Search results


  • SoA and Risk Treatment Plan

    Thanks for the advice; I thought that was the case.
  • Documents to be reviewed during stage 1 audit


    Answer:

    The Stage 1 audit is often called a ‘documentation review’ audit because the auditor will review your documentation to establish whether it is in line with the requirements of the standard. This stage is more of a ‘reconnaissance’ audit, or a ‘pre-assessment’, whereby the auditor does a high-level review of your management system and establishes whether the internal audit programme is in place.

    Stage 1 is completed on-site to determine whether your management system has met the minimum requirements of the standard and is ready for a certification audit. The auditor will point out any areas of nonconformity and potential improvements of the management system.

    Documents to be reviewed during this stage of the audit are all the documents that belong to the scope of your management system; this includes documents required by the standard itself and the ones that the organization determined as necessary for effective maintenance of the management system.

    For more information, see: List of ISO 14001 implementation steps https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/list-of-iso-14001-implementation-steps/
  • Information security on project management


    Answer: Unfortunately we do not have a template or tool covering specifically Information Security in Project Management, but there are many similarities with implementing an ISMS that you can use to drive the implementation of this control in a specific project:

    1 - You have to define information security objectives and include them in the project objectives, the same way you define information security objectives for an ISMS aligned with the organization's objectives; the only difference is that these objectives are restricted to the scope of the project
    2 - You have to perform, at the beginning and periodically, information risk assessments in the project, like you would do with other business processes, to identify necessary controls
    3 - You have to ensure that information security practices are part of all phases of the project (e.g., from the issue of the project charter to project closing)

    In short, you can think of the inclusion of information security in project management as if you are going to implement a small ISMS that will fit the project's needs and will be proportional to the project's lifetime and budget.

    Considering this, I suggest you take a look at the free demo of our Risk Assessment Toolkit (https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/), and our online tool, Conformio (https://advisera.com/conformio/), since they can be used in the scope of a project to ensure information security is properly implemented and managed.

    This article will provide you further explanation about Information security in project management:
    - How to manage security in project management according to ISO 27001 A.6.1.5 https://advisera.com/27001academy/what-is-iso-27001/

    This material will also help you regarding information security in project management:
    - Preparations for the ISO Implementation Project: A Plain English Guide https://advisera.com/books/preparations-for-the-iso-implementation-project-a-plain-english-guide/
  • Certificates for Asia Pacific and EU regions


    Answer: For cloud services and datacenters you can consider certificates based on ISO management standards like:
    - ISO 27001 (information security): https://www.iso.org/standard/54534.html
    - ISO 22301 (business continuity): https://www.iso.org/standard/50038.html

    Additionally, there are other standards that can support the implementation of security controls, like:
    - ISO 27017 (security controls for cloud services): https://www.iso.org/standard/43757.html
    - ISO 27018 (cloud privacy protection): https://www.iso.org/standard/61498.html

    I advise you to look for a legal expert to provide information about related laws, standards and regulations in these regions, because these are the main sources that motivate the development and adoption of certificates.

    Here you can see reference for some legislation regarding these regions:
    - Laws and regulations on information security and business continuity https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/
    This material will provide you further explanation about the above mentioned standards:
    - What is ISO 27001? https://advisera.com/27001academy/what-is-iso-27001/
    - What is ISO 22301? https://advisera.com/27001academy/knowledgebase/what-is-iso-22301/
    - ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
    - ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/
  • Proactive vs. reactive Problem Management


    Answer:
    Most probably the question is about proactive and reactive Problem management.

    Reactive Problem Management is a reaction to a created Problem Record, usually based on an incident. So, Problem Management is triggered to do something (find the root cause of one or more incidents).
    On the other side, Proactive Problem Management is usually carried out in the scope of Continual Service Improvement and means: "let's see if we can find some common pattern in incident/problem history in order to prevent future incidents".

    Read the article "ITIL Reactive and Proactive Problem Management: Two sides of the same coin" https://advisera.com/20000academy/knowledgebase/itil-reactive-proactive-problem-management-two-sides-coin/ to learn more.
  • Incident vs. problem management


    Answer:
    The aim of Incident management is to enable the user to use agreed services as soon as possible. This sometimes means implementing temporary fixes (i.e. workarounds).
    On the other side, the goal of Problem management is to prevent incidents by finding the root cause of one or more incidents.
    Read these articles to find out more about these processes:
    "Incident Management in ITIL – solid foundations of operational processes" https://advisera.com/20000academy/blog/2013/05/21/incident-management-itil-solid-foundations-operational-processes/
    "ITIL Incident Management" https://advisera.com/20000academy/knowledgebase/itil/-incident-management/
    "ITIL and ISO 20000 Problem Management – Organizing for problem resolution" https://advisera.com/20000academy/blog/2014/07/29/itil-iso-20000-problem-management-organizing-problem-resolution/
    "ITIL Problem Management: getting rid of problems" https://advisera.com/20000academy/blog/2013/08/05/itil-problem-management-getting-rid-problems/
  • BCM Templates vs BCM Software


    Answer: Some pros and cons we can mention are:

    - Software tools are more expensive, but provide you with more control and management capabilities, like access control and searching functionalities.
    - Templates are cheaper and more adequate to work with non-structured information (like policies text), but they are less efficient and effective in large environments.

    This article will provide you further explanation about tools selection:
    - When to use tools for ISO 27001/ISO 22301 and when to avoid them https://advisera.com/conformio/blog/2021/06/24/toolkit-vs-conformio-which-is-more-applicable-for-my-company/
  • Incident vs accident

    As far as my 'limited' understanding goes, OSHA is now using only the phrase accident as description for the impact phase. The phrase "incident" now refers to near miss incidents.
    However, accident, in my opinion, refers to something that could not be prevented, like an act of God so to speak; an incident refers to a preventable loss after the contact phase.
    Is it at all possible for you to provide clarity on this?

    Answer:

    As defined by OHSAS 18001, "incident is work-related event in which an injury or ill health (regardless of severity) or fatality occurred, or could have occurred". On the other hand, "An accident is an incident which has given rise to injury, ill health or fatality". As we can see from the definitions, the terms incident and accident are not limited to "act of God" events and cover any event related to injuries or ill health.

    For more information, see: How to be prepared for a health and safety incident https://advisera.com/18001academy/blog/2016/12/21/how-to-be-prepared-for-a-health-and-safety-incident/
  • Scope of ISO 9001 vs scope of QMS


    Answer:

    In the text of ISO 9001:2015 there are two sections explaining scopes. Clause 1 Scope explains the scope of the standard itself, its applicability to any type of organization regardless of the type, size and products and services it provides. This clause does not contain any requirements for QMS.

    On the other hand, clause 4.3 Determining the scope of the quality management system defines requirements for the organization to determine and document the scope of its QMS (Quality Management System), as well as the requirements of what the scope statement should include (i.e., products and services being covered by the scope).

    For more information, see: How to define the scope of the QMS according to ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
  • Documenting clauses 4 and 5 without Quality Manual


    Answer:

    Clauses 4 and 5 do not have so many requirements for documentation. If the organization doesn't have the need to document them beyond the requirements of the standard, it can only create a document about the scope of the QMS (Quality Management System), where it will define the scope and the exclusions, and the Quality Policy, which is the only requirement for documentation in clause 5.

    Also, the fact that the manual is no longer a mandatory document doesn't mean that it is forbidden. If the organization finds it useful for its QMS, it can keep it as a part of the documentation.

    For more information, see: New approach to document and record control in ISO 9001:2015 https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/