Search results


  • Documentation audit

    Are the documents of the SMI treated according to the requirements of the three ISO standards separately, or in an integrated way?

    Answer:

    QMS documentation comprises all documents and records required by the standard itself and the documents which the company has determined to be necessary to maintain an effective QMS (Quality Management System). All documents that are part of your QMS will be audited, and the same document and record control rules should be applied unless the procedure for document and record control states otherwise.

    For more information, see: How to structure quality management system documentation https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/
  • Retention of tooling records

    For example, a part is manufactured continuously and the expected product life is 10 years. Does that mean 10+1 years of tool records need to be maintained?

    Answer:

    The records for the tools need to be maintained during the active time of production, which means they are to be kept as long as the product is being produced plus one calendar year, not product lifetime plus one calendar year. Considering the changes in products, this time probably wouldn't take 10 years, but you also need to consider customer and legal requirements when it comes to retention of this type of documents.
  • Clause 6.1: risks and opportunities

    My answer:

    The ISO 14001:2015 standard does not set any requirement for risk management, nor any document, so it is up to the company itself to choose the most appropriate methodology for identifying risks and opportunities. It can be carried out through a simple qualitative system or a more complex analysis in which quantitative aspects are also considered. As a guide, you can look at the methods included in the ISO 31000 family, which includes SWOT analysis and other assessment methods. However, it is always possible to do it more simply, by organizing a brainstorming session with the most relevant employees of the organization.
  • Environmental aspects in consulting agency

    Answer:

    Most of the environmental aspects will be the same as for any office-based business: waste paper, toners and other electronic waste, power consumption, etc. Depending on the type of consultancy you perform (e.g. engineering consultancy), maybe you will have to include environmental protection requirements in your design and development or project management process.

    For more information, see: How to identify environmental aspects in your office using ISO 14001 https://advisera.com/14001academy/blog/2015/05/18/how-to-identify-environmental-aspects-in-your-office-using-iso-14001/
  • Integrating OHSAS 18001 and ISO 14001

    Answer:

    The first step in the integration process is to identify all common requirements of both standards and start with implementing them first, and then you need to focus on the specific requirements of ISO 14001 and OHSAS 18001.

    For example, the common requirements are control of documents and records, policies, objectives, competence and awareness, communication, nonconformities, corrective actions, internal audit, etc.

    For more information on how to integrate OHSAS 18001 and ISO 14001, see: How to integrate OHSAS 18001 and ISO 14001 https://advisera.com/18001academy/blog/2016/08/31/how-to-integrate-ohsas18001-and-iso14001/
  • Risk assessments

    Answer: To ensure you identify the most relevant risks related to an asset (you do not have to identify all risks), you should ensure an approach from as many points of view as possible. Think about including in the same risk identification session people from different areas and processes. For example, if you are evaluating the sales process, try to bring in people from the IT, financial and legal departments. For sure all of them will have different interests in information security and will point out different risks.

    And even if you didn't identify all the risks, you will probably identify them during the next review of your risk assessment; no one expects you to do it perfectly the first time, as risk assessment is something that is continually improved.

    These articles will provide you further explanation about Risk assessment:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
    - ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
    - 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/

    These materials will also help you regarding risk assessment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Clause 4.1

    ISO 14001 requires organizations to define the context of the organization by determining the internal and external issues that are relevant to their objectives and that affect their ability to achieve the intended outcomes of their EMS. The term "intended outcomes" refers to what is required of the organization and what it wants to achieve by implementing the EMS. The minimum intended outcomes under the standard include improving environmental performance, fulfilling legal obligations and achieving the environmental objectives.

    You can carry out a SWOT analysis or a PEST analysis when determining the context of the organization, or schedule a brainstorming session with the relevant staff of your organization. The results of those analyses, or a record with the minutes of the brainstorming session, will prove that all issues have been considered within the EMS.

    In addition, it is possible to determine which parts of the organization should be part of the EMS depending on the reasons for implementing the standard, for example whether it is a customer requirement or a requirement of the company itself.
  • NIST, COSO and ISO 27001

    Answer: In fact these frameworks are not competitors, but they complement each other. COSO gives you a corporate view of risk management, and the NIST SP 800 series provides security practices for IT environments. As for ISO 27001, it provides you with a framework for managing information security, considering not only IT environments, but also physical and human aspects, as well as business objectives.

    That said, while ISO 27001 is more prepared to manage information security than the NIST standards and COSO, it can benefit from the other two frameworks for complementing its approach regarding IT controls and understanding of risk in the business context.

    These articles will provide you further explanation about these frameworks:
    - How to integrate COSO, COBIT, and ISO 27001 frameworks https://advisera.com/27001academy/blog/2016/10/10/how-to-integrate-coso-cobit-and-iso-27001-frameworks/
    - How to use the NIST SP800 series of standards for ISO 27001 implementation https://advisera.com/27001academy/blog/2016/05/02/how-to-use-the-nist-sp800-series-of-standards-for-iso-27001-implementation/
  • Career on Information Security

    I want to take up training and certification for ISO 27001, and gradually move up the ladder with CISA.
    Here is the dilemma: should I opt for ISO certification at this stage or not? And what approach should I follow to attain it? What study material should I follow? Do you offer training sessions? What action plan should I follow, since after this data center project there is a high probability I would be assigned to a different project in the same role?
    As of now I find myself in a difficult situation when taking decisions, since my team would have to live with the decisions I take for a long time. I myself don't have prior experience in this domain and am finding it a bit difficult to gauge CIA parameters.
    I have expertise in Service Operations, Incident, Change and Event Management, good knowledge of the server admin role and the basics of networking.

    Answer: From what you described, my suggestion for your development would be first to consider obtaining knowledge of the requirements of the standard and how to conduct an implementation process. For that you can find ISO 27001 Lead Implementer courses on the market. Your previous knowledge of ITIL, server administration and networking will help, but information security covers many more issues, like human resources and legal requirements.

    Second would be obtaining knowledge of the audit aspects of ISO 27001, and for that you can consider either ISO 27001 Internal Auditor courses or ISO 27001 Lead Auditor courses (for immediate needs or a low budget you can go for internal auditor courses, but since you are thinking about CISA, the lead auditor course can help you more regarding that goal).

    Regarding training sessions, you can take a look at some of our online courses:
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

    These articles will provide you further explanation about courses on ISO 27001:
    - Lead Auditor Course vs. Lead Implementer Course – Which one to go for? https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/
    - What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
    - CISA vs. ISO 27001 Lead Auditor certification https://advisera.com/27001academy/blog/2015/05/11/cisa-vs-iso-27001-lead-auditor-certification/

    These materials will also help you regarding ISO 27001:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - Preparations for the ISO Implementation Project: A Plain English Guide https://advisera.com/books/preparations-for-the-iso-implementation-project-a-plain-english-guide/
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Risk assessment

    Answer: For the creation of a risk assessment you should consider:
    - Definition of how to identify the risks to information security
    - Definition of how to identify risk owners
    - Definition of criteria for assessing consequences and likelihood of the risk
    - Definition of how to calculate the risk
    - Definition of criteria for accepting risks

    Regarding the risk analysis, the main approaches are qualitative and quantitative analysis.

    These articles will provide you further explanation about Risk assessment:
    - How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - Qualitative vs. quantitative risk assessments in information security: Differences and similarities https://advisera.com/27001academy/blog/2017/03/06/qualitative-vs-quantitative-risk-assessments-in-information-security/

    These materials will also help you regarding Risk assessment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/

    For environmental impact assessment, I suggest you take a look at these articles:
    - ISO 14001:2015 – How to set criteria for environmental aspects evaluation https://advisera.com/14001academy/blog/2016/10/31/iso-140012015-how-to-set-criteria-for-environmental-aspects-evaluation/
    - ISO 14001 risks and opportunities vs. environmental aspects https://advisera.com/14001academy/blog/2016/06/06/iso-14001-risks-and-opportunities-vs-environmental-aspects/