Answer: ISO 27001 standard describes how to manage information security in an organization, while COBIT provides implementable controls over information technology, organized into IT-related processes. ISO 27001 provides many security control objectives applicable to information technology that can be used to enhance effectiveness of COBIT (e.g., controls from section A.13.1 Network security management) processes. Additionally, COBIT governance practices and ISO 27001 context understanding requirements can be used together to better align information security and information technology with business objectives.
This article will provide you further explanation about COBIT and ISO 27001:
- How to integrate COSO, COBIT, and ISO 27001 frameworks
Answer: First of all, the expression "there is no risk" is kind of incorrect (there is no risk-free situation). A more appropriate expression would be "all current risks are acceptable."
That said, to state 'sufficiency of controls' a company should identify which controls are applied to each identified risk and how these controls are being measured and evaluated to ensure they are sufficient. Based on that information an auditor can look for evidence of compliance. As for the identification of the most important control to ensure sufficiency, besides the identified risk you should consider the security requirements and objectives established to build a checklist of what to look for. Seasoned auditors can rely on their experience to quickly identify them.
Answer: Although ISO 27001 does not prescribe any methodology for risk management, its requirements for risk assessment and treatment can be fulfilled by NIST's RMF (it is not a question of whether they are similar or not, but that RMF is a framework that fits ISO 27001 very nicely).
Auditing documentation requirements for ISO 9001 and ISO 13485
Answer:
If your Quality Management System is compliant with both ISO 9001 and ISO 13485, during the internal audit you need to check compliance with both standards. When it comes to common requirements or requirements related to the same elements of the system, you need to audit against requirements of both standards. Whichever standard has stricter requirements, those requirements should be applied and auditing should be done against those requirements.
Another option is to conduct separate audits for ISO 9001 and ISO 13485, but this would just mean that you will double the work.
Answer: For the purposes of a simple risk assessment, there is no difference if you add or multiply likelihood and consequence to calculate the risk. The difference would only make sense for statistical calculations, which are not required for simple risk assessment.
The standard requires the organization to ensure confidentiality of the customer-contracted products and projects under development, including related product information. The standard does not specify what kind of protection of the information should be applied, and in most cases it is either defined by the customer or the usual confidentiality rules of the company are applied.
As far as documenting the requirement in the manual goes, you should explain what rules for confidentiality your company applies and who is responsible for enforcing those rules.
Total Productive Maintenance in IATF 16949
Answer:
Total Productive Maintenance (TPM) has been introduced as a new requirement for IATF 16949 based on previous non-conformances noted in the areas of equipment management. Requirements for TPM are stated in clause 8.5.1.5, and it is required to document the total productive maintenance system.
At a minimum, TPM procedure must include the following:
- identification of process equipment necessary to produce conforming product at the required volume;
- availability of replacement parts for the equipment identified in item a);
- provision of resource for machine, equipment, and facility maintenance;
- packaging and preservation of equipment, tooling, and gauging;
- applicable customer-specific requirements;
- documented maintenance objectives, for example: OEE (Overall Equipment Effectiveness), MTBF (Mean Time Between Failure), and MTTR (Mean Time To Repair), and Preventive Maintenance compliance metrics. Performance to the maintenance objectives shall form an input into management review (see ISO 9001, Section 9.3);
- regular review of maintenance plan and objectives and a documented action plan to address corrective actions where objectives are not achieved;
- use of preventive maintenance methods;
- use of predictive maintenance methods, as applicable;
- periodic overhaul.
Auditing clause 5.1.2
Answer:
Clause 5.1.2 refers to customer focus, and you can audit conformance to it by checking whether:
a) customer and applicable statutory and regulatory requirements are determined, understood and consistently met;
b) the risks and opportunities that can affect conformity of products and services and the ability to enhance customer satisfaction are determined and addressed;
Since this clause doesn't require documented information, you will need to check whether the interested parties and their needs and expectations are determined, whether they include customers and regulatory bodies, and what risks and opportunities are identified and what actions are taken to address them.