
  • Disposal of asbestos sheets


    Answer:

    Asbestos cement sheeting is commonly found as grey corrugated or flat sheets. It is thin and brittle and produces a clean edge when broken. It contains a small amount of asbestos encapsulated within cement, which, in good condition, does not normally present a risk to health. Please remember that any work on asbestos sheet may generate airborne asbestos fibers.

    Asbestos should be disposed of at an organization authorized for handling asbestos, such as a waste recycling centre. Before bringing asbestos to the waste recycling centre, take these actions to ensure your asbestos will be accepted:
    - all pieces of asbestos should be double wrapped in heavy duty plastic; this does not include plastic such as bin liners or carrier bags
    - the double wrapped plastic does not need to be clear, but you should ensure that nothing is protruding from inside the plastic, as this will not be accepted
    - you should soak large pieces before breaking them down to bring on to site - this stops fibers escaping

    For more information on handling and disposal of asbestos, see: Guideline for Construction/Asbestos Waste Management https://advisera.com/14001academy/documentation/guideline-for-constructionasbestos-waste-management/
  • Alternative controls and control plan

    How can I handle the alternate process control method? Within the "normal" control plan, or by making another control plan?
    If I use the normal control plan, should I mark the alternate controls in any way?

    Answer:

    The organization needs to identify, document and maintain the alternate methods for process control and get approval from the customer for these controls. The list of alternate process control methods should be referenced in a control plan, so you do not have to create another control plan; just include references to the alternate controls in the existing one.

    Since alternate controls are used incidentally and not on a regular basis (the standard requires the organization to return to the standard process as soon as possible), the alternate controls should be distinguished in some way from the regular controls in the control plan.
  • Documenting Design History File

    If all our records are electronic (e.g. JIRA, confluence, office365) do we need to maintain a design history file (DHF)? Or can we just provide all the documents or an index of those documents?

    Answer:

    Design and Development File and Design History File are basically the same documents. The ISO 13485 standard requires the organization to maintain this file for each medical device type or device family. It must include either records or references to them to demonstrate conformity to the requirements for design and development, and records for design and development changes.

    You don't have to have a separate record for it; you can create a database or an index to all of those documents.
  • Scope and asset definition


    1. May we/should we exclude third-party cloud providers (document management, e-mail, and time and billing)? [Note: Most have their own ISO 27001 certifications—may we or should we reference these in our documentation, or would that only confuse things?]

    Answer: By the scenario you described, you do not need to include the third-party cloud providers in your scope. The main point to consider here is how much direct control your firm has over the applications and databases hosted on the outsourced IT services. If you can manage the applications (e.g., create and manage user accounts, change configurations, etc.), you should include the applications in your scope. If all this management work is performed by the provider, you have to include only the databases in your ISMS scope (e.g., email database, documentation database, time and billing database).

    2. Should we include our IT service provider? If so, how deeply must we delve into their systems? [They provide similar services to many companies, and have visibility into our system for maintenance and troubleshooting.]

    Answer: As explained in the first answer, you do not have to include your IT service provider in the scope.

    This article will provide you further explanation about Scope definition:
    - Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    These materials will also help you regarding scope definition:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

    3 - A related question pertains to the distinction between a company and its software. For example, Microsoft as a company may be subject to threats such as breach of contractual relations or equipment failure. At the same time, its software (in this case Office 365) may have its own threats and vulnerabilities, such as application errors, inadequate patching, etc. Should these be combined in the risk assessment table as a single reference to Microsoft with all related threats and vulnerabilities, or should it be broken out as third-party provider and software? (Assuming, of course, that they are included at all consistent with our questions above.)

    Answer: Considering your example, if your relationship with Microsoft is limited to the use of Office 365, then "Office 365" is the asset to be assessed, and all identified risks should be associated with it. However, if besides Office 365 you also use other Microsoft products or services (e.g., OneDrive, Skype, Windows, etc.), then an additional asset, called, for example, "Software Provider - Microsoft", should also be considered for assessment, because now you also have to consider risks in terms of all Microsoft products and services you use, not only the risk for specific ones, and this can be better handled if they are concentrated in a single asset.
  • Security in web applications

    Thank you for your reply,
    Is 27001 combined with 27002 a good idea to secure a web application also? Because I mean there are some points in 27001 that we probably don't need, or if I want to write a security policy for a web application, because I didn't get a lot of information about 15408 and how it works.
    What do you think about PCI? I'm just trying to get the best norm and explain why. Thanks for your help.
  • 8.5.1.2 Standardized Work


    8.5.1.2 Standardized Work – operator instructions and visual standards

    The organization shall ensure that standardized work instructions are:

    a) Communicated to and understood by the employees who are responsible for performing the work;
    b) Legible;
    c) Presented in the language(s) understood by the personnel who are responsible to follow them;
    d) Accessible for use at the designated work area(s).

    Thank you

    Answer:

    When you have employees of different nationalities, you can choose to define an official language of the company so that all official documents are required to be written in this language, but this won't resolve your problem with people who don't speak the language.

    For people who do not speak the official language of the company, you can either translate the documents that they need to use and make the documents bilingual, or try to make those documents more pictorial and avoid writing text, presenting them with pictures instead. In any case, you do not have to translate all QMS documents, but only those that are used by employees who don't speak the official language.
  • Making IATF 16949 transition using documentation templates


    Answer:

    The templates can be very useful and save you a lot of time and effort in the transition project. They are usually well formatted and cover all requirements of the standard regarding the documentation. Basically, you will save yourself from spending too much time on details and technicalities related to the standard and can focus on the essence and process control.

    When thinking of purchasing the templates, it is important to make sure they contain all mandatory documents and maybe some non-mandatory documents that can be useful. Also check what kind of support is included in the price: do they offer online meetings, answering your questions by email, document review, etc.
  • Risk treatment evidences


    What level of documented information is expected here? Am I expected to maintain a separate log or is using the risk treatment plan which details the treatments enough to use as a basis for demonstrating that the treatments have been applied?

    Answer: Besides the Risk Treatment Plan, you also have to maintain evidence of the results achieved with each treatment implemented. For example, if the treatment is monitoring an asset, evidence may be logs, as you stated. If the treatment is backup, evidence may be the backup media or the backup media register.

    In the video tutorials that came with your toolkit, you can see examples of how to fill out all the data for Risk assessment and Risk treatment.

    This article will provide you further explanation about risk treatment:
    - Risk Treatment Plan and risk treatment process – What’s the difference? https://advisera.com/27001academy/knowledgebase/risk-treatment-plan-and-risk-treatment-process-whats-the-difference/

    These materials will also help you regarding risk treatment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Scope definition


    Answer: You cannot set only the software's database as your scope. An ISMS scope should be defined in terms of processes, organizational units or physical locations. Considering this, a suggestion is that you define your scope in terms of the department that handles the development and/or production of that software/database. Another option is to set the scope to your whole company; this is the best solution for smaller companies (e.g., up to 50 employees).

    These articles will provide you further explanation about Scope definition:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    These materials will also help you regarding Scope definition :
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Surveillance audit and transition

    Yes, you can cancel the surveillance audit and apply directly for the new version. The only thing is that between the moment when you cancel the certification audit and the moment you get the certificate for the new version, your company won't be ISO 9001 certified.