Search results


  • Remote Audit


    Answer: Besides the documentation audit (which you can send to the auditor before the local phase of the audit), other situations for remote audit should be evaluated by the auditor on a case-by-case basis, considering the specific organizational context, identified risks and implementation methods applied, so it is not possible to point to a proportion or rule. What I can say is that an auditor would keep remote audit to a minimum, because direct observation is one of the main resources for compliance verification (e.g., even when auditing teleworking the auditor can find some local evidence in the organization, like systems access logs).

    These articles will provide you with further explanation about performing an audit:
    - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
    - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

    These materials will also help you with performing an audit:
    - Preparing for ISO Certification Audit: A Plain English Guide https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-lead-auditor-course/
  • Information Security Governance In Health Services


    I would appreciate your invaluable inputs as soon as possible because I have to make a presentation on this program in a few days.

    Answer: From the Information Governance Toolkit site (https://www.igt.hscic.gov.uk/), I assume you are referring to the requirements for Health and Social Care Information Centre, which cover requirements for: Information Governance Management, Confidentiality and Data Protection Assurance, Information Security Assurance, Clinical Information Assurance, and Corporate Information Assurance.

    Considering the definitions provided in the "About The IG Toolkit" document (https://www.igt.hscic.gov.uk/resources/About%20the%20IG%20Toolkit.pdf), I understand that the implementation of the Information Governance Toolkit can follow the same general steps used for an ISO 27001 ISMS implementation:

    - Project planning and elaboration of basic documentation
    - Carrying out the risk assessment and risk treatment plan elaboration
    - Information security policies and procedures elaboration
    - Implementation, operation and evaluation of policies and procedures (at this point some corrective actions may be required)
    - Internal audit and management review
    - Treatment of internal audit nonconformities and management review decisions

    Advisera works with ISO management standards, and I personally do not know the details of the specificities of UK health care regulations, so we cannot provide much more input beyond that.

    Regarding the specific scenario of a healthcare organization, you can include as a reference ISO 27799 - Information security management in health using ISO/IEC 27002, which will provide you with specific recommendations for this sector: https://www.iso.org/standard/62777.html

    These articles will provide you with further explanation about ISO 27001 implementation:
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
    - How ISO 27001 and ISO 27799 complement each other in health organizations https://advisera.com/27001academy/blog/2016/06/13/how-iso-27001-and-iso-27799-complement-each-other-in-health-organizations/
  • Supplier security clauses


    Answer: No. The clauses presented are suggested based on the most common requirements to be covered by organizations that rely on outsourced services. Depending on the nature of the business and the results of the risk assessment, you may need to consider other clauses.

    This material will provide you with further suggestions about supplier security clauses:
    - Security Clauses for Suppliers and Partners https://advisera.com/27001academy/documentation/security-clauses-for-suppliers-and-partners/
  • Implementing integrated management systems


    Answer: Considering the number of people you stated, an implementation, including the certification process, usually takes between six and eight months. Since you are thinking about implementing multiple standards, the implementation may vary, but you can take advantage of the similar structure of ISO standards to save some time and money implementing common requirements, like planning, internal audit and management review.

    The maintenance process is an ongoing process that will last until the organization decides it no longer wants the certifications. The certification cycle is three years for all the standards you mentioned.

    Most of the outsourced activities your organization has will be handled by contractual clauses.

    These articles will provide you with further explanation about implementing the standards:
    - How long does it take to implement ISO 27001 / BS 25999? https://advisera.com/27001academy/blog/2011/11/08/how-long-does-it-take-to-implement-iso-27001-bs-25999/
    - How long does it take to implement an ISO 9001-based QMS? https://advisera.com/9001academy/blog/2016/07/05/how-long-does-it-take-to-implement-an-iso-9001-based-qms/
    - How long does it take to implement ISO 14001:2015? https://advisera.com/14001academy/blog/2016/04/04/how-long-does-it-take-to-implement-iso-140012015/
    - How long should it take to implement OHSAS 18001? https://advisera.com/18001academy/blog/2017/01/18/how-long-should-it-take-to-implement-ohsas-18001/
    - How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/

    This material will also help you with ISO implementation:
    - Preparations for the ISO Implementation Project: A Plain English Guide https://advisera.com/books/preparations-for-the-iso-implementation-project-a-plain-english-guide/
  • L1, L2, L3 activities


    Answer:
    L1, L2, L3... are typical for the Incident Management process. How many levels there are, i.e. where a certain level belongs in the company's ITSM, depends on various factors. Here are a few examples:
    - processes/functions in place
    - complexity of IT services supported
    - 3rd parties in place (or not in place)
    - capability of ITSM employees
    - geography of the organization
    - etc.

    So, the L1, L2, etc. job descriptions (including responsibilities) will be made according to the organizational setup. For example, the Service Desk can have L1 responsibility, L2 could be an expert for a certain technology, and L3 could be the development department.
    For other processes, organizations usually don't need many levels, e.g. in Knowledge Management.
  • Filling SoA

    Sorry, I don't understand your answer. Can you point us specifically to Annex A in the documentation toolkit provided with the ISO 27001 package?
  • ISO 27001 and information security governance

    The article links on this post helped me. Thanks Rhand Leal

  • Risk-based thinking in IATF 16949


    Answer:

    When it comes to risk-based thinking, or addressing risks and opportunities, IATF 16949 has additions to the requirements of ISO 9001. IATF 16949 requires the risk analysis to include, at a minimum, product recalls, product audits, returns and repairs, complaints, scrap and rework. The evidence of risk-based thinking would be an FMEA (Failure Mode and Effects Analysis) conducted for the processes, with appropriate actions taken to address the risks. As far as the staff operating the processes are concerned, the best approach is to focus primarily on the risks emerging from their processes and what has to be done to avoid them, for example, how to perform the activities and avoid nonconformities.
  • Conducting "desktop audit"


    Answer:

    I assume you are thinking about an ISO 9001 audit, but it is pretty much the same approach for any standard. A desktop audit is usually a review of an organisation's quality documents to ensure compliance with higher-level documents and to familiarize the auditor with the auditee's quality management system. This is generally done prior to an audit.

    The purpose of this audit is to determine whether the documentation is compliant with the requirements of the standard. So, the best way to approach it is to determine first which clauses and requirements of the standard are relevant to particular documents, and then to audit the documents against these requirements. If you are new to auditing, it can be helpful to develop a checklist first and then to conduct the audit by following it.

    For more information, see: ISO 9001 Audit Checklist https://advisera.com/9001academy/knowledgebase/iso-9001-audit-checklist/
  • Audit criteria and evidence-based approach


    Answer:

    Audit criteria represent the set of requirements against which you will perform the audit. In the case of an internal audit or certification audit, the criteria are the standard and the relevant management system documentation, for example, whether the production process is conducted according to the production procedure. Other criteria can be customer requirements, legal requirements, etc. For more information, see: What is the ISO 9001 audit program, and how does it work? https://advisera.com/9001academy/blog/2017/01/24/what-is-the-iso-9001-audit-program-and-how-does-it-work/

    An evidence-based approach means that you base your decision or judgement on the evidence you have collected. For example, if you want to determine whether the organization has conducted training according to the training program it developed, you will look for the training records.