Answer: There is no generic answer for this question, because depending upon the policy or control objective, the requirements regarding what should be kept as compliance evidence will vary.
For example, for a backup policy, a record identifying the date, content and ID of the backup media is required, while for an access control policy a user account creation record would be needed, and they basically do not share any kind of information field.
So, what I can say to you for identifying the required logs, forms and records is to evaluate the ISO 27001 requirements, which results you expect from an implemented policy or control, and which information you need to present, or evaluate, to prove to someone that you are actually achieving those results.
This article will provide you further explanation about mandatory records for ISO 27001:
- List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
Thank you for the information that you have given to me. These ideas are a big help to me.
Risks, opportunities, objectives and aspects
Thanks for your valuable reply.
How to determine Risk & Opportunity with a mitigation plan document? Please guide.
Risks and opportunities to be identified for an Environmental Management System should be related to environmental aspects, compliance obligations and other issues emerging from the context of the organization. Once you identify the risks, you need to plan actions to address them. Planning actions includes defining what needs to be done, who will do it, what resources are needed and what the deadline is. For more information, see: Risks and opportunities in ISO 14001:2015 – What they are and why they are important https://advisera.com/14001academy/blog/2016/03/07/risks-and-opportunities-in-iso-140012015-what-they-are-and-why-they-are-important/
How to determine the format for the Aspect and Impact study?
The best way to identify environmental aspects and impacts and to demonstrate the process approach is to conduct the assessment process by process and activity by activity. You need to observe every process, its inputs and outputs, and determine what environmental aspects can arise from each process. Then you need to apply some criteria to determine which aspects are significant and require operational controls. For more information, see: 6 ways to deal with significant environmental aspects in your EMS https://advisera.com/14001academy/blog/2016/12/12/6-ways-to-deal-with-significant-environmental-aspects-in-your-ems/
Methodology for determining significant environmental aspects
It is important that you use a methodology that gives repeatable and consistent results. In addition, the methodology will depend on the complexity of the organization, the availability of information and the impact the product has throughout its entire life cycle.
On the other hand, the evaluation must be carried out for all environmental aspects generated under both normal and abnormal operating conditions, as well as in emergency situations.
Determining which of the aspects are significant should involve those people within the organization who are familiar with the environmental aspects associated with these impacts.
Methods for evaluating environmental aspects can be divided into two distinct types: quantitative and qualitative. Some organizations develop complex matrices and sophisticated algorithms; however, there will always be subjective elements in the definition of the relevance scale. Therefore, if the organization does not implement a scientific quantitative methodology, it is better to use a qualitative one.
Some of the qualitative methodologies are:
1. Relevance matrix, with evaluation criteria defined through a brainstorming session.
2. ABC method, where the analysis and results are determined by the values and ideas defined by the organization and are categorized as:
A = high impact; B = medium impact; C = low impact
following certain criteria such as scale, severity, occurrence and duration.
It is also possible to carry out the evaluation using your own scale system.
Using criteria can help the organization establish which environmental aspects and impacts are significant. When determining these significance criteria, the organization needs to consider:
- Criteria for environmental conservation: such as the scale, severity and duration of the impact, or the type, size and frequency of the environmental aspects
- Legal and other requirements, for example emission limits, emission permits, legal regulations, etc.
- The needs and expectations of interested parties: reputation, noise, odor, visual degradation, etc.
Regarding clause 7.1.2 of ISO 9001:2015, a procedure on competence, training and awareness is not mandatory, although it is recommended; however, roles and responsibilities are rarely reflected in this procedure. They can be included in procedures relevant to the organization, such as the roles and responsibilities of the production process within the production procedure, or in a separate document containing all roles and responsibilities.
The standard does not require the organization to document clause 6.3, but if you choose to do it, the best way is by documenting a procedure and conducting a risk assessment for the planned change.
The procedure can describe how the organization plans the changes, how it considers the purpose and consequences of the changes, the integrity of the QMS, the availability of resources, and the roles and responsibilities for the actions taken to make the changes in the QMS. Additionally, you can conduct a risk assessment using FMEA or some other methodology to demonstrate that the consequences of the change are examined and actions to mitigate those consequences are taken.
Determining context of the organization
I'm having some difficulty determining how to format the context of our organization. I was wondering if perhaps I could also state in our QMS that the internal and external issues are to be determined/addressed yearly, and that the meeting to determine these issues is to be held after our upcoming audit. Will that be acceptable? Our transition audit is rapidly approaching...
Thanks in advance for your input.
Answer:
Defining the context at an annual meeting can be acceptable from the side of the standard when it comes to defining how the context will be determined. However, you need to determine the context of the organization before the transition audit, because without a defined context the QMS will be incomplete, since so many other elements of the QMS depend on the context.
My suggestion is to determine the context prior to the audit, and there are some simple ways to do it, for example a SWOT (Strengths, Weaknesses, Opportunities, Threats) analysis. This analysis will leave a record behind it and can be useful to demonstrate that determination of the context has been conducted.
What would be the expectations in terms of evaluation of this kind of supplier?
Answer:
The supplier performance indicators are mandatory for all suppliers. Depending on the type of service or product being provided, the organization will have to develop different supplier performance indicators. For example, for maintenance providers, an indicator under requirement 8.4.2.4 a) can be the daily or monthly maintenance plan, and the organization can monitor whether the plan was realized.
Inventory of assets and risk assessment
Answer: First of all, an inventory of assets is not mandatory according to ISO 27001:2013 (it is a suggested control from Annex A, which may be selected if there is an unacceptable risk that can be treated by its implementation).
Second, some risk assessment approaches are not based on assets for risk identification. Instead, they could be based on some method not related to assets (e.g., scenario based).
Third, for smaller companies that use the asset-based approach for risk assessment, it is easier to list all the assets directly in the Risk assessment sheet; then they do not need to have a separate Inventory of assets.
1 - In the case of the example when you say: “… you should verify what is defined in the procedures established by the area that provides the information” … what do you mean by “area”? The Management or the specialized area that reports to said management?
Answer: I meant the specialized area that reports to management. In your text you mentioned that it was this specialized area that designed, developed, and is using the security protocols.
2 - If the Management owns the information, why should it be subject to the procedures of the area that provides the information, which I understand is the specialized area?
Answer: Because there are situations where, if the information owner's actions do not follow specific procedures, the responsible area (in this case, the specialized area) cannot ensure proper information protection. Changing the information classification level or the list of who can access it is one of them.
3 - Finally: There is no formal risk analysis that has been raised to the Board. As I wrote, the security policies were defined by the specialized area because there are no such policies in the Management. And one of the security policies was not to share information with non-specialized areas.
What should the specialized area do?
Answer: The specialized area should consider providing a brief risk analysis showing the risks related to sharing that information with non-specialized areas, for management evaluation. Based on this analysis, management can decide to assume the risks and share the information, or consider the risks unacceptable and decide on another course of action (e.g., do not share the information, change the content of the report sent to non-specialized areas to minimize sensitive information sharing, etc.). The important thing here is that management makes a decision with clear information about the risks involved in hand.
Additionally, the specialized area should consider reviewing its procedures and protocols to include performing regular risk assessments. This can help anticipate potential risks.