
  • Audit of outsourced service


    Answer: For auditing an outsourced service like Office 365, you should use the terms of service for the provision of the service as your reference. In these terms of service you should look for clauses referring to how the access control to the service (in this case, the email service) will be implemented and how the provider will demonstrate to the customer that the control is implemented and working properly.

    From this point you can ask for evidence of how the access control is implemented and how it is being verified and evaluated, either by the provider (e.g., by means of an internal or external audit of the provider's premises) or by the organization (e.g., through a review of audit reports sent by the provider to the person responsible for the service in your organization).

    You should also note that your company still needs to audit its own process for access control and assess whether the activities are compliant with your organization's own Access control policy.

    This article will provide you further explanation about access control policy:
    - How to handle access control according to ISO 27001 https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/

    This article will provide you further explanation about internal audit:
    - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

    This material will also help you regarding internal audit:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
  • Standard change


    Answer:
    There are (many) different kinds of changes which are considered standard changes. Usually, each one of them has a separate procedure for how to fulfil it. In order to have an efficient Standard Change Management process in place, you need to have the following:
    1. A clearly defined procedure - usually defined by the Change Manager or someone from Technical Management. This also includes triggers, i.e. how to initiate that procedure (and who is allowed to do that)
    2. Responsibilities - i.e. who is doing what
    3. A clearly communicated procedure to all relevant/involved parties

    Following article can help you with this issue:
    "Tips and tricks for using the ITIL standard change mechanism" https://advisera.com/20000academy/blog/2017/06/27/tips-and-tricks-for-using-the-itil-standard-change-mechanism/
  • Clause 4 in ISO 9001:2015 and AS9100 Rev D


    Answer:
    Much of clause 4 is new to ISO 9001 and was not present in the ISO 9001:2008 version. In particular:
    4.1 is about understanding the organisation and its context. This requires you to determine what internal and external issues affect your QMS and is new.
    4.2 is about understanding the needs and expectations of interested parties. This requires you to identify the parties interested in your QMS and what their needs and expectations are, and is also new.
    4.3 is about the scope of the QMS and while this is not new it does require you to consider the scope with the knowledge from 4.1 & 4.2; so a review of the scope is a good idea.
    4.4 is about understanding the processes in the QMS. This is very similar to the previous version with the addition of a few things such as addressing the risks and opportunities for the processes.

    While 4.1 & 4.2 do not require you to keep documented information, it is a good idea to keep your listing of issues, interested parties and their needs so that you can review it for updates as time goes on. A procedure on how you accomplish this might also be needed so that everyone understands how you intend to perform these reviews.
  • ISO 27001 personal certifications - where to start?


    Answer: There are several different ISO 27001 personal certifications available, and you have to choose what is the most appropriate for you:
    - ISO 27001 Foundations Course - this is where you learn the basics of the standard, probably the best way to start as a beginner
    - ISO 27001 Internal Auditor Course - this is for becoming the internal auditor
    - ISO 27001 Lead Auditor Course - this is for becoming the certification auditor
    - ISO 27001 Lead Implementer Course - this is for becoming a consultant or an implementer in your own company.

    These materials will help you:
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - Free online training ISO 27001 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
    - What does ISO 27001 Lead Auditor training look like? http://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
    - What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
  • Positive significant aspects

    Recycling is the operational control for a significant environmental aspect, e.g. plastics, metal, paper waste. Therefore the recycling itself cannot be considered as a positive or any other kind of environmental aspect, since it is an operational control over some environmental aspect.

    For more information, see: 4 steps in identification and evaluation of environmental aspects https://advisera.com/14001academy/knowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/
  • CAB and ECAB members


    Answer:
    Generally, you can do that, but practically it's not an approach I'd advise. Namely, ECAB needs rushed action and quick decisions, and does not have time to wait for a (usually regular) meeting, long discussions (which usually happen when you have too big a group of people), brainstorming, test result analysis, etc.
    Most of these activities are, in some form, typical for the CAB (Change Advisory Board, i.e. the authorizing body for normal changes). ECAB needs a different approach, so therefore I think you need a different approach.

    These articles can help you:
    "How to manage Emergency Changes as part of ITIL Change Management" https://advisera.com/20000academy/blog/2016/01/19/how-to-manage-emergency-changes-as-part-of-itil-change-management/
    "Change Advisory Board in ITIL – advise, approve or what?" https://advisera.com/20000academy/knowledgebase/change-advisory-board-itil-advise-approve/
  • Residual Risk and UAT


    Answer: The residual risk does not change from the original identified risk if an organization decides not to mitigate, avoid or transfer the risk (this option is called "retain the risk"). Depending upon the organization's context, there can be many risks related to not performing User Acceptance Testing, like:
    - Functionality does not work or does not fulfil the user's requirements in the live environment.
    - The user's requirements are fulfilled but the output is not what is expected (information integrity problem) (may mean improper specification definition)

    For both, the major impact is that the system probably will not be accepted by the client.

    This article will provide you further explanation about risk treatment options:
    - 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/

    This article will provide you further explanation about system testing:
    - How to set security requirements and test systems according to ISO 27001 https://advisera.com/27001academy/blog/2016/01/11/how-to-set-security-requirements-and-test-systems-according-to-iso-27001/
  • ISO 27001 Internal Auditor recertification


    Answer: You only have to seek recertification regarding an ISO 27001 Internal Auditor course when a new version of the standard is released, because in that case you need to update your knowledge about the standard.
  • Employees Security Vs. Product Security in IATF 1699

    We should make sure all those requirements are covered, and we are nearly sure that the jobs are done, but a small question: what was the focus of the standard on this keyword when they listed items a) to m)?
    What would be the meaning of product security over here? In our terms, it would be about everything that could influence the final function of the product, which might affect end-user security either over the product's lifetime or during its assembly processes.
    Although we discussed this and referred to different types of sources, we still aren't totally sure which one is correct and which one isn't.

    Again, what is the exact meaning of product security, and which direction will it lead us in?

    Answer:

    Product safety is the ability of a product to be safe for intended use, as determined when evaluated against a set of established rules. Employee security or safety is related to occupational health and safety, and product safety is related to consumer safety when using the product.

    Regarding product safety, the standard requires the organization to identify statutory and regulatory requirements as well as customer requirements regarding product safety, safety-related characteristics of the product, and controls of safety-related characteristics of the product at the point of manufacture. It also requires the organization to conduct Design FMEA, to have special approval of control plans and process FMEAs, reaction plans and many other requirements. Meeting all requirements regarding product safety is in no way related to employee safety.
  • Reviewing processes


    Answer:

    By "reviewing" I assume you meant "monitoring". In order to determine whether the process is really delivering what you are expecting from it, you need to determine some Key Performance Indicators (KPIs). The frequency of monitoring and measuring of the KPIs will depend on the nature of the KPI and also on the risks related to the processes. For more information, see: How to define Key Performance Indicators for a QMS based on ISO 9001 https://advisera.com/9001academy/24/define-key-performance-indicators-qms-based-iso-9001/-iso-9001/

    Also, if you want to ensure that the process is carried out as planned, you need to perform internal audits of the processes. The purpose of the internal audit is to determine whether the process is carried out in compliance with the requirements of the standard and the procedures you've defined. At minimum, an internal audit should be performed once a year, but for more complex processes or processes where nonconformity is more likely to occur, internal audits can be done more frequently.