  • Does each clause in section 8 of AS9100D require a PEAR? i.e. 8.1.1 and 8.1.2?

    If by PEAR you mean Process Effectiveness Assessment Report, then this is not a requirement of AS9100. Unless your customers require that you provide this sort of information, it is up to you to decide what you must do for the requirements in Clause 8 of AS9100 Rev D.
    Specifically, Clauses 8.1.1 and 8.1.2 are defined in the standard as planned, implemented and controlled processes, and there is no requirement within AS9100 Rev D that documented information of the process is needed. In cases where there is no requirement for documented information of the procedure, it is up to the company to decide the necessity of documenting the procedure needed to address the clause requirements.
  • What is the difference between AS9100 and AS9120?

    The difference in the standards is the type of organization the Quality Management System requirements are intended for:
    AS9100 – Requirements for Aviation, Space and Defense Organizations
    AS9110 – Aerospace – Requirements for Maintenance Organizations
    AS9120 – Aerospace Requirements for Stockist Distributors
    So, from your comments it sounds like you are a distributor who is currently registered to AS9120 but is wondering about your repair facilities. If this is a repair and overhaul function, as opposed to a repair-when-there-is-a-defect function, then this would fall under AS9110, as it is a maintenance organization. AS9100 is intended for organizations which produce new parts, as opposed to those which do either repair and overhaul or distribution.
    I hope this answers your questions; please let me know if there is anything further you need.
  • ISO personal certifications and Content for employees


    Answer: There is one kind of certification issued to persons similar to COBIT Assessor: the ISO 20000 Lead Auditor certification. This certification recognizes that its holder has demonstrated competence to audit a management system against the ISO 20000 standard, which defines requirements for the management of IT services.

    2. I work in HR and we are looking at ISO 27001. What is the requirement with regards to a Staff Manual? We have ISMS policies in place, but I wonder if there is anything required that needs to be included in the Staff Manual?

    Answer: ISO 27001 has no specific requirements demanding a Staff Manual, but you should ensure it reflects the results of risk assessment and treatment, i.e., risks and controls that employees can directly interact with. Examples of content, as you pointed out, are the implemented security policies, but you can also include examples of risks and how to manage them (e.g., how to identify and handle social engineering attacks). Additionally, you can also communicate the employees' responsibilities regarding information protection, the impacts of nonconformities, and the importance of achieving the defined information security objectives. By using the Staff Manual this way you can cover requirements related to leadership commitment (clause 5.1) and communication (clause 7.4).

    This article will provide you with further explanation about what you should consider as content for a Staff Manual:
    - Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
  • Ensuring compliance of information security in projects


    Answer: Information security management requires a lot of analysis and evaluation work to be done, and today most of these activities cannot simply be automated, because some decisions require a human feeling and perception of the business environment that a machine cannot properly evaluate. However, when we talk about measurement and monitoring, you can make use of automated tools to:
    - collect data, or remind a person that data should be gathered;
    - compare gathered data with risk level limits to warn about risks that require further analysis;
    - organize and present data for decision making.

    Considering this, you can make use of automated tools to cover part of the monitoring and measurement of risk management functions, if you can ensure the automated compliance solution can provide the control and evidence you would require if the control were done manually. One way to provide this assurance is by defining your requirements for this automated solution at the beginning of the development or acquisition process, so you can test them during the development / acquisition process.

    This article will provide you with further explanation about requirements in the development life cycle and the use of tools:
    - How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/
    - When to use tools for ISO 27001/ISO 22301 and when to avoid them https://advisera.com/conformio/blog/2021/06/24/toolkit-vs-conformio-which-is-more-applicable-for-my-company/
  • Business continuity plans


    Answer: Yes. In a general manner, you can have business continuity plans related to the continuity of business processes themselves and plans for the continuity of the infrastructure that supports business processes. As an example, you can think about a sales process supported by an information system hosted in a remote data center. In this case you can have a business disruption happening either at the point of sale (e.g., a store) or in the data center. For each situation you should consider a different business continuity plan.

    Additionally, the business continuity plan itself must consider different types of action:
    - emergency actions to be performed right after the disruption is identified;
    - continuity actions to bring activities back to minimum agreed levels;
    - recovery actions to bring activities back to normal operations.

    These articles will provide you with further explanation about business continuity plans:
    - How to write business continuity plans? https://advisera.com/27001academy/blog/2010/04/08/how-to-write-business-continuity-plans/
    - Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/
    - ISO 22301 Case study in the travel industry: Business continuity as a necessity in customer care https://advisera.com/27001academy/blog/2016/11/07/iso-22301-case-study-in-the-travel-industry-business-continuity-as-a-necessity-in-customer-care/

    This material will also help you with business continuity plans:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
  • ISO 27001 security controls


    (How do the 114 controls that are applied in the standard work?)

    Answer: The controls stated in Annex A of the ISO 27001 standard should be applied to treat risks identified as unacceptable as a result of a risk assessment. Each one of them has characteristics that can be used, alone or in combination with other controls, to minimize the probability of occurrence of a risk or its impact on the organization.

    For example, if your risk assessment identifies that the loss of an electronic database is unacceptable, you can decide to mitigate this risk, and by consulting the controls of Annex A, you can decide to apply control A.12.2.1 (Controls against malware), to minimize the chances of a virus or other malicious software compromising your database, and control A.12.3.1 (Information backup), to minimize the impact of information compromise if a risk materializes, by maximizing the data that can be recovered from a backup.

    This article will provide you with further explanation about ISO 27001 security controls:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    - Overview of ISO 27001:2013 Annex A https://advisera.com/27001academy/iso-27001-controls/
    - How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/

    These materials will also help you with ISO 27001 security controls:
    - ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • ISO 27001 certification

    Thanks very much rhandleal.
  • ISO 27001 and ISO 27002


    Answer: Since you mentioned your current role is heading IT infrastructure, I'd suggest you pursue ISO 27001 knowledge first, because it can help you understand how to justify and prioritize which security controls should be implemented and how they should be managed, activities more related to your role. Additionally, if you are considering ISO implementation, ISO 27001 is the standard to be considered, since ISO 27002 is not certifiable.

    ISO 27002 focuses on details and recommendations to be observed for implementing ISO 27001 Annex A controls, and is more recommended for technical and operational personnel.

    This article will provide you with further explanation about the ISO 27001 and ISO 27002 standards:
    - ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/

    These materials will also help you with the ISO 27001 and ISO 27002 standards:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • SMQ in a power plant

    Hi, and thank you for all that you give us. I am now following a project of implementing an SMQ with a consultant in one of our power plants, and we have many problems:
    1. We have chosen a wrong project manager, and now we are in the description of the processes and their interactions. Can we remove him and replace him with another?
    2. The consultant at the gap analysis did not use the documentary audit. He only made the interview! When I asked him, he told me he will do it later. Is it a problem?
    3. When they describe the processes, they add a process of "social partner", even though it does not influence the SMQ. Is it correct?
    4. The consultant has proposed a quality policy without seeing the policy of the power plant! Is that possible?
    Thank you in advance.