
  • ISO 27001 controls validation


    Answer: To start with your validation of controls, I suggest you start with our free ISO 27001 Gap Analysis Tool (https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/). This tool can provide you with a quick overview of how much of ISO 27001 you have implemented so far (both management requirements and controls).

    For a more formal and systematic approach, I suggest you take a look at the free demo of our ISO 27001/ISO 22301 Internal Audit Toolkit (https://advisera.com/27001academy/iso-27001-22301-internal-audit-documentation-toolkit/). This toolkit is composed of the following documents: Internal Audit Checklist, Procedure for Internal Audit, Annual Internal Audit Program, and Internal Audit Report, and will help you to plan, perform and document the results of an internal audit compliant with ISO 27001.

    These articles will provide you with further explanation about internal audit:
    - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
    - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

    These materials will also help you regarding internal audit:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
  • Developing design and development procedure


    Answer:

    The procedure should explain the process of design and development. The level of detail will depend on the competency of the people involved in the design and development process. The more competent they are, the less information is needed in the procedure.

    The design and development procedure should cover the following topics:
    - Design and development planning
    - Design and development inputs
    - Design and development controls
    - Design and development outputs
    - Change management in the design and development process

    For more information, see: 7 steps in writing QMS policies and procedures for ISO 9001 https://advisera.com/9001academy/blog/2015/03/10/7-steps-in-writing-qms-policies-and-procedures-for-iso-9001/

    Also, you can download a free preview of our Procedure for Design and Development: https://advisera.com/9001academy/documentation/procedure-design-development/

    These materials will also help you regarding the design and development procedure:
    - Book Discover ISO 9001:2015 Through Practical Examples https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free online training ISO 9001:2015 Foundations Course https://advisera.com/training/iso-9001-foundations-course/
    - Conformio (online tool for ISO 9001) https://advisera.com/conformio/
  • Special approval of FMEA for product safety


    Answer:

    Special approval means that your FMEA assessment is approved by your customer. This applies, of course, only if the customer requires your organization to send them FMEAs for approval. The standard itself says "if applicable" for this requirement, so if the customer doesn't require approving your FMEAs, your current FMEAs are sufficient to meet the standard's requirements.

    For more information, see: Ensuring product safety according to IATF 16949 https://advisera.com/16949academy/blog/2017/09/20/ensuring-product-safety-according-to-iatf-16949/
  • Information security policy content

    We received this question:

    >I have another question: in the Information Security Policy we mention that the controls implemented are listed in the Statement of Applicability. Thus, users will ask questions about it, e.g. what the SoA is, how they can access it, etc.
    >
    >What should I tell my end users? Basically I'm just concerned about the things which will not make a lot of sense to them.

    Answer: In my understanding you are making your Information Security Policy unnecessarily complex. Since the ISO 27001 standard does not require an organization to mention the SoA in the information security policy, and you think mentioning it will not make a lot of sense to your users, you should consider not referring to it in the policy.

    This way you will avoid overloading users with information that will not be directly useful to their activities. Remember, users need to see and understand the security policies and procedures that are relevant to their activities.
  • Analysis of external issues

    Sure. Examples of how you can apply PEST analysis to information security are:

    Political: How governments and politicians see and understand information security can define state-wide agendas and impact on regulations and laws applicable to several industries.

    Economic: Which costs and profit opportunities can be related to the adoption of information security practices (in some countries that have to import technology, variations in the currency used to buy assets can heavily affect security decisions).

    Social: Depending on the society's culture, the impact perceived by society due to an information breach can be far greater than the real impact. On the other hand, depending on the culture, the assimilation of security practices can be more difficult (a perception of excessive surveillance and invasion of privacy).

    Technological: The obsolescence of old technologies and the rise of new ones can lead to a complete transformation of security practices (e.g., quantum computation can have a serious impact on cryptographic controls, and the "Internet of Things - IoT" brings a whole new set of problems related to connectivity).
  • Minor nonconformity


    Answer: Yes. A minor nonconformity does not represent a failure in the Information Security Management System severe enough to prevent an organization from marketing/advertising that it is certified. But you should ensure its treatment is effective and within the agreed deadline, because failure to treat a minor nonconformity can lead to a major nonconformity which, depending on the circumstances, can prevent an organization from marketing/advertising that it is certified.

    These articles will provide you with further explanation about minor nonconformities:
    - Major vs. minor nonconformities in the certification audit https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/
    - ISO 27001 Certification: What’s next after receiving the audit report?

    This material will also help you regarding minor nonconformities:
    - Preparing for ISO Certification Audit: A Plain English Guide https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/
  • Gap Analysis AS9100 Rev C vs Rev D


    Answer provided:

    Unfortunately, I do not have a Gap Analysis for the changes from AS9100 Rev C vs Rev D, however, a good place to start is with our free whitepaper “AS9100 Twelve-step transition process from Rev C to Rev D” (https://info.advisera.com/9100academy/free-download/as9100-twelve-step-transition-process-from-rev-c-to-rev-d). The changes are also highlighted in our AS9100 Rev D Transition Toolkit (https://advisera.com/9100academy/as9100-rev-d-transition-toolkit/) to make it easy to see what needs to change.
  • Internal Audit Impartiality


    Answer given:
    The requirement for selecting auditors is that you ensure "objectivity and the impartiality of the audit process". In general, if you can show that the person you have chosen meets these requirements, then this is acceptable. A few rules of thumb are that an auditor should never audit their own work, and any person who could be affected by the audit should not audit that area (such as a manager who would need to deal with the corrective actions that were found).
  • Key performance indicators


    Answer:

    Without any previous experience of working with such a specific organization as a maritime training institution like yours, I would consider your relevant interested parties (clause 4.2) as a starting point: for whom does your organization work? It works for the government, it works for seafarers, it works for seafarers' employers, and it needs trainers.

    For each interested party, can you determine one or more goals that can measure performance against one or more of their relevant requirements? For example, the government can appreciate the number of seafarers trained and the meeting of the financial budget. Seafarers can appreciate good teachers and recognition of the school by would-be employers. Seafarers' employers can appreciate the quality of your students. Teachers can appreciate the quality of incoming students, the school working environment and the materials available.

    These materials will provide you with details on performance indicators:

    • article - How to Write Good Quality Objectives - https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
    • article - Monitoring and Measurement: The basis for evidence-based decisions - https://advisera.com/9001academy/blog/2020/09/21/how-to-perform-monitoring-and-measurement-according-to-iso-9001/
    • free online training - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Changes and relation to DR plan


    Answer:
    In order to avoid changes having a negative impact on Disaster Recovery (DR), the Change Management process should be set up in the following way:
    1. Changes that affect DR should not be authorized without the involvement of the DR Manager (or, according to ITIL, the IT Service Continuity Manager). How to do that: since e.g. minor changes are authorized by the Change Manager, he should be involved in the DR plan and concept (or environment, as stated in the question).
    2. The IT Service Continuity Manager (ITSCM) should be a member of the Change Advisory Board (CAB). In this way, it will be ensured that no significant changes are authorized without approval from the ITSCM, i.e. DR.

    To learn more, see the articles:
    "Change Advisory Board in ITIL – advise, approve or what?" https://advisera.com/20000academy/knowledgebase/change-advisory-board-itil-advise-approve/
    "IT Service Continuity Plan – Why do you need it?" https://advisera.com/20000academy/blog/2017/05/02/it-service-continuity-plan-why-do-you-need-it/