Answer: Yes. Now that you have identified which risks are to be treated, you have to define with the risk owners the deadlines and required resources, and get the complete risk treatment plan approved by top management.
2- Should everything be done before we get certified? For example, if we want to get certified during summer 2018, should all deadlines in the Risk Treatment Plan be set before that?
Answer: No. You can leave some of the controls for the implementation for after the certification under the following conditions:
1) That you have implemented before the certification the controls that mitigate the biggest risks – in other words, you can leave only less important controls for after the certification.
2) That you have specified the deadlines for the controls that you will be implementing after the certification in your Risk Treatment Plan – of course, those deadlines must be after the certification date.
3) That your risk owners or top management accept all the risks for which controls have not been implemented before the certification.
This means that the most important controls must have "implemented" status at the certification, while the less important controls can have status "planned" or "partially implemented" at the moment of the certification. Of course, for controls with status "partially implemented" you have to keep evidence of activities already performed regarding the implementation (the certification auditor won't audit the control, but he will verify if the implementation plan is being executed).
Included in the toolkit you bought you have access to video tutorials that can help you with the risk assessment and treatment process.
Opportunities in ISO 9001
In particular, in the case of the pharmaceutical industry, what could they be?
Or where can I find material on the subject.
My answer:
ISO 9001:2015 requires the organization to determine and select opportunities for improvement and to implement the necessary actions to meet customer requirements and thereby increase customer satisfaction.
These should include:
a) improving products and services to meet requirements as well as to address future needs and expectations;
b) correcting, preventing or reducing undesired effects;
c) improving the performance and effectiveness of the quality management system.
Opportunities can lead to the adoption of new practices, the launch of new products, the opening of new markets, the creation of partnerships, the use of new technology and other desirable and viable possibilities to address the needs of the organization or of its customers.
For more information, see the following articles:
Considering the requirements of the standard related to risks and opportunities, it is hard to find nonconformities related to addressing risks and opportunities. You need to focus on the risks and opportunities related to the effectiveness of the QMS, product or service conformity and customer satisfaction. The fire extinguisher you mentioned belongs to occupational health and safety risks and it is not part of the QMS risks.
You need to see how they identify risks and opportunities, whether they have a record about risks and opportunities and, most importantly, whether they have taken actions to address risks and opportunities. Since the standard doesn't require any record, the best way to look for evidence of whether actions are taken and whether they were effective is the record of the management review. The organization probably produced some records about the risks and opportunities, but the technique that you will have to rely on the most is the interview with the top management.
Corrective action is taken when there is some nonconformity in the product, process or the QMS (Quality Management System) itself. The purpose of the preventive action is to resolve the cause of the nonconformity and prevent it from recurring.
Preventive action is taken when there is no nonconformity but there is a high chance of nonconformity, or the organization wants to take actions to improve the processes or the QMS. The purpose of the preventive action is to prevent nonconformity from occurring in the first place and to improve the QMS. In the new version of the standard, preventive actions are replaced with actions to address risks and opportunities.
Answer: External documents are any documents not owned or controlled by an organization that are required for its operation, either mandatory or voluntarily adopted. Examples of external documents to be controlled are laws (e.g., SOX and EU GDPR), standards and regulations (e.g., ISO 27001 itself).
Answer: In approximately 2 months from now we will launch the EU GDPR Toolkit, which will contain checklists and all other documentation required to ensure compliance with EU GDPR, including templates to help with DPIA.
ISO 27001 and business continuity
Answer: ISO 27001 aspects on the business continuity process (section A.17 of ISO 27001 Annex A) are related to ensuring the availability of information and information systems during either crisis or disaster situations. So while ISO 22301 has a holistic view of business continuity (as you pointed out), ISO 27001 focuses on the information aspects of business continuity.
2 - Do you have a 1-day programme or course outline and notes or pointers for self-study on the topic of Understanding & applying ISO 22301 the faster or easy way? If you do, would it be possible that you email it to me, as I would like to know the process thoughts.
Answer: First, let's start with the relation between them. According to ISO 27000 (Overview and vocabulary), a threat is a potential cause of an incident, something that can harm an organization, system or asset (e.g., fire, malicious software, industrial espionage, etc.). A vulnerability is a weakness in an element (e.g., an asset or control) that can be exploited by one or more threats (e.g., lack of training, careless software development, etc.). So, they are separate things, and if one has a high value it does not mean the other will automatically have a high value too.
Regarding how to evaluate threat and vulnerability values, some commonly used criteria are:
- Threats: how many vulnerabilities it can exploit, how easy it is to use, how many resources it requires.
- Vulnerabilities: how well they are known, how easily they can be exploited, how easily they can be accessed by an attacker.
A process sheet or process characterization refers to the same concept and can be considered supporting information intended to include those characteristics relevant to the control of the activities defined in the process map as well as to process management.
The information included in a process sheet can vary and must be decided by the organization. It must also contain the information needed to enable management of the process.
The following items can be considered relevant to process management, and a company can decide whether to include them in the process sheet:
- Mission and purpose
- Process owner
- Process scope
- Process indicators
- Resources
These materials can help you with ISO 9001 documentation: