, in an easy and efficient way.

    These articles will provide you further explanation about internal audit:
    - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
    - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

    These materials will also help you regarding internal audit:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - ISO 27001:2013 INTERNAL AUDITOR COURSE https://advisera.com/training/iso-27001-internal-auditor-course/
  • Defects, problems and incidents


    Answer:
    Incidents lead to problems, that's correct (see the articles
    ITIL Problem Management: getting rid of problems https://advisera.com/20000academy/blog/2013/08/05/itil-problem-management-getting-rid-problems/
    How to make your ITIL/ISO 20000 Problem Management more effective with a Problem Record https://advisera.com/20000academy/blog/2017/02/14/how-to-make-your-itiliso-20000-problem-management-more-effective-with-a-problem-record/)

    On the other hand, defects relate to not satisfying service requirements and involve, e.g., a change to the service in the early life support phase. According to ITIL, the definition of a problem is "A cause of one or more incidents." So, if that defect doesn't cause incidents, there is no need to go to problem management. Rather, you need to send it back to development (Release and Deployment, or even to the Service Design processes if you conclude that there is an error in the service design). So, as you can see, a defect can have much deeper causes than the "usual relation" incident - problem.
  • Major Incident Management process


    Answer:
    I assume MIM stands for Major Incident Management. So, having so many people in the MIM process is seldom productive. MIM usually involves the minimum required people. That means you should have someone who is in charge of the resolution (consider them the "project leader"), someone from top management (you need quick reaction, the best people you have, maybe some monetary resources, so you need a strong sponsor) and technical experts related to the topic.

    This article can provide more details:
    Major Incident Management – when the going gets tough… https://advisera.com/20000academy/knowledgebase/major-incident-management-going-gets-tough/
  • Clause 8.5.2


    My answer:

    The organization must control the unique identification of products when traceability is a requirement, and must retain the documented information needed to enable traceability. This means you will need to provide justifications for any exclusions you make.

    Regarding clause 8.5.2, not all products or services require identification and traceability. Some companies label their parts with unique serial numbers that can contain all the traceability data for that part, while others apply traceability at the batch level where it is needed.

    For more information, see "ISO 9001:2015 clause 8.5 product realization: practical examples for compliance" (in English): https://advisera.com/9001academy/blog/2015/11/03/iso-90012015-clause-8-5-product-realization-practical-examples-for-compliance/

    These materials may also help you with the implementation of ISO 9001:2015:

    - Book "Preparing for the ISO implementation project: A plain English guide": https://advisera.com/books/preparacion-para-el-proyecto-de-implementacion-iso-una-guia-en-un-lenguaje-sencillo/
    - Free online course: ISO 9001 Foundations Course: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
    - Conformio (online tool for ISO 9001): https://advisera.com/conformio/
  • ISO 9001 implementation


    My answer:

    What gets certified are the activities, which coincide with the scope of the certification. If you want to implement ISO 9001 in a single department/unit/location of the organization, there are not many benefits, since ISO 9001 has been developed to be applied to the organization as a whole and therefore contains requirements for the whole organization.

    For more information, see "How to define the QMS scope according to ISO 9001:2015": https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/como-definir-el-alcance-del-sgc-de-acuerdo-a-la-iso-90012015/

    These materials may also help you with the implementation of ISO 9001:2015:

    - Book "Preparing for the ISO implementation project: A plain English guide": https://advisera.com/books/preparacion-para-el-proyecto-de-implementacion-iso-una-guia-en-un-lenguaje-sencillo/

    - Free online course: ISO 9001 Foundations Course: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/

    - Conformio (online tool for ISO 9001): https://advisera.com/conformio/
  • ISO 22301 toolkit content relate to internal and external issues


    Answer: The information required by ISO 22301 clause 4.1 is addressed by following templates:
    - Organization's activities (from clause 4.1 a)) and potential impact from disruptive incidents are addressed by template Business Impact Analysis Questionnaire (located at folder 04 Business Impact Analysis Methodology)
    - Organization's functions (from clause 4.1 a)) are addressed in all templates when an activity to be performed is required (by means of the field [job title]). Functions related specifically to the BCMS are defined in the template Business Continuity Policy, section 3.5, (located at folder 03 Business Continuity Policy)
    - Organization's product and services (from clause 4.1 a)) are addressed by template Business Continuity Policy, section 3.5, (located at folder 03 Business Continuity Policy)
    - Relations with suppliers, partners and interested parties (from clause 4.1 a)) are addressed by template Business Continuity Strategy (located at folder 05 Business Continuity Strategy)
    - Relationships between the Business Continuity Policy and other organization's policies, objectives and general risk management strategy (from clause 4.1 b)) are addressed by template Business Continuity Policy, section 2, (located at folder 03 Business Continuity Policy)
    - Organization's risk appetite (from clause 4.1 c)) is addressed by template Business Impact Analysis Questionnaire, section 6 (maximum acceptable outage) (located at folder 04 Business Impact Analysis Methodology)