
  • Special approval of FMEA for product safety


    Answer:

    Special approval means that your FMEA assessment is approved by your customer. This applies, of course, only if the customer requires your organization to send them FMEAs for approval. The standard itself says "if applicable" for this requirement, so if the customer doesn't require approving your FMEAs, your current FMEAs are sufficient to meet the standard's requirements.

    For more information, see: Ensuring product safety according to IATF 16949 https://advisera.com/16949academy/blog/2017/09/20/ensuring-product-safety-according-to-iatf-16949/
  • Information security policy content

    We received this question:

    >I have another question: in the Information Security Policy we mention that the controls implemented are listed in the Statement of Applicability. Thus, users will ask questions about it, e.g. what the SoA is, how they can access it, etc…
    >
    >What should I tell my end users? Basically I’m just concerned about the things which will not make a lot of sense to them.

    Answer: In my understanding you are making your Information Security Policy unnecessarily complex. Since the ISO 27001 standard does not require an organization to mention the SoA in the information security policy, and you think mentioning it will not make a lot of sense to your users, you should consider not referring to it in the policy.

    This way you will avoid overloading users with information that will not be directly useful to their activities. Remember, users need to see and understand the security policies and procedures that are relevant to their activities.
  • Analysis of external issues

    Sure. Examples of how you can apply PEST analysis to information security are:

    Political: How governments and politicians see and understand information security can define state-wide agendas and impact the regulations and laws applicable to several industries.

    Economic: Which costs and profit opportunities can be related to the adoption of information security practices (in some countries that have to import technology, variations in the currency used to buy assets can heavily affect security decisions).

    Social: Depending on the society's culture, the impacts perceived by society due to an information breach can be far greater than the real thing. On the other hand, depending on the culture, the assimilation of security practices can be more difficult (a perception of excessive surveillance and invasion of privacy).

    Technological: The obsolescence and ascension of new technologies can lead to a complete transformation of security practices (e.g., quantum computation can have a serious impact on cryptographic controls, and the "Internet of Things - IoT" brings a whole new set of problems related to connectivity).
  • Minor non conformity


    Answer: Yes. A minor non conformity does not represent a failure in the Information Security Management System with enough severity to prevent an organization from marketing/advertising that it is certified. But you should ensure its treatment is effective and within the agreed deadline, because failure to treat a minor non conformity can lead to a major non conformity which, depending on the circumstances, can prevent an organization from marketing/advertising that it is certified.

    These articles will provide you further explanation about minor non conformities:
    - Major vs. minor nonconformities in the certification audit https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/
    - ISO 27001 Certification: What’s next after receiving the audit report?

    This material will also help you regarding minor non conformities:
    - Preparing for ISO Certification Audit: A Plain English Guide https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/
  • Gap Analysis AS9100 Rev C vs Rev D


    Answer provided:

    Unfortunately, I do not have a Gap Analysis for the changes from AS9100 Rev C vs Rev D, however, a good place to start is with our free whitepaper “AS9100 Twelve-step transition process from Rev C to Rev D” (https://info.advisera.com/9100academy/free-download/as9100-twelve-step-transition-process-from-rev-c-to-rev-d). The changes are also highlighted in our AS9100 Rev D Transition Toolkit (https://advisera.com/9100academy/as9100-rev-d-transition-toolkit/) to make it easy to see what needs to change.
  • Internal Audit Impartiality


    Answer given:
    The requirement for selecting auditors is that you ensure “objectivity and the impartiality of the audit process”. In general, if you can show that the person you have chosen meets these requirements then this is acceptable. A few rules of thumb are that an auditor should never audit their own work, and any person who could be affected by the audit should not audit that area (such as a manager who would need to deal with the corrective actions that were found).
  • Key performance indicators


    Answer:

    Without any previous experience of working with such a specific organization as a maritime training institution like yours, I would consider your relevant interested parties (clause 4.2) as a starting point: for whom does your organization work? It works for the government, it works for seafarers, it works for seafarers' employers, and it needs trainers.

    For each interested party, can you determine one or more goals that measure performance against one or more of their relevant requirements? For example, the government can appreciate the number of seafarers trained and the meeting of the financial budget. Seafarers can appreciate good teachers and recognition of the school by would-be employers. Seafarers' employers can appreciate the quality of your students. Teachers can appreciate the quality of incoming students, the school working environment and the materials available.

    These materials will provide you with details on performance indicators:

    • article - How to Write Good Quality Objectives - https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
    • article - Monitoring and Measurement: The basis for evidence-based decisions https://advisera.com/9001academy/blog/2020/09/21/how-to-perform-monitoring-and-measurement-according-to-iso-9001/
    • free online training - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Changes and relation to DR plan


    Answer:
    In order to avoid changes having a negative impact on Disaster Recovery (DR), the Change Management process should be set up in the following way:
    1. Changes that affect DR should not be authorized without the involvement of the DR Manager (or, according to ITIL, the IT Service Continuity Manager). How to do that: since e.g. minor changes are authorized by the Change Manager, he should be involved in the DR plan and concept (or environment, as stated in the question).
    2. The IT Service Continuity Manager (ITSCM) should be a member of the Change Advisory Board (CAB). In this way, it will be ensured that no significant changes are authorized without approval from the ITSCM, i.e. DR.

    To learn more, see the articles:
    "Change Advisory Board in ITIL – advise, approve or what?" https://advisera.com/20000academy/knowledgebase/change-advisory-board-itil-advise-approve/
    "IT Service Continuity Plan – Why do you need it?" https://advisera.com/20000academy/blog/2017/05/02/it-service-continuity-plan-why-do-you-need-it/
  • Controls implementation


    While we think this is a good recommendation and would like to implement it later, we would like to defer it during our Stage 1 and Stage 2 audits. The reason not to implement it initially is that getting all departments on board with this and all documents updated is going to be a huge effort, and the 4th quarter is a stressful time of the year for our business. Our stage 1 audit is at the end of November.

    Will we get a non-conformity, especially a major one, if we elect not to incorporate this in our SOA for the aforementioned reason?

    Answer: You can leave some of the controls to be implemented after the audit under the following conditions:
    1) That you have implemented before the audit the controls that mitigate the biggest risks – in other words, you can leave only less important controls for after the audit
    2) That you have specified the deadlines for the controls that you will be implementing after the audit in your Risk Treatment Plan – of course, those deadlines must be after the audit date
    3) That your risk owners or top management accept all the risks for which controls have not been implemented before the audit

    This means that the most important controls must have "implemented" status at the audit, while the less important controls can have status "planned" or "partially implemented" at the moment of the audit. Of course, for controls with status "partially implemented" you have to keep evidence of the activities already performed regarding the implementation (the auditor won't audit the control, but he will verify whether the implementation plan is being executed).

    This material will also help you regarding controls implementation:
    - Preparations for the ISO Implementation Project: A Plain English Guide https://advisera.com/books/preparations-for-the-iso-implementation-project-a-plain-english-guide/
  • Risk Mitigation Options

    We received this question:

    I tried to find the paragraph in ISO 27001, but can't find it there – can you include that in the web answer?

    Answer: Sorry for this confusion. I understand now that you are referring to ISO 27001 content, and not to our toolkit's content.

    In fact, ISO 27001 does not define risk treatment options; it only requires that the organization selects appropriate options taking into account the risk assessment results (clause 6.1.3 a)). The standard was designed this way so the organization has the flexibility to choose the options most relevant to its context.

    However, the standard includes a note stating that its information security risk assessment and treatment process is aligned with ISO 31000, the ISO standard for risk management. In that standard you can find information about risk treatment options (in section 5.5.1), as well as in ISO 27005 (Information security risk management), section 9.

    The 4 risk treatment options in our toolkit are part of the suggested options in ISO 31000 and ISO 27005, and they are the most commonly used. You can see details about them in the article I mentioned in my previous response.