Is addressing risks and opportunities a one-time activity?
Is it to be done periodically, or to be done only if there is any change in the QMS process?
Answer:
Addressing risks and opportunities shouldn't be a one-time process. The risks and opportunities should be assessed any time there are changes in the context of the organization and changes in the QMS. Additionally, during the management review, you need to evaluate the effectiveness of the actions taken to address risks and opportunities, and as an output of the management review, you need to define opportunities for improvement.
Answer: ISO 27001 allows you to set your own frequency and audit scope; however, you need to perform at least one internal audit per year because of the certification body's surveillance visits. This means that you can take both approaches you suggested - full audit scope every year, or full audit scope over the 3-year period.
It is better if your internal audit covers the whole scope every year, because this way you reduce the likelihood of being non-compliant at surveillance visits.
There is one exception to what I explained above: when you go for the initial certification audit, your internal audit needs to cover the whole ISMS scope.
These materials will also help you regarding internal audit:
- Book ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- Free online training ISO 27001 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
Inventory of assets
In that, for example, I bundled laptops together under the asset name and category of IT equipment, as our main risks/concerns were loss or theft during travel, and hence our treatment was MDM and encryption of drives. However, I believe that in the inventory table I need to list each laptop the company owns, for every member of staff, for example? Please confirm, as if that is the case I have my work cut out.
Thanks in advance for your help
Answer: There is no need to mention specific laptops and staff members in the inventory if you are applying the same controls to all laptops. You can use a general asset description like "corporate laptop", and as the asset owner you can define "laptop user", for example.
The first thing when auditing waste management is to see if there are any statutory and regulatory requirements regarding the type of waste being managed. If there is such legislation, then you need to see first whether the waste management process is compliant with these requirements.
Then you need to see if there is any documented procedure or work instruction that explains how the waste management process is carried out, and audit the process according to the information provided in the procedure. This type of audit requires the auditor to conduct interviews with employees and the manager responsible for the process to determine whether the process is carried out as planned and also whether the process is effective.
When defining any quality objective, you must ask yourself what is best for the QMS and how the objective affects customer satisfaction. In the case of the response to quality issues raised by a customer, the best way to respond is as soon as possible, but you need to define some time frame (e.g. 24 or 12 hours) and measure your response rate so you can see whether the objective is achieved or not. Also, you need to define a plan for achieving the objective; in this case, it can be changing the procedure for communication with customers, or hiring new people to ensure that the response time is within the limits you previously defined.
The first step in reaching the objectives and targets is to define them in a way that enables you to evaluate the level of achievement of the objectives. This means that the objectives and targets need to be SMART (Specific, Measurable, Attainable, Relevant and Timely). Once you define the objectives and targets, you need to define programs for achieving them. This means that you need to define what actions will be taken, what resources are needed, who is responsible and what the deadline for those actions is. Finally, during the management review you need to evaluate the level of achievement of the objectives. For more information, see: How to define OHSAS 18001 objectives and programs https://advisera.com/18001academy/blog/2015/11/11/how-to-define-ohsas-18001-objectives-and-programs/
The general benefits of ISO 27001 are a reduction of expenses caused by incidents, increased efficiency in complying with regulations regarding data protection, privacy and IT governance, increased competitiveness, and improvement of the internal organization. Considering the Rural Tourism scenario, you can think about these additional benefits:
- Better protection of guests' information
- Improvement in communications infrastructure quality and availability (communication is generally a problem in rural areas)
Answer: The certification is issued by the training provider. Entities like PECB, IRCA and Exemplar Global (formerly RABQSA) provide accreditation for training providers that are compliant with ISO 17024 (Conformity assessment - General requirements for bodies operating certification of persons). A certification issued by providers accredited by PECB, IRCA or Exemplar Global is globally recognized. One example is the exam from our ISO 27001 Internal Auditor course, which is certified by Exemplar Global (for more information about this internal auditor course, please see this link: https://advisera.com/training/iso-27001-internal-auditor-course/)
(Hello, the book gives you a slight idea of an internal audit but does not explain each step in detail, nor what documents are needed or generated, nor how they should be generated. Can you help me with this?)
These courses have modules specifically devised to present an overview of the requirements of the related standard and details of the internal auditing process, which is basically the same for all of them.
These toolkits contain the following documents: Internal Audit Checklist, Procedure for Internal Audit, Annual Internal Audit Program, and Internal Audit Report. With these you will be able to properly plan and perform internal audits.
Answer: Since part of the activities that were performed by your client are now under the control of its managed service vendor, it has to modify the scope to reflect this new situation. The main point to consider here is how much direct control the organization has over the applications and databases hosted in the outsourced data center. For example:
- If the organization controls both the applications and databases (the data center only provides the physical and virtual machines), only the basic infrastructure of the datacenter should be excluded from the ISMS scope.
- If the organization uses the applications as a service made available by the provider, only the organization's database should be included in the ISMS scope.