Search results

Home / Search

Category:

Sort by:

Select

Types of user:

Select

11275 results

Guest

Create New Topic As guest or Sign in

Business department* About business* Organization size*

Title *

Body *

HTML tags are not allowed

Category *

Select

Assign topic to the user

Select user

Cost of downtime

Answer:
Downtime consists of two types of costs:
1. Direct, like:
- Lost profit
- cost generated by resolving the issues which caused downtime (hours of your employees)
- SLA penalties (or even lost SLA)
- cost of en-user (un)productivity
. costs towards third parties
- etc.
2. Indirect, like:
- reputation damage
- cost of lost opportunity
- regulatory/compliance breach costs
- etc.

So, as you can see, while calculation costs of downtime some costs are easily identifiable, and some are just good estimation. Financial people or business will be of great help, so use the chance and include their inputs in calculation.
New 9001 and 13485 standard
Hi Juanito,

ISO 13485:2016 still requires management representative, so in order to be compliant with the standard you need to assign this role to someone in your organization.
Risk register and environmental aspects
1.can we make a single risk register for a company as a whole or should we have to make functional/ departmental wise or the option left to the Organ.?

The standard does not define how organization will compile its risks register, so you can do it in any way that you find the most suitable. For more information, see: How to address risks and opportunities in ISO 9001 https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/

Regarding EMS 2015 standard
1.Should we have to make risk register for EMS also as per cl.6.1

Yes, you should make risk register for risks and opportunities related to the EMS and you can do it in the same way as for ISO 9001. For more information, see: Risks and opportunities in ISO 14001:2015 – What they are and why they are important https://advisera.com/14001academy/blog/2016/03/07/risks-and-opportunities-in-iso-140012015-what-they-are-and-why-they-are-important/

2.For Aspect Impact study is their any template / format to use?

Yes, we do have templates for identification and evaluation of environmental aspects and impacts. Here you can download free preview of our Procedure for Identification and Evaluation of Environmental Aspects and Risks https://advisera.com/14001academy/documentation/procedure-for-identification-and-evaluation-of-environmental-aspects/
Lead Auditor certification and CISA

Answer: The pros and cons interpretation will depend on the context of the audit scenario considered. CISA is more focused on audit of information systems and IT processes, while ISO 27001 Lead Auditor covers information protection regardless where it is found (digital format, paper media, people, etc.).

That said, if an audit focuses on information security management, ISO 27001 LA would provide a better basis for audit. On the other hand, if the audit will cover aspects like IT governance activities and technical process, CISA is more adequate. It also can help you perform audits considering the strategic relationships of the information systems and business objectives.

This article will provide you further explanation about certifications of lead auditor and CISA:
- CISA vs. ISO 27001 Lead Auditor certification https://advisera.com/27001academy/blog/2015/05/11/cisa-vs-iso-27001-lead-auditor-certification/
SoA and outsourced IT

Answer: You should include the controls in the SoA. Even if they are implemented by your IT service provider, including them in the SoA is a good idea because this way your organization will have a clear overview about who will implement which control, making easier the job to keep track of all controls, who is responsible and what is their status.

The proper way to do that is to state the control as applicable and indicate which third party will implement the control and what will be the legal basis for it (e.g., implemented by third-party according service agreement).

You should also note that by doing this way you have to ensure to state the control A.15.1.2 (Addressing security within supplier agreements) as applicable and retain as evidence the service agreement with the security clauses your provider must comply with. These security clauses basically refer to the controls your organization states as applicable in your SoA and that you want the provider to apply.

These articles will provide you further explanation about controls in outsourced IT:
- Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/

These materials will also help you regarding controls in outsourced IT:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Defining scope

Could you please give an advice about how to tackle this problem??

Answer: For such small number of employees, the most efficient way is to include all organization in the scope, because the effort to manage the interfaces and interdependencies with the areas outside the scope will be greater than consider all the areas of the organization. Customers and logistic partners are considered as interested parties that should be considered in the definition of the scope, not included in the scope itself.

This articles will provide you further explanation about defining scope:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
- How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

This material will also help you regarding defining scope:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
Risk assessment methodology

Answer:

The standard does not requires organizations to adopt risk assessment methodology, so there are no requirements on how the organization will define its criteria for probability, consequence or any other element of risk. The organization itself can define the criteria for probability and consequence if it decides to apply them at all since they are not required. All the organization needs to do is to identify risks and opportunities and take actions to address them, how it will be done is not defined by the standard and the organization has full liberty to do it as it finds the most suitable.

As far as the certification auditor is concerned, he or she can only audit the QMS (Quality Management System) against the requirements of the standard and cannot interfere or require c hanges in the methodology that the organization adopted.

For more information, see: How to address risks and opportunities in ISO 9001 https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
Audit resources and BCM material

En general es un buen material. la expectativa que no se realmente si sea demasado pedir, es tener un caso practico desarrollado, un modelo basado en un estudio o aplicacion real de auditoria.
Soy uno de los profesionales que tengo certificacion en iso27001, y mi dia adia no me ha permitido ejercer una auditoria y me da susto equivocarme, es como tener un taller de ejercicios para llevarlos a la practica.
Aprovecho este oportunidad tambien para comentar la necesidad que tengo de un plan de continuidad del negocio para un servicio de outsourcing en recursos TI. Tema que lo expuesto por sus esquemas de contacto.

(Overall a good material. The expectation that is not really if it is too much to ask, is to have a practical case developed, a model based on a study or real application of audit.
I am one of the professionals that I have certification in iso27001, and my day to day has not allowed me to exercise an audit and I get scared to err, it is like having an exercise workshop to take them to the practice.
I take this opportunity al so to comment on my need for a business continuity plan for an outsourcing service in IT resources. Subject that exposed by their contact schemes)

Answer: For practical examples of how to perform an internal audit I suggest you to attend our free ISO 27001:2013 Internal Auditor Course at this link: https://advisera.com/training/iso-27001-internal-auditor-course/

Additionally our knowledge base has very interesting articles that can help you, like:
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
- How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
- Major vs. minor nonconformities in the certification audit https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/

Regarding business continuity plan, I suggest you to take a look at the free demo of our Business continuity plan at this link: https://advisera.com/27001academy/documentation/business-continuity-plan/

This template can help you to define precisely how an organization will manage incidents in the case of a disaster or other disruption of business, and how it will recover its critical activities within set deadlines.

This article will provide you further explanation about business continuity planning:
- How to write business continuity plans? https://advisera.com/27001academy/blog/2010/04/08/how-to-write-business-continuity-plans/
- Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/

These materials will also help you regarding Business Continuity Planning:

- Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
- Writing a business continuity plan according to ISO 22301 [free webinar] https://advisera.com/27001academy/webinar/writing-a-business-continuity-plan-according-to-iso-22301-free-webinar-on-demand/
CMMi toolkit

Answer: We work with ISO management standards related documents, so unfortunately we do not have a CMMI Toolkit in our products portfolio.

2- Do you have any or recommend any CMMI toolkit providers?

Answer: Unfortunately I do not have much knowledge in this specific market to provide a recommendation, but you can take a look at this link at Carnegie Mellon University (the institutions that developed CMMI): https://seir.sei.cmu.edu/toolkit/PurposesofthisToolkitDocument.html
Why is top management important for QMS

Answer:

The top management involvement in the QMS is essential for effectiveness of the QMS. Provision of resources, defining Quality Policy and objectives, assigning roles and responsibilities are some of the responsibilities of the top management and cannot be done by someone else. Involvement of the top management is necessary for planning, check and act phase of the PDCA cycle and without them, these phases cannot be properly conducted and the QMS will only be formally implemented and fail to provide any benefit to the organization. For more information, see: To what extent should top management be involved in your QMS? https://advisera.com/9001academy/blog/2016/11/22/to-what-extent-should-top-management-be-involved-in-your-qms/

The best way to convince the top management to participate in QMS is to present them with benefits that ISO 9001 b rings to the company and explain them that QMS wont work without their active participation. For more information, see: How to get Management Buy-in for ISO 9001 https://advisera.com/9001academy/blog/2014/09/02/get-management-buy-iso-9001/

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +

Search results

11275 results

Create New Topic As guest or Sign in

Assign topic to the user

Want to vote?

Cost of downtime

New 9001 and 13485 standard

Risk register and environmental aspects

Lead Auditor certification and CISA

SoA and outsourced IT

Defining scope

Risk assessment methodology

Audit resources and BCM material

CMMi toolkit

Why is top management important for QMS

Didn’t find an answer?