  • Keeping records for certification audit


    Answer:

    If the organization has implemented the standard for the first time, the records should be kept from the moment when the standard was implemented and the documents and records are approved. It wouldn't be reasonable to expect organizations to keep documents required by the standard, or to be compliant with the standard, before the implementation.
  • Uncontrolled Copy and New Issues in ISO 9001 2015

    So, there will be no more unreasonable and conflicting findings on each assessment. Regards, sfroel
  • Continual improvement

    Continual improvement is carried out through the objectives set by top management. At a minimum, the quality objectives must address:
    - Improvement of internal efficiency
    - The requirements of individual customers
    - The level of performance that your market sector expects

    Every improvement requires a commitment of resources, which will be prioritized by top management, especially if an investment is needed.

    Opportunities for improvement are obtained from the following sources:
    - Customer satisfaction
    - Customer complaints and feedback
    - Market research and analysis
    - Input from employees, suppliers and other interested parties
    - Internal and external audits of the quality system
    - Records of product or process nonconformities
    - Data and characteristics of processes and products, as well as their trends

    The continual improvement process is a requirement that does not have to be documented. However, implementing a procedure for continual improvement is appropriate for most businesses.
  • BS EN ISO IEC 27001 2017


    https://www.bsigroup.com/en-GB/iso-27001-information-security/BS-EN-ISO-IEC-27001-2017/

    Info is from this website, plus there are others referring to it.

    Answer: The change was only in the presentation form of clause 6.1.3 d), related to the Statement of Applicability, and does not include any new requirements. You can see the ISO TECHNICAL CORRIGENDUM 2, which defined this change, released on 2015-DEC-01, at this link: https://www.iso.org/obp/ui/#iso:std:iso-iec:27001:ed-2:v1:cor:2:v1:en

    Former text: "d) produce a Statement of Applicability that contains the necessary controls (see 6.1.3 b) and c)) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A;"

    New text: "d) produce a Statement of Applicability that contains:
    - the necessary controls (see 6.1.3 b) and c));
    - justification for their inclusion;
    - whether the necessary controls are implemented or not; and
    - the justification for excluding any of the Annex A controls."
  • Identifying threats and vulnerabilities


    Answer: I'm assuming you are talking about the article "ISO 27001 risk assessment: How to match assets, threats and vulnerabilities" (https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/). That said, technically there is no difference whether you start by identifying threats or vulnerabilities first (this choice basically depends on which element you know best considering your context). However, in operational terms, the best approach is to identify the vulnerabilities first, since they are easier to confirm (the assets and controls that may have them are under your management). In the case of threats, especially those external to your organization, you will not always have enough information to confirm whether they are applicable.

    This material will also help you regarding threats and vulnerabilities:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
  • Roles and responsibilities in incident management


    Answer: There is no specific template, or section in the templates, covering the definition of roles and responsibilities because these are described all along the documents. Please note that any time that there is an action to be performed there is also an associated field called [job title], or similar, identifying who should be responsible for that.
  • Selection of internal auditors

    Our institution is in the process of implementing NTP-ISO/IEC 27001:2014 (the Peruvian Technical Standard that adopted ISO 27001:2013).
    We have an implementation committee (which is carrying out the implementation) and we are in the verification phase of the implemented controls.
    My question is whether we should carry out the internal audits ourselves or whether external staff specialized in the subject should do them.

    Answer: According to ISO 27001, clause 9.2 e), to select internal auditors you only have to ensure the objectivity and impartiality of the audit process, and to do this you can use either external staff or the organization's own staff who are not directly involved in the process being audited (an auditor should not audit his own work).

    These articles will provide you further explanation about Selection of internal auditors:
    - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
    - Qualifications for an ISO 27001 Internal Auditor https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/
    - Dilemmas with ISO 27001 & BS 25999-2 internal auditors https://advisera.com/27001academy/blog/2010/03/22/dilemmas-with-iso-27001-bs-25999-2-internal-auditors/

    These materials will also help you regarding Selection of internal auditors:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Lead auditor certification requirements


    Answer: No. The required hours of observation for ISO 27001 Lead Auditor certification must be related to ISO 27001 audits.

    These articles will provide you further explanation about becoming an ISO 27001 Lead Auditor:
    - How to become ISO 27001 Lead Auditor https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/

    This material will also help you regarding becoming an ISO 27001 Lead Auditor:
    - ISO 27001 Lead Auditor Course preparation training [free webinar on demand] https://advisera.com/training/iso-27001-lead-auditor-course/
  • Documenting actions to address risks and opportunities


    Answer:

    ISO 9001:2015 does not require action plans for addressing risks and opportunities and it is not required for the actions or their planning to be documented.

    All the standard requires is to identify risks and opportunities and plan actions to address them; it doesn't require any document to be created. However, it is usual to make some records about risks and opportunities and the actions for addressing them, simply because it is easier to monitor the accomplishment of the actions and their effectiveness.

    On the grounds of documenting risks and opportunities or actions for addressing them, a certification auditor can only issue you recommendations; he or she cannot issue you a nonconformity.

    For more information, see: How to address risks and opportunities in ISO 9001 https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
  • Problem analysis techniques


    Answer:
    These techniques are related to problem analysis. There are many techniques, and the usual ones (besides the mentioned pain value analysis, Pareto and Kepner-Tregoe) are:
    - chronological analysis
    - brainstorming
    - 5-whys
    - fault isolation
    - affinity mapping
    - hypothesis testing
    - technical observation post
    - Ishikawa diagrams

    Also, the article "ITIL and ISO 20000 Problem Management – Organizing for problem resolution" https://advisera.com/20000academy/blog/2014/07/29/itil-iso-20000-problem-management-organizing-problem-resolution/ can help you.