Clause 8.5 refers to products and services equally. Although you deliver a service and not a product, you will have to comply with most of the requirements from clause 8.5. Considering the type of business you are in, I would suggest the following exclusions:
- 8.5.1 f) - validation of product and service
- 8.5.2 Identification and traceability
- 8.5.3 Property belonging to customers and external providers
- 8.5.4 Preservation
- 8.5.5 Post-delivery activities
Of course, you will have to provide justifications for the exclusions, and keep in mind that I'm not 100% familiar with your processes, so you will have to check if all these exclusions are possible. The rest of the requirements in clause 8.5 will apply to your organization.
Answer:
Problem Management KPIs can relate to problems, incidents and changes. Here are a few examples of PM KPIs:
- Number of recurring incidents
- Number of incidents without permanent resolution
- Number of available Known Errors
- Total number of problems
- Size of current problem backlog for each IT service
- Number of opened changes as a result of root cause elimination
It seems to be very similar: studying the issues or risks that are related to our context and our organization.
Also, how to demonstrate that? Make a list? A table?
At the scale of a worldwide group, it can be harmonised, right? Or at least there could be a general basis that the plant can personalize, I think.
Answer:
Risks and opportunities and external and internal issues are fundamentally different. An issue is a source of a risk or opportunity, but it is not a risk or opportunity by itself. For example, old equipment is an internal issue, but the risks related to it are frequent malfunctions, halts in production or inefficient energy consumption. On the other hand, a government that is willing to invest in eco-friendly projects is an external issue; the opportunity related to it can be to get funding to renew or update the equipment used by the organization.
The issue, whether it is internal or external, is just a fact about the conditions in which the organization operates, while risks and opportunities are positive or negative effects that can occur regarding the issue. For example, coffee is hot, but that alone is not a risk; it is what we do with the coffee that increases the risk of getting burned.
The standard doesn't require internal and external issues to be documented; however, it requires the risks and opportunities to be addressed to be documented, and this can be done with a list or register of risks and opportunities.
As far as the context goes for a worldwide corporation, you can define one global context of the organization and define a more detailed context for smaller organizational units at the level of countries. There can also be a list of risks and opportunities at the global level and risks and opportunities at the local or country level, since the context in every country can be different to some extent, and therefore so can the risks and opportunities.
(I wanted to know if you can help me by explaining why Annex A of ISO 27001 starts with the number A5)
Answer: ISO 27001 Annex A is based on British Standard BS 7799-1 (Information technology - Code of practice for information security management), which had the following structure:
Foreword
0 introduction
1 scope
2 terms and definitions
3 structure of this standard
4 risk assessment and treatment
5 security policy
6 organization of information security
7 asset management
8 human resources security
9 physical and environmental security
10 communications and operations management
11 access control
12 information systems acquisition, development and maintenance
13 information security incident management
14 business continuity management
15 compliance
Bibliography
Index
So, when this content was incorporated into ISO 27001 Annex A, version 2005, to facilitate the transition for those who used the BS standard, the names and section numbers from sections 5 to 15 of the old BS 7799-1 were kept, only including the "A." to indicate they are part of the ISO 27001 Annex. When ISO 27001 was updated to version 2013, this sequence was maintained.
Answer: ISO 27017 and ISO 27018 are not certifiable standards (they are supporting standards to help implement controls from ISO 27001 Annex A, the same way ISO 27002 is), so this new sentence is not applicable. For those organizations making use of ISO 27001 and cloud providers, a better question to ask would be: "Are our cloud providers compliant/certified against ISO 27001 requirements, and do they adopt recommendations from 27017 for cloud security and 27081 for privacy protection?"
I need to know how to comply with this mandatory document; should I just create a document with all the roles related to the ISMS, e.g. CISO, and describe what the role/responsibilities are for him?
Answer: Included in the toolkit you bought there is the "List of Documents" file, which shows you which clauses of the standard are covered by which templates.
Regarding control A.7.1.2 (Terms and conditions of employment), the following templates cover this clause:
- Confidentiality Statement, located in folder 08 Annex A, sub folder A.7 Human resource security
- Statement of Acceptance of ISMS Documents, located in folder 08 Annex A, sub folder A.7 Human resource security
- Supplier Security Policy, located in folder 08 Annex A, sub folder A.15 Supplier relationships
- Security Clauses for Suppliers and Partners, located in folder 08 Annex A, sub folder A.15 Supplier relationships
Regarding control A.13.2.4 (Confidentiality or non-disclosure agreements), the following template covers this clause:
- Confidentiality Statement, located in folder 08 Annex A, sub folder A.7 Human resource security
If you find that these templates still do not cover your needs, you can schedule a meeting with one of our experts (this meeting is included in your toolkit) so he can help you to handle your situation. To schedule a meeting, please access this link: https://advisera.com/27001academy/consultation/
Segregation of duties
Answer: There is no specific template for segregation of duties because responsibilities are defined in each template according to the required tasks to be performed (for example, in the Backup Policy template, you can define different job titles to create and test backup copies). If, for a required activity, your organization identifies that there is a need to segregate it, you can adjust the template to that specific situation.
Additionally, in the Information Security Policy template you can define segregated activities related to information security (please see section 4.5 of the document). This template can be found in folder 04 Information Security Policy.
A path between the ISO 27001 certification and the GDPR toolkit
Answer: In Article 32, the EU GDPR requires the implementation of security controls, so in our EU GDPR Toolkit we have included 11 documents from ISO 27001 that will cover this requirement - here they are:
- IT Security Policy (in the ISO 27001 toolkit this one is called the Acceptable Use Policy)
- Access Control Policy
- Security Procedures for IT Department (in the ISO 27001 toolkit this one is called the Operating Procedures for Information and Communication Technology)
- Bring Your Own Device (BYOD) Policy
- Mobile Device and Teleworking Policy
- Clear Desk and Clear Screen Policy
- Information Classification Policy
- Policy on the Use of Encryption Article 32
- Disaster Recovery Plan Article 32
- Internal Audit Procedure Article 32
- ISO 27001 Internal Audit Checklist
The point is, the implementation of these security controls is ca. 50% of the whole GDPR implementation, while the rest of the effort should be focused on privacy and legal issues.
Management Review inputs and monitoring and measurement
Answer:
According to the process approach, your QMS is a set of interrelated processes. Every process has indicators or some other methods of measuring and monitoring performance. The Management Review Meeting (MRM) is a good place to do two things with those methods. First, are they relevant? Do you still consider them to be good choices to monitor and measure performance? Do you see better choices? Second, what about the performance level according to those indicators and other methods? Should your company update the targets for performance? Should your company develop improvement actions?
The following material will provide you with information about monitoring and measurement: