Since the cause was lack of awareness, the corrective action should be to raise awareness and maybe to perform additional training for the IT staff so they get familiar with the requirements of the standard and what is expected from them. As a follow-up, you can later audit the IT department to check whether it is compliant with the standard and the procedures the organization defined.
Implementing OHSAS 18001 is sufficient for getting the certificate based on this standard. I'm not sure what you mean by Health and Safety certification, but in most cases OHSAS 18001 is enough.
2) How best can an employer deal with a worker who does not abide by the safety guidelines stipulated by the company in regards to the implementation of Occupational Health and Safety Management Systems?
In cases when the employee is not following the company procedures and guidelines all you can do is to warn, punish and ultimately expel the employee from the work site.
3) Kindly list the safety requirements, procedures and policies that a company must have in compliance with OHSAS 18001, and the possible optional ones.
Could you clarify whether clause 4 can be written in detail in my Quality Manual without a separate procedure?
Is clause 5.1.1 a new requirement? I observe that all of clause 5 and its sub-clauses on leadership are basically the same, except for risks and opportunities that must be identified and addressed so as not to affect customer satisfaction or create risks of customer dissatisfaction.
Answer:
First, the requirements for context of the organization do not include documenting the context or writing a procedure. If you decide to document it, you can include it in your Quality Manual or make a separate procedure; since it is not a requirement of the standard, you are free to do it in any way that you find the most suitable. For more information, see: How to identify the context of the organization in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
The main difference is in the scope: a work instruction usually describes one operation or activity, while a Quality Plan is written for an entire process. Work instructions are usually written in the form of text or a flow chart, while a Quality Plan is in the form of a spreadsheet, but the purpose of both documents is to ensure that the process or activity is carried out as planned.
Answer: No. Vulnerabilities are weaknesses that may also be the result of improper implementation of an otherwise well-designed project (e.g., a safe made of a defective alloy) or a control misconfiguration (e.g., a password policy that enforces alphanumeric characters but limits the size to a small value).
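The control-misconfiguration example above (a password policy that is "compliant" on character classes yet weak on length) can be caught by auditing the policy settings themselves. The following is an added illustration, not code from Advisera or from any toolkit: it takes a policy as a plain dictionary (the field names `charset`, `min_length` and `max_length` are assumptions for this example) and reports why the short length cap undermines the control even though the complexity rule is in place.

```python
import math

# Constructed sample policies for this example (not taken from any real system).
# WEAK_POLICY mirrors the text: alphanumeric characters enforced, but the size
# is limited to a small value. FIXED_POLICY is the corrected configuration.
WEAK_POLICY = {"name": "legacy", "charset": "alphanumeric",
               "min_length": 6, "max_length": 6}
FIXED_POLICY = {"name": "corrected", "charset": "alphanumeric",
                "min_length": 12, "max_length": 128}

# Size of the character set each policy keyword allows (assumed mapping).
CHARSET_SIZES = {"numeric": 10, "alpha": 52,
                 "alphanumeric": 62, "alphanumeric_symbols": 94}


def keyspace_bits(policy):
    """Ceiling on password strength the policy permits: log2 of the number of
    distinct passwords at the maximum allowed length. A length cap bounds this
    regardless of how strict the character-class rule is."""
    size = CHARSET_SIZES[policy["charset"]]
    return policy["max_length"] * math.log2(size)


def audit_policy(policy, min_length=12, min_bits=60.0):
    """Return a list of findings describing why the policy is a weak control.
    Thresholds are illustrative baseline values, not values from the page."""
    findings = []
    if policy["max_length"] < policy["min_length"]:
        findings.append("max_length is below min_length: policy is inconsistent")
    if policy["max_length"] < min_length:
        findings.append(f"max_length {policy['max_length']} caps passwords "
                        f"below the baseline of {min_length} characters")
    if policy["min_length"] < min_length:
        findings.append(f"min_length {policy['min_length']} is below the "
                        f"baseline of {min_length} characters")
    bits = keyspace_bits(policy)
    if bits < min_bits:
        findings.append(f"keyspace ceiling of {bits:.1f} bits is below "
                        f"the baseline of {min_bits:.0f} bits")
    return findings


if __name__ == "__main__":
    for policy in (WEAK_POLICY, FIXED_POLICY):
        print(f"{policy['name']}: {keyspace_bits(policy):.1f} bits max")
        for finding in audit_policy(policy) or ["no findings"]:
            print("  -", finding)
```

Running the audit against both constructed policies shows that the alphanumeric rule alone does not make the control effective: with a six-character cap the whole space is under 36 bits, and the corrected policy, which raises the minimum and removes the low cap, produces no findings.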
Currently we are writing the Risk Assessment Table and we have some doubts about the definition of "Asset Owner". Considering the asset "mail exchanged with customers and partners (docs in paper)", is the asset owner:
- the person who is exchanging the mail, and is therefore responsible for guaranteeing the security of the mail exchange, or
- the person responsible for guaranteeing (or not, in case of a leak of information, for example) the security of the information exchange (i.e., some governance or compliance department)?
I apologize if I was not clear in the explanation. If you have any question, please let me know.
Answer: The asset owner in this case is the person who is exchanging the mail, because he is the one most interested that the information won't be compromised and will seek the implementation of proper security controls.
The other role in the risk assessment is the "Risk Owner", the one with the accountability to ensure the risk is properly handled (e.g., the person responsible for the mail services).
Answer: You should keep the documentation as small and simple as possible. So, considering 5 departments, the best approach would be to propose drafts for evaluation by the department heads. You should consider writing general documents that can cover all departments, including specific sections for specific situations regarding the departments. If you see this approach cannot cover the departments' needs, then you should consider writing specific procedures for the departments that need them (in our experience the general documents cover most of the situations).
Examples of documents that can be written for the whole organization are the Statement of Applicability and the risk assessment report. Examples of documents that should be written by each department are records of monitoring and measurement.
Risk assessment and application control practical examples
a. Risk Assessment Table
b. Risk Treatment Table
Answer: Together with the ISO 27001 Documentation Toolkit you bought, you have access to video tutorials with practical examples that will help you fill in the risk assessment and risk treatment tables. In those videos you will get examples of vulnerabilities and threats, how to assess the level of risk, and how to determine options for the treatment of risks and appropriate controls for unacceptable risks.
2. A file (cross-link) that defines the ISO 27002 controls that should be used for the pre-defined vulnerabilities as used in the template that is part of the toolkit.
Answer: Since the applicability of ISO 27002 controls is unique to each organization's context, even for the pre-defined vulnerabilities listed in the template, we do not provide definitions of what should be used by organizations (this is an organizational decision, based on specific information). What we can provide are criteria and recommendations that should be considered when deciding which treatments and controls to apply, through our many blog posts, which you can consult here: https://advisera.com/27001academy/blog/
If you still feel you need more assistance you can schedule a meeting with one of our experts to ask for more specific orientation (https://advisera.com/27001academy/consultation/), which is also part of the toolkit you bought.
Business continuity strategy, plan, and procedure
Answer: The business continuity strategy is related to how an organization will ensure its recovery and continuity in the face of a disaster or other major incident or business disruption. It covers general decisions applicable to a wide range of types of disasters, major incidents or business disruptions (e.g., use of alternative sites).
The BC plan defines precisely how the organization will manage incidents in the case of a specific disaster or other disruption of business, and how it will recover its critical activities within set deadlines (e.g. BC plan for chemical leakage, fire, etc.).
The BC procedure is a document defining how a specific business continuity activity should be performed (e.g., evacuation procedure).