Answer: ISO 27017 and ISO 27018 only provide recommendations and guidelines for the implementation of the controls of ISO 27001 Annex A, so their application is not mandatory for an organization to be compliant with ISO 27001.
Regarding whether you can skip cloud elements until the implementation of ISO 27001, you can only do that if there are no cloud-related elements in your ISMS scope.
This gap analysis tool is a simple question-and-answer checklist that will help you identify which specific elements of ISO 27001 you’ve already implemented, and what you still need to do.
Process map
The process-based approach is one of the most relevant principles in ISO 14001, and the process map is part of it. A good process map should contain all the processes within the organization, classified by type and order of execution, which will provide an overview of the whole management system.
Environmental responsibility is the most important principle of an EMS, so the process map can be used to demonstrate control of the environmental impact of the organization's products, services or operations.
To ensure that the limits of what has to be done are known, it is necessary to define the scope of the EMS. This helps prevent the inclusion of business areas that might not affect the environment. To determine the scope, the following should be considered:
- Internal and external issues mentioned in the section on the context of the organization: both must be considered to ensure that the scope is defined correctly and that the EMS is effective.
- Compliance obligations
- Organizational units, functions, physical boundaries
- Activities, products and services
The key tools for defining the scope are the environmental policy and the environmental aspects (the interaction that the organization has with the environment); these are the first documents that need to be created for the EMS.
For more information, see the following articles:
Answer: In the root folder of the toolkit you'll find a document called “List of Documents” which explains which control is covered by which document. There you will find that control A.11.1.5 (Working in secure areas) is covered by the template "Procedures for Working in Secure Areas", which can be found in folder 08 Annex A A.11 Physical and environmental security.
Regarding the other controls from section A.11.1, ISO 27001 does not require a document for each control that is implemented. For small and mid-size companies it is generally sufficient to simply describe how they are implemented in the Statement of Applicability (SoA). You can find this template in folder 06 Statement of Applicability.
Clause 8.5 refers to products and services equally. Although you deliver a service and not a product, you will have to comply with most of the requirements from clause 8.5. Considering the type of business you are in, I would suggest the following exclusions:
- 8.5.1 f) - validation of product and service
- 8.5.2 Identification and traceability
- 8.5.3 Property belonging to customers and external providers
- 8.5.4 Preservation
- 8.5.5 Post-delivery activities
Of course, you will have to provide justifications for the exclusions, and keep in mind that I'm not 100% familiar with your processes, so you will have to check whether all these exclusions are possible. The rest of the requirements in clause 8.5 will apply to your organization.
Answer:
Problem Management KPIs can relate to problems, incidents and changes. Here are a few examples of PM KPIs:
- Number of recurring incidents
- Number of incidents without permanent resolution
- Number of available Known Errors
- Total number of problems
- Size of the current problem backlog for each IT service
- Number of opened changes as a result of root cause elimination
It seems to be very similar: studying the issues or risks that are related to our context and our organization.
Also, how to demonstrate that? Make a list? A table?
At the scale of a worldwide group, it can be harmonised, right? Or at least there could be a general basis that the plant can personalize, I think.
Answer:
Risks and opportunities and external and internal issues are fundamentally different. An issue is a source of a risk or opportunity, but it is not a risk or opportunity by itself. For example, old equipment is an internal issue, but the risks related to it are frequent malfunctions, halts in production or inefficient energy consumption. On the other hand, a government that is willing to invest in eco-friendly projects is an external issue; the opportunity related to it can be to get funding to renew or update the equipment used by the organization.
The issue, whether it is internal or external, is just a fact about the conditions in which the organization operates, while risks and opportunities are positive or negative effects that can occur regarding the issue. For example, coffee is hot, but that alone is not a risk; it is what we do with the coffee that increases the risk of getting burned.
The standard doesn't require internal and external issues to be documented; however, it requires the risks and opportunities to be addressed to be documented, and this can be done with a list or register of risks and opportunities.
As far as the context goes for a worldwide corporation, you can define one global context of the organization and define a more detailed context for smaller organizational units at the level of countries. There can also be a list of risks and opportunities at the global level and risks and opportunities at the local or country level, since the context in every country can be different to some extent, and therefore so can the risks and opportunities.