Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11272 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Threats and small organizations
Answer: Basically, all organizations are exposed to the same types of threats, but due to their size, more limited resources, and sometimes misconceptions, these are some threats that are more relevant:
- Unauthorized physical access
- Malicious code
- Access to the network by unauthorized persons
- Unauthorized installation of software
- Unpatched software
This article will provide you further explanation about threats:
- Catalogue of threats & vulnerabilities https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/
This material will also help you regarding threats:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/ -
Business continuity objectives
Answer: Sure. Examples of business continuity objectives may be:
- Comply with xyz law/regulation by December 31, 2017, using ISO 22301 methodology
- Enter a new market in the next 12 months because of the ISO 22301 certificate
- During 2017, improve our recovery time by 12 hours while not incurring new costs.
This article will provide you further explanation about business continuity objectives:
- Setting the business continuity objectives in ISO 22301 https://advisera.com/27001academy/blog/2014/02/17/setting-the-business-continuity-objectives-in-iso-22301/
This material will also help you regarding business continuity objectives:
- Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/ -
AS9100D clause 8.4.2.d
We have been discussing a very interesting topic in the standard clause 8.4.2.d especially where the test reports need to be verified to confirm meets requirements. If we are REQUIRED to comply this will definitely not be able to due to the very expensive cost of verifying the plastic material we purchase for our Aerospace customers.
Are we misinterpreting this requirement or is there a less costly method to comply?"
Answer given:
Edward,
The actual wording of clause 8.4.2 d is "The organisation shall determine the verification, or other activities, necessary to ensure that the externally provided processes, products and service meet requirements." This is in regard to the type and extent of control that you need to place on external providers.
So, the requirement is asking you to determine what activities you will use to verify that you have processes, products and services that meet requirements. In your example, this could mean verification testing of the plastics products you receive, but it could also mean receiving and verifying the material test report from your supplier as a way of verifying that you received the product that meets the requirements. The requirement is not saying you need to verify every material you get, but to identify what activities are necessary.
Just one step further, the next sentence in the AS9100 Rev D standard states that the verification activities are to be performed according tot he risks identified by the organisation, so if you have not identified a risk for this material it would further indicate that extra material testing was not required. -
Examples on various IATF 16949 topics
1. Product safety (clause 4.4.1.2)
Products must be safe and comply when they are available for supply, or 'placed on the market'. This occurs when a manufacturer first makes the product available for further supply or when an importer takes ownership of the goods once they have been cleared by customs.
What is safe is determined by considering all characteristics of the product, how it is presented, the effect that it might have on other products it is likely to be used with and the consumers at risk when using it.
For many product sectors there is specific safety legislation (covering, for example, electrical goods and machinery), which sets out more detailed safety requirements applicable to those products. This legislation generally applies to both consumer and commercial products, but sets out the same safety criteria.
For more information, see: Ensuring product safety according to IATF 16949 https://advisera.com/16949academy/blog/2017/09/20/ensuring-product-safety-according-to-iatf-16949/
2. Confidentiality (8.1.2)
Confidentiality is usually determined by the customer. Some customer may require that documents or processes the organization perform to provide the product are under confidentiality agreement and cannot be presented to other parties.
3. Organization manufacturing feasibility (8.2.3.1.3)
Based on the customer requirements,the organization needs to determine whether it is capable to provide demanded product in therms of quality and quantity. It can be done through validation of manufacturing process, benchmariking studies or other methods.
4. Internal audit programme (9.2.2.1)
The IATF 16949 requirements for the audit program ask that you plan, establish, implement, and maintain an audit program, meaning that you need to have an ongoing program in effect.
The following information should be included in the program:
- Audit frequency
- Audit methods
- Responsibilities
- Requirements for planning
- Criteria for the audit
- Scope of the audit
- Audit reporting
For more information, see: Five Main Steps in an IATF 16949:2016 Internal Audit https://advisera.com/16949academy/knowledgebase/five-main-steps-in-an-iatf-169492016-internal-audit/ -
Organizational knowledge - Clause 7.1.6 of ISO 9001:2015
Answer:
Clause 7.1.6 of ISO 9001:2015 basically has two parts. The first one is about the knowledge necessary for the operation of processes and to get conforming products and services. For each process ask yourself what kind of knowledge each participant in a process need to perform proficiently each activity and to make good decisions.
The second part is about new knowledge to address changing needs and developments in know-how or market conditions, for example. Is like defining a radar of knowledge to watch and monitor in order to discover the new.
• article - How to manage knowledge of the organization according to ISO 9001
• - https://advisera.com/9001academy/blog/2016/08/30/how-to-manage-knowledge-of-the-organization-according-to-the-iso9001/
• - free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/ -
Alternative site and ISO 22301
During the first audit (Gap Analysis) for the standard (22301) it seemed that the alternative site is a must
Answer: No. An alternative site is not mandatory by ISO 22301, but what may happen is that the results of your business impact analysis may point out that your organization should consider it as a strategy to ensure business continuity in specific disaster scenarios.
In cases like these, if your organization decide to not adopt an alternative site as a business continuity strategy it should record this decision and the criteria adopted to support it.
This article will provide you further explanation about alternative sites:
- Business continuity for small businesses – necessity or not? https://advisera.com/27001academy/blog/2011/04/04/business-con tinuity-for-small-businesses-necessity-or-not/
- Disaster recovery site – What is the ideal distance from primary site? https://advisera.com/27001academy/knowledgebase/disaster-recovery-site-what-is-the-ideal-distance-from-primary-site/ -
ISO 22301 scope
“An IT services organisation having contracts with customer for both onshore and Offshore work. The BCP that organisation has is primarily focused on the services being rendered from Offshore sites.” My questions are
1 - Does Onshore work also need to be cover? I have always been of the opinion it should not as service organisation does not have control on resources of Client onsite locations. Please clarify
Answer: According ISO 22301, the decision to include or not a service or process in the business continuity scope is up to the organization, that has to consider:
- its business objectives;
- legal requirements and contracts it has to fulfil;
- costs involved in implementing business continuity;
- potential losses related to disruptive events; and
- that any exclusion made will not affect the organization's ability and responsibility to ensure business and operations continuity.
So, if after considering all these issues you find no reason to include your Onshore work op eration on the BCMS scope, it does not need to be covered by the business continuity management system,
2 - When client facility or network not available there is a possibility of Service organisation losing revenue due to the disaster at Client location. This has billing impact on service organisation. What is the way forward for such situation?
Answer: If I understood well, you're asking what kind of business continuity strategy to develop if your client has a disruption - since you are completely dependent on this client in such case, the best strategy is not to have only a few big clients, but several smaller clients. That way you will decrease the risk of drop in revenue if one client is affected by a disaster. -
Controls selection
Answer: Considering your example the ISO 27001 controls that you should consider are:
- Control A.9.3.1 Use of secret authentication information (this control provides orientation on how to store secret authentication information)
- Control 9.2.3 Management of privileged access rights (this control provides orientation on how secret authentication information should be maintained when shared)
Both controls can help you to treat the mentioned risk.
This material will also help you regarding ISO 27001 controls:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/ -
ISO27005 Threats & Vulnerabilities
Thanks but I was referring to the actual threat 'events' in the threat & vulnerability catalogue, i.e. is there a definition anywhere of what constitutes the difference between for example 'unauthorised access to info systems' opposed to 'access to network by unauthorised persons' or 'info leakage' opposed to 'disclosure of info' etc., etc. -
Information security personal development
Answer: I suggest you to explore the following resources of 27001 Academy:
- Webinars about ISO 27001 implementation, audit, integration with other standards (e.g., with ISO 9001 or ISO 20000): https://advisera.com/27001academy/webinars/
- Blog articles about controls application, challenges in implementation, etc.: https://advisera.com/27001academy/blog/
- White papers: a more detailed written approach of topics presented on blog articles: https://advisera.com/27001academy/free-downloads/
- Book: Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
Additionally, this material will present you some other links to external blogs that can also provide useful information to improve your knowledge ab out information security:
- Top 10 information security bloggers in 2014 https://advisera.com/27001academy/blog/2014/12/17/top-10-information-security-bloggers-in-2014/
- Top 10 information security blogs https://advisera.com/27001academy/blog/2012/05/07/top-10-information-security-blogs/
2 - Would you also be able to point me to organizations that may be looking for trainee ISO 27001 auditors to help me acquire the experience I need to become certified?
Answer: Unfortunately that's a difficult question to provide you an answer, because most of the main certification bodies already have their auditors, and always there are more people looking for opportunities than openings for new auditors.