Search results


  • Communication plans requirements

    Answer: No. Both ISO 27001 and ISO 22301 require that communication requirements be determined, but the implementation is up to the organization. So, in some cases you may have a single communication plan for multiple processes and teams (e.g., communication by Intranet), and in others you may have specific plans for specific situations (e.g., a communication plan for a project or a communication plan that is part of a disaster recovery plan).

    For smaller companies you can include rules for communication without emphasizing that this is a communication plan - e.g., in the Incident management procedure you can simply define who has to notify whom through which means, and this will be completely enough.

    These articles will provide you further explanation about communications requirements:
    - How to create a Communication Plan according to ISO 27001 https://advisera.com/27001academy/blog/2014/10/27/how-to-create-a-communication-plan-according-to-iso-27001/
    - How to handle incidents according to ISO 27001 A.16 https://advisera.com/27001academy/blog/2015/10/26/how-to-handle-incidents-according-to-iso-27001-a-16/
    - Enabling communication during disruptive incidents according to ISO 22301 https://advisera.com/27001academy/blog/2016/12/19/enabling-communication-during-disruptive-incidents-according-to-iso-22301/

    These materials will also help you regarding communication:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • ISO certification for universities

    Answer: I'm not aware of any specific ISO standard for universities. In general you can consider ISO 9001 for the implementation of quality management and ISO 17025 for quality management in laboratories, but these will depend mostly on the university's objectives and the legal requirements it must comply with. It is important to note that you have to verify with the entity that regulates engineering courses in your country which requirements the workshops and labs must comply with. These are your main guidance to identify ISO standards.

    This article will provide you further explanation about ISO 9001 for universities:
    - Should universities implement ISO 9001? https://advisera.com/9001academy/blog/2015/04/21/should-universities-implement-iso-9001/
  • INTERNAL AUDIT

    If you want to succeed in implementing an IMS, both you and the company's employees need to acquire enough knowledge to be able to carry out a project of such complexity.

    Carrying out the project by your own means is the most cost-effective option, since online tools are cheaper than hiring an external consultant. This also preserves the confidentiality of sensitive company information, increases the commitment of the employees who write their own documentation, and keeps the knowledge within the organization.

    If you want to gain knowledge about ISO 14001, you can attend the free ISO 14001 Foundations Course: https://advisera.com/training/es/course/curso-fundamentos-iso-14001/ or any of our ISO 14001 webinars: https://advisera.com/14001academy/es/webinars/

    A white paper is also available that could help you integrate ISO 14001 and ISO 9001: https://advisera.com/14001academy/es/descargas-gratuitas/ ar-las-revisiones-2015-de-iso-9001-e-iso-14001.

    As for the external audit, there are many ways an auditor can find the answers to their questions, such as reviewing records, or observing and interviewing employees. The information the auditor will collect includes:

    - Whether all clauses have been addressed
    - The consistency of the processes and whether they have been reviewed
    - The corrective actions that have been implemented where necessary
    - Whether the risk-based approach has been implemented
    - Whether there are plans for continual improvement
    - Whether the management review has been carried out

    For more information, see: https://advisera.com/9001academy/blog/2016/04/19/what-questions-to-expect-on-the-iso-9001-certification-audit/#
  • Implementing private cloud

    But we plan to migrate to new, cloud-enabled IT org structures. Could you help me with this structure model? Do you have ready templates?
    At the same time, this new IT org structure must comply with ISO 27001, ISO 27017 and ISO 27018 when I write it. Could you help me with these issues?

    Answer: Unfortunately we do not have templates specifically related to IT-based infrastructure. But I suggest you take a look at the free demo of our ISO 20000 Documentation Toolkit (https://advisera.com/20000academy/iso-20000-documentation-toolkit/).

    Although traditional IT and cloud IT are based on very different architectures, they share many common processes (e.g., incident management, capacity management, etc.), and these are covered by the ISO 20000 standard, the basis for the ISO 20000 Documentation Toolkit.

    This article will provide you further explanation about ITIL (the framework from which the ISO 20000 standard was developed) and cloud services:
    - How ITIL can help cloud services https://advisera.com/20000academy/blog/2015/07/28/how-itil-can-help-cloud-services/

    Additionally, since this toolkit is also based on an ISO standard, like the one you already bought, you will have similar information regarding which template covers which standard's clause. This will make integrating them easier.

    This article will provide you further explanation about integrating management systems:
    - How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/
  • Developing procedure for addressing risks and opportunities

    Dear Strahinja, I have created the procedure. If I send it to you, would you be able to check it and correct it if needed? Thank you
  • Documents for employees and risks

    1- To be completed on the competence of my employees (the required documents I need from them – their personal documents)

    Except for the training records, the standard does not define which documents about employees the organization needs to keep, so it is completely up to the organization to decide. You can keep their CVs or other personal files; basically you can decide what information about the employees is sufficient.

    2- The best way to do my risk matrix of operations, and a sample I can follow if applicable

    When it comes to risks related to operation, the best approach is to examine each activity and determine where and how nonconformities can occur, and take actions to prevent the nonconformities from occurring. For example, if the organization is storing temperature-sensitive products, it should apply regular monitoring of the temperature.

    For more information, see: How to address risks and opportunities in ISO 9001 https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
  • Introducing new document to the QMS

    Do I need to have it approved first by my third-party accreditation body before I can use the form?

    Answer:

    When introducing a new document to your QMS, you need to follow your own procedure for document control. This procedure should define who approves the documents prior to their use.

    The documents do not have to be sent to the third party for approval unless they are created after the third party identified a nonconformity and the document is part of the corrective action. In this case the document should be sent to the third party as evidence of the resolved nonconformity.

    For more information, see: New approach to document and record control in ISO 9001:2015 https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
  • Asset owner identification

    Currently we are writing the Risk Assessment Table and we have some doubts about the definition of "Asset Owner". Considering the risk "mail exchanged with customers and partners (docs on paper)", the asset owner is:
    - the one who is exchanging the mail, and thus the one responsible for guaranteeing the security of the mail exchange, or
    - the one responsible for guaranteeing (or not, in case of a leak of information, for example) the security of the information exchange (i.e., some governance or compliance department)

    I apologize if I was not clear in the explanation. If you have any questions, please let me know.

    Answer: The asset owner in this case is the person who is exchanging the mail, because he is the one most interested in the information not being compromised, and he will seek the implementation of proper security controls.

    The other role in the risk assessment is the "Risk Owner", the one with the accountability to ensure the risk is properly handled (e.g., the person responsible for the mail services).

    This article will provide you further explanation about the asset owner and the risk owner:
    - Risk owners vs. asset owners in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/

    These materials will also help you regarding the asset owner and the risk owner:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • 6.1 ACTIONS TO ADDRESS RISKS

    Clause 6.1 deals with the need to plan actions to address risks and opportunities, integrate these actions into the QMS, and evaluate the effectiveness of the actions.

    It is important to mention that there are no mandatory requirements for a formal process to monitor and control risks and opportunities within the QMS, so you can use the results obtained from the SWOT analysis already carried out earlier and plan the actions to address the risks and opportunities that have been found.

    For more information, see: https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
