Search results


  • ISO 27001 benefits


    Answer: For more information about ISO 27001 you can check these materials:
    - What is ISO 27001? https://advisera.com/27001academy/what-is-iso-27001/
    - How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
    - ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/

    The general benefits of ISO 27001 are reduction of expenses caused by incidents, increase in the efficiency on compliance with regulations regarding data protection, privacy and IT governance, increase in competitiveness, and improvement on internal organization. Considering the Rural Tourism scenario you can think about these additional benefits:
    - Better protection of guests information
    - Improvement on communications infrastructure quality and availability (communication is generally a problem in rural areas)

    This article will provide you further explanation about ISO 27001 benefits:
    - Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/

    These materials will also help you regarding ISO 27001 benefits:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Lead Auditor certification


    Answer: The certification is issued by the training provider. Entities like PECB, IRCA and Exemplar Global (formerly RABQSA) provide accreditation for training providers that are compliant with ISO 17024 (Conformity assessment - General requirements for bodies operating certification of persons). A certification issued by providers accredited by PECB, IRCA or Exemplar Global is globally recognized. One example is the exam from our ISO 27001 Internal Auditor course, which is certified by Exemplar Global (for more information about this internal auditor course, please see this link: https://advisera.com/training/iso-27001-internal-auditor-course/)

    This article will provide you further explanation about Lead Auditor certification:
    - Accreditation vs. certification vs. registration in the ISO world https://advisera.com/articles/accreditation-vs-certification-vs-registration-in-the-iso-world/
  • Audit process


    (Hello, the book gives you a slight idea of an internal audit but does not explain each step in detail, neither what documents are needed or generated, nor how they should be generated. Can you help me with this?)

    Answer: Since you have already read the book, for a detailed explanation of the steps of an internal audit, I suggest you take a look at one of our free online courses about internal audit:
    - ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
    - Curso Auditor Interno ISO 9001:2015 https://advisera.com/es/formacion/curso-auditor-interno-iso-9001/
    - Curso Auditor Interno ISO 14001:2015 https://advisera.com/es/formacion/curso-de-auditor-interno-iso-14001/

    These courses have modules specifically devised to present an overview of the requirements of the related standard and details of the internal auditing process, which is basically the same for all of them.

    Regarding required documentation, ISO Management Standards released since 2012 do not demand too much, only an Internal audit program (clause 9.2) and the results of internal audits (clause 9.2). For generating this documentation it is recommended that you define a procedure for internal audit (but this procedure is not mandatory by any standard). To help you with this documentation, I suggest you take a look at the free demo of our internal audit toolkits:
    - ISO 27001/ISO 22301 Internal Audit Toolkit https://advisera.com/27001academy/iso-27001-22301-internal-audit-documentation-toolkit/
    - ISO 9001:2015 Internal Audit Toolkit https://advisera.com/9001academy/iso-9001-2015-internal-audit-toolkit/
    - ISO 14001:2015 Internal Audit Toolkit https://advisera.com/14001academy/iso-14001-2015-internal-audit-toolkit/

    These toolkits contain the following documents: Internal Audit Checklist, Procedure for Internal Audit, Annual Internal Audit Program, and Internal Audit Report. With these you will be able to properly plan and perform internal audits.

    This article will provide you further explanation about the audit process considering ISO 27001:
    - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

    If you feel you need additional information, you can schedule a free consultation with one of our experts:
    - For ISO 27001: https://advisera.com/27001academy/consultation/
    - For ISO 14001: https://advisera.com/14001academy/free-consultation/
    - For ISO 9001: https://advisera.com/9001academy/free-consultation/
  • Scope review


    Answer: Since part of the activities that were performed by your client are now under the control of its managed service vendor, it has to modify the scope to reflect this new situation. The main point to consider here is how much direct control the organization has over the applications and databases hosted in the outsourced data center. For example:

    - If the organization controls both the applications and databases (the data center only provides the physical and virtual machines), only the basic infrastructure of the datacenter should be excluded from the ISMS scope.

    - If the organization uses the applications as a service made available by the provider, only the organization's database should be included in the ISMS scope.

    This article will provide you further explanation about Scope review:
    - Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/

    These materials will also help you regarding Scope review:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Mandatory records and retention time in IATF 16949


    Answer:

    You can find the list of mandatory documents and records here: List of mandatory documents required by IATF 16949:2016 https://advisera.com/16949academy/knowledgebase/list-of-mandatory-documents-required-by-iatf-16949-2016/

    The standard requires the organization to define, document and implement a record retention policy, which can be part of the Procedure for Document and Record Control. For most documents the organization itself can define the retention time, while production part approvals, tooling records, product and process design records, purchase orders or contracts and amendments should be retained for the length of time that the product is active for production and service requirements, plus one calendar year, unless otherwise specified by the customer or regulatory agency.
  • Introducing an RfC

    Following an ITIL Service Portfolio Management (SPM) process, four types of process initiators can be found (Strategic initiative, Request from business, Service improvement and Service suggestion). We call all of them "initiatives", not requests for change (RFC). So when the business wants to change an application, it is not called an RFC from the beginning. It is called an INI.
    The change proposal is introduced in the 3rd activity of the SPM process (approve), when authorisation from change management is needed to proceed with the INI into an implementation project (covering the design and transition phases of new/changed services). After the new/changed services have been accepted, the RFCs are generated in order to authorise the deployment of the new/changed services into the production environment (where the "final changes" of CIs are performed).
  • Risks and opportunities in ISO 9001

    Could you please clarify my understanding by providing an example?
    Thank you very much, Mr. Stojanovic.

    Answer:

    The standard requires the organization to identify and address risks and opportunities related to the QMS effectiveness, which includes quality and conformity of products and services, customer satisfaction, QMS performance, etc. Risks related to occupational health and safety, for example, shouldn't be considered when identifying risks and opportunities for the QMS.

    As with the risks, the opportunities are focused on the QMS, its effectiveness and its ability to achieve the objectives, and this is the place to look for them.

    The risk can arise from either the external or the internal context. For example, the organization can have outdated equipment, so there is a risk of nonconforming products in the production process; as an action to address the risk, the organization can increase the frequency of preventive maintenance of the equipment to avoid failures.

    For more information, see: How to address risks and opportunities in ISO 9001 https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
  • Implementing ISO 9001 without any help


    Answer:

    ISO 9001 can be implemented without any external help, but this approach (although the least expensive) will take a lot of time, since the persons in charge of the implementation will have to understand the requirements of the standard and find a way to implement them. Also, you cannot be sure that you implemented all requirements of the standard before the certification audit, and that is the most inconvenient moment to find out that you have far too many nonconformities to get the certificate.

    However, there are other options for the implementation that do not include hiring a consultant for the entire project, but just gaining the know-how when you need it. For more information, see: Look at your options
    https://advisera.com/9001academy/consultant/iso9001-process/
  • People related threats and vulnerabilities


    Answer: In fact, the loss of knowledge is an impact (the effect of a realized risk) that can be the result of several types of risks, including risks related to people.

    Considering the asset-threat-vulnerability methodology, some people-related risks that can result in loss of knowledge are:
    - Social engineering: people may be induced by an attacker to inadvertently facilitate the theft of information. A vulnerability would be people without knowledge of how to identify and handle social engineering attacks.
    - Corruption: people may be induced by an attacker to steal information. A vulnerability would be people's personal problems.
    - Any event that can make people unavailable or inaccessible (e.g., better job offers, sickness, death, transport strike, etc.). A vulnerability would be people's habit of not documenting knowledge.

    This article will provide you further explanation about risk assessment:
    - ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

    These materials will also help you regarding risk assessment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Effectiveness of the corrective actions


    Answer:

    The purpose of the corrective action is to remove the cause of the nonconformity and prevent it from happening again. If the corrective action managed to achieve this, then it is considered effective. For example, if the corrective action process determined that the cause of the nonconformity was lack of training and you performed training as a corrective action, then if the nonconformity does not recur, the corrective action was effective.

    For more information, see: Using corrective actions to eliminate nonconformities and drive health & safety improvements https://advisera.com/18001academy/blog/2017/02/15/using-corrective-actions-to-eliminate-nonconformities-and-drive-health-safety-improvements/