Search results


  • Incident vs accident

    As far as my 'limited' understanding goes, OSHA is now using only the phrase "accident" as a description for the impact phase. The phrase "incident" now refers to near-miss incidents.
    However, in my opinion, "accident" refers to something that could not be prevented, an act of God so to speak, while "incident" refers to a preventable loss after the contact phase.
    Is it at all possible for you to provide clarity on this?

    Answer:

    As defined by OHSAS 18001, an incident is a "work-related event in which an injury or ill health (regardless of severity) or fatality occurred, or could have occurred". On the other hand, "an accident is an incident which has given rise to injury, ill health or fatality". As we can see from the definitions, the terms incident and accident are not limited to "act of God" events and cover any event related to injuries or ill health.

    For more information, see: How to be prepared for a health and safety incident https://advisera.com/18001academy/blog/2016/12/21/how-to-be-prepared-for-a-health-and-safety-incident/
  • Scope of ISO 9001 vs scope of QMS


    Answer:

    In the text of ISO 9001:2015 there are two sections explaining scopes. Clause 1 Scope explains the scope of the standard itself: its applicability to any organization regardless of its type, size, and the products and services it provides. This clause does not contain any requirements for the QMS.

    On the other hand, clause 4.3 Determining the scope of the quality management system defines the requirements for the organization to determine and document the scope of its QMS (Quality Management System), as well as what the scope statement should include (i.e. the products and services covered by the scope).

    For more information, see: How to define the scope of the QMS according to ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
  • Documenting clauses 4 and 5 without Quality Manual


    Answer:

    Clauses 4 and 5 do not have many requirements for documentation. If the organization does not need to document more than the standard requires, it can create only a document about the scope of the QMS (Quality Management System), where it defines the scope and the exclusions, and a Quality Policy, which is the only documentation requirement in clause 5.

    Also, the fact that the manual is no longer a mandatory document doesn't mean that it is forbidden. If the organization finds it useful for its QMS, it can keep it as a part of the documentation.

    For more information, see: New approach to document and record control in ISO 9001:2015 https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
  • ISO 27001 certified organization in EU


    Answer: You can find statistics about ISO certifications on the ISO Survey web page: https://www.iso.org/the-iso-survey.html

    This link contains the detailed files: https://isotc.iso.org/livelink/livelink?func=ll&objId=18808772&objAction=browse&viewType=1
  • Elaborating an asset inventory

    Thanks, this definitely helps. Another question I have is about threats: one of the obvious threats for an information system is "interruption of service". Is it wise to differentiate on the length of the interruption? For instance, "interruption of service for less than 8 hours" and "interruption of service for more than 8 hours", because the first may result in an acceptable risk, whereas the second is unacceptable.
  • Control of outsourcing partner


    Answer:

    The purpose of controlling the outsourcing partner is to ensure that the product or service they deliver is compliant with your requirements. The simplest way of controlling an outsourcing partner is by controlling the quality of the product or service they deliver to your organization, along with the other requirements that you have imposed on them (e.g. deadlines).

    Another way of control is to define the processes and activities that the outsourcing partner needs to perform in order to deliver the product or service, or to perform second-party audits of your provider to ensure that the product or service to be delivered is compliant with your requirements.

    The method and extent of the controls imposed on the outsourcing partner depend on many factors, and the standard only requires the organization to ensure that an externally provided product, process or service is compliant with the requirements of the organization.

    For more information, see: How to control outsourced processes using ISO 9001 https://advisera.com/9001academy/blog/2015/05/05/how-to-control-outsourced-processes-using-iso-9001/
  • Standard for safety in university workshops and lab

    If we want only our Chemical Lab to be certified, not the entire facility on the campus, is this possible?
  • Filling a SoA document


    Answer: ISO 27001 does not require responsibilities to be included in the SoA, so you do not need to include this information because of the standard. Some organizations decide to include this information in the SoA so that it becomes easier for them to identify who is responsible for each control (all the information can be found in a single document). Of course, if you decide on this approach and a control is considered not applicable, then you should leave the field blank.
  • Document control procedure template


    Answer: Yes. You can have a printed version of a document with a higher confidentiality level too.

    The access control of printed information is more difficult to ensure than for electronic versions; that is why the text of section 3.3.2 does not mention the handling of printed versions, but it is only a suggestion.

    The comments in this section explain that if an organization wants to use printed versions of more sensitive information, it only has to adapt the text according to its needs.

    The toolkit you have bought also includes access to video tutorials that explain the document control procedure and can help you customize your document according to your needs.
  • BCP and ISO 27031 standard


    I have all the templates from you for ISO 22301 and have used them a few times, so I am not concerned about their use. I have gone through the ISO 27031 standard and can see the difference, or value added, of this approach for IRBC.

    I would like to know:

    1. How to use ISO 27031; should I use it?

    Answer: I would recommend using ISO 27031, since it can be a valuable reference to check and improve the BC plans for IT, usually called IT disaster recovery plans: its recommendations can show you whether your plans already cover the most common controls and safeguards or whether they need adjustments.

    You can think of the use of ISO 27031 in the same way ISO 27002 is used for ISO 27001, where ISO 27002 provides recommendations and guidelines for the implementation of ISO 27001 Annex A controls.

    2. Do you have documents that show how to use ISO 27031?

    Answer: Specifically for ISO 27031 we do not have such material; however, our DRP template is compatible with 27031.

    3. Having read through the standard, it looks like DRP made smarter.

    Answer: Yes, this is basically what ISO 27031 does, providing recommendations and guidelines for controls and safeguards applicable to IT BC plans.

    4. How do I marry the two?

    Answer: You can consider the use of ISO 27031 in the planning phase of business continuity. After performing the BIA and defining RTOs, RPOs and the general strategy, you can use ISO 27031 to detail which controls and other measures you have to consider in your DRP plans.

    This article will provide you further explanation about ISO 27031:
    - Understanding IT disaster recovery according to ISO 27031 https://advisera.com/27001academy/blog/2015/09/21/understanding-it-disaster-recovery-according-to-iso-27031/