Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11269 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Conducting "desktop audit"
Answer:
I assume you are thinking about ISO 9001 audit, but it is pretty much the similar approach for any standard. Desktop audit is usually a review of quality documents of an organisation to ensure compliance to higher level documents and to familiarize auditor with the auditee's quality management system.This is done generally prior to an audit.
The purpose of this audit is to determine whether the documentation is compliant with requirements of the standard. So, the best way to approach it is to determine first what clauses and what requirements of the standard are relevant to particular documents and then to audit the documents against these requirements. If you are new to auditing, it can be helpful to develop the checklist first and then to conduct the audit by following the checklist.
For mor e information, see: ISO 9001 Audit Checklist https://advisera.com/9001academy/knowledgebase/iso-9001-audit-checklist/ -
Audit criteria and evidence-based approach
Answer:
Audit criteria represents set of requirements against which you will perform the audit. In case of internal audit or certification audit, the criteria is the standard and relevant management system documentation, for example is the production process conducted according to production procedure. Other criteria can be requirements of the customers, legal requirements, etc. For more information, see: What is the ISO 9001 audit program, and how does it work? https://advisera.com/9001academy/blog/2017/01/24/what-is-the-iso-9001-audit-program-and-how-does-it-work/
Evidence-based approach means that you are basing your decision or judgement on evidence you've collected. For example, if you want to determine whether the organization has conducted training according to the training program it developed, you will look for the training records. -
ISMS audit
Answer: An ISO 27001:2005 certified lead auditor can perform internal audit if he/she can prove competence in 2013 revision of the standard. If not, then this person needs to take a training to obtain this competence.
This articles will provide you further explanation about new version of ISO 27001 and internal audit:
- Infographic: New ISO 27001 2013 revision – What has changed? https://advisera.com/27001academy/knowledgebase/infographic-new-iso-27001-2013-revision-what-has-changed/
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
These materials will also help you regarding internal audit:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/ -
Lead Auditor Training for ISO27K
There are many organizations who say they provide certification with training in a cost less than 5000 INR and some are providing it for the cost of more than 50000 INR too.
Which is to be considered is a big question and I want this to be done from a recognized/accredited institution only.
Can you please suggest?
Answer: We do not have deep knowledge of India market to point to give you the best solution, but you can make contact with these training providers:
- SGS https://www.sgsgroup.in/en-GB/Office-Directory.aspx
- BSI https://www.bsigroup.com/en-IN/Contact-us/
- Bureau Veritas https://www.bureauveritas.co.in/home/worldwide-locations/coin-locations
This article will provide you further explanation about Lead Auditor course:
- What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/ -
Cost of downtime
Answer:
Downtime consists of two types of costs:
1. Direct, like:
- Lost profit
- cost generated by resolving the issues which caused downtime (hours of your employees)
- SLA penalties (or even lost SLA)
- cost of en-user (un)productivity
. costs towards third parties
- etc.
2. Indirect, like:
- reputation damage
- cost of lost opportunity
- regulatory/compliance breach costs
- etc.
So, as you can see, while calculation costs of downtime some costs are easily identifiable, and some are just good estimation. Financial people or business will be of great help, so use the chance and include their inputs in calculation. -
New 9001 and 13485 standard
Hi Juanito,
ISO 13485:2016 still requires management representative, so in order to be compliant with the standard you need to assign this role to someone in your organization. -
Risk register and environmental aspects
1.can we make a single risk register for a company as a whole or should we have to make functional/ departmental wise or the option left to the Organ.?
The standard does not define how organization will compile its risks register, so you can do it in any way that you find the most suitable. For more information, see: How to address risks and opportunities in ISO 9001 https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
Regarding EMS 2015 standard
1.Should we have to make risk register for EMS also as per cl.6.1
Yes, you should make risk register for risks and opportunities related to the EMS and you can do it in the same way as for ISO 9001. For more information, see: Risks and opportunities in ISO 14001:2015 – What they are and why they are important https://advisera.com/14001academy/blog/2016/03/07/risks-and-opportunities-in-iso-140012015-what-they-are-and-why-they-are-important/
2.For Aspect Impact study is their any template / format to use?
Yes, we do have templates for identification and evaluation of environmental aspects and impacts. Here you can download free preview of our Procedure for Identification and Evaluation of Environmental Aspects and Risks https://advisera.com/14001academy/documentation/procedure-for-identification-and-evaluation-of-environmental-aspects/ -
Lead Auditor certification and CISA
Answer: The pros and cons interpretation will depend on the context of the audit scenario considered. CISA is more focused on audit of information systems and IT processes, while ISO 27001 Lead Auditor covers information protection regardless where it is found (digital format, paper media, people, etc.).
That said, if an audit focuses on information security management, ISO 27001 LA would provide a better basis for audit. On the other hand, if the audit will cover aspects like IT governance activities and technical process, CISA is more adequate. It also can help you perform audits considering the strategic relationships of the information systems and business objectives.
This article will provide you further explanation about certifications of lead auditor and CISA:
- CISA vs. ISO 27001 Lead Auditor certification https://advisera.com/27001academy/blog/2015/05/11/cisa-vs-iso-27001-lead-auditor-certification/ -
SoA and outsourced IT
Answer: You should include the controls in the SoA. Even if they are implemented by your IT service provider, including them in the SoA is a good idea because this way your organization will have a clear overview about who will implement which control, making easier the job to keep track of all controls, who is responsible and what is their status.
The proper way to do that is to state the control as applicable and indicate which third party will implement the control and what will be the legal basis for it (e.g., implemented by third-party according service agreement).
You should also note that by doing this way you have to ensure to state the control A.15.1.2 (Addressing security within supplier agreements) as applicable and retain as evidence the service agreement with the security clauses your provider must comply with. These security clauses basically refer to the controls your organization states as applicable in your SoA and that you want the provider to apply.
These articles will provide you further explanation about controls in outsourced IT:
- Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
These materials will also help you regarding controls in outsourced IT:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
Defining scope
Could you please give an advice about how to tackle this problem??
Answer: For such small number of employees, the most efficient way is to include all organization in the scope, because the effort to manage the interfaces and interdependencies with the areas outside the scope will be greater than consider all the areas of the organization. Customers and logistic partners are considered as interested parties that should be considered in the definition of the scope, not included in the scope itself.
This articles will provide you further explanation about defining scope:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
- How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
This material will also help you regarding defining scope:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/