Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11275 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Supplier security clauses
Answer: No. The clauses presented are suggested based on the most common requirements to be covered by organizations that rely on outsourced services. Depending on the nature of the business and results of risk assessment you my need to consider other clauses.
This material will provide you further suggestions about supplier security clauses:
- Security Clauses for Suppliers and Partners https://advisera.com/27001academy/documentation/security-clauses-for-suppliers-and-partners/ -
Implementing integrated management systems
Answer: Considering the number of people you stated, an implementation, including the certification process, usually takes between six and eight months. Since you are thinking about implementing multiple standards, the implementation may vary, but you can take advantage of the similar structure of ISO standards to save some time and money implementing common requirements, like planning, internal audit and management review.
The maintenance process is an ongoing process that will last until the organization decides it does not want the certifications any more. The certification cycle is three years for all standards you mentioned.
Most of the outsourced activities your organization has will be handled by contractual clauses.
These articles will provide you further explanation about implementing the standards:
- How long doe s it take to implement ISO 27001 / BS 25999? https://advisera.com/27001academy/blog/2011/11/08/how-long-does-it-take-to-implement-iso-27001-bs-25999/
- How long does it take to implement an ISO 9001-based QMS? https://advisera.com/9001academy/blog/2016/07/05/how-long-does-it-take-to-implement-an-iso-9001-based-qms/
- How long does it take to implement ISO 14001:2015? https://advisera.com/14001academy/blog/2016/04/04/how-long-does-it-take-to-implement-iso-140012015/
- How long should it take to implement OHSAS 18001? https://advisera.com/18001academy/blog/2017/01/18/how-long-should-it-take-to-implement-ohsas-18001/
- How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/
This material will also help you regarding ISO implementation:
- Preparations for the ISO Implementation Project: A Plain English Guide https://advisera.com/books/preparations-for-the-iso-implementation-project-a-plain-english-guide/ -
L1, L2, L3 activities
Answer:
L1, L2, L3...are typical for Incident Management process. How many levels i.e. where does certain level belong in ITSM of the company depends on various factors. Here are few examples:
- processes/functions in place
- complexity of IT services supported
- 3rd parties in place (or not in place)
- capability of ITSM employees
- geography of the organization
- etc.
So, according to the organizational setup, so will be L1, L2, etc. job description (including responsibilities) made. For example, Service Desk can have L1 responsibility, L2 could be expert for certain technology and L3 could be development department.
Other processes - usually organizations don't need many levels in e.g. Knowledge Management. -
Filling SoA
Sorry, I don't understand your answer. Can you point us specifically to Annex A in the documentation toolkit provide with the ISO27001 package? -
ISO 27001 and information security governance
The article links on this post helped me. Thanks Rhand Leal
-
Risk-based thinking in IATF 16949
Answer:
When it comes to risk-based thinking or addressing risks and opportunities, IATF 16949 has addition to requirements of ISO 9001. IATF 16949 requires risk analysis to include, at minimum, product recalls, product audits, returns and repairs, complaints, scraps and rework. The evidence of the risks-based thinking would be FMEA (Failure Mode Effect Analysis) conducted for processes with appropriate actions taken to address the risks. As far as the staff operating the processes is concerned, the best approach is to focus primarily on the risks emerging from their processes and what has to be done to avoid the risks. For example, how to perform the activities and avoid the nonconformities. -
Conducting "desktop audit"
Answer:
I assume you are thinking about ISO 9001 audit, but it is pretty much the similar approach for any standard. Desktop audit is usually a review of quality documents of an organisation to ensure compliance to higher level documents and to familiarize auditor with the auditee's quality management system.This is done generally prior to an audit.
The purpose of this audit is to determine whether the documentation is compliant with requirements of the standard. So, the best way to approach it is to determine first what clauses and what requirements of the standard are relevant to particular documents and then to audit the documents against these requirements. If you are new to auditing, it can be helpful to develop the checklist first and then to conduct the audit by following the checklist.
For mor e information, see: ISO 9001 Audit Checklist https://advisera.com/9001academy/knowledgebase/iso-9001-audit-checklist/ -
Audit criteria and evidence-based approach
Answer:
Audit criteria represents set of requirements against which you will perform the audit. In case of internal audit or certification audit, the criteria is the standard and relevant management system documentation, for example is the production process conducted according to production procedure. Other criteria can be requirements of the customers, legal requirements, etc. For more information, see: What is the ISO 9001 audit program, and how does it work? https://advisera.com/9001academy/blog/2017/01/24/what-is-the-iso-9001-audit-program-and-how-does-it-work/
Evidence-based approach means that you are basing your decision or judgement on evidence you've collected. For example, if you want to determine whether the organization has conducted training according to the training program it developed, you will look for the training records. -
ISMS audit
Answer: An ISO 27001:2005 certified lead auditor can perform internal audit if he/she can prove competence in 2013 revision of the standard. If not, then this person needs to take a training to obtain this competence.
This articles will provide you further explanation about new version of ISO 27001 and internal audit:
- Infographic: New ISO 27001 2013 revision – What has changed? https://advisera.com/27001academy/knowledgebase/infographic-new-iso-27001-2013-revision-what-has-changed/
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
These materials will also help you regarding internal audit:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/ -
Lead Auditor Training for ISO27K
There are many organizations who say they provide certification with training in a cost less than 5000 INR and some are providing it for the cost of more than 50000 INR too.
Which is to be considered is a big question and I want this to be done from a recognized/accredited institution only.
Can you please suggest?
Answer: We do not have deep knowledge of India market to point to give you the best solution, but you can make contact with these training providers:
- SGS https://www.sgsgroup.in/en-GB/Office-Directory.aspx
- BSI https://www.bsigroup.com/en-IN/Contact-us/
- Bureau Veritas https://www.bureauveritas.co.in/home/worldwide-locations/coin-locations
This article will provide you further explanation about Lead Auditor course:
- What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/