Search results


  • Risk acceptance criteria

    Please let me know if this is sufficient for the ISO 27001 audit.

    Answer: Yes. If your risk evaluation, considering your acceptance criteria, has defined that only 5 risks are considered unacceptable, you can have treatment plans only for these 5 risks.

    This article will provide you further explanation about Risk acceptance criteria:
    - How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
    - Why is residual risk so important? https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/

    In the video tutorials that came with your toolkit, you have access to a video about Risk Assessment Methodology that can provide you more information about risk acceptance criteria.
  • New ISO 27001, ISO 27002, ISO 27003


    Answer: BS ISO/IEC 27002:2017 is not a new standard; this is only a "corrigendum" - meaning that the existing version of the standard (from 2013) got corrected with some minor details - see the BSI webpage here: https://www.screencast.com/t/neKnflQucNt.

    Regarding ISO 27003, we have already included the recommendations that are applicable to smaller companies into our documentation toolkits.

    Of course, when new revisions of ISO 27001 and ISO 27002 are published (probably not before 2019), we will update the toolkit as well.

    2) I noted a reference to 27001/22301 training in your updates, but I am not clear if your company has any online training for the latter? (By the way, I thought that the ISO27001 IA course was very worthwhile, but cannot really justify the exam in addition to my pre-existing LA and LI certifications.)

    Answer: Unfortunately, we do not have online courses for ISO 22301, but we have a couple of free webinars - see their list here: https://advisera.com/27001academy/webinars/
  • Marketing and Sales in QMS

    We are a small company and trying to get the ISO 9001:2015 certification. One of the processes is Marketing&Sales. What records related to Marketing&Sales will be audited for ISO 9001:2015 certification? There is one person for marketing and one for sales but only one process. Can 2 persons have joint ownership of the process (Marketing&Sales)?

    Answer:

    ISO 9001 does not have any explicit requirements regarding marketing, but customer satisfaction monitoring (clause 9.1.2) can be considered as a requirement related to marketing. Requirements that can be audited in the Sales and Marketing department are from clause 8.2.

    It is very uncommon to have two persons as process owners, especially if there are only two persons in the process. It is better to define marketing and sales as separate processes, and each person can be the owner of his or her process. They can still be part of the same department.
  • Environmental aspects and risks and opportunities

    Opportunity Assessment....

    They both use matrix assessment....?
    What is the difference......

    Can you give me advice, or if you have some example doc, let me know....

    Answer:

    The main difference between environmental aspects and risks and opportunities is in the scope of assessment. Environmental aspects are assessed within the processes and are directly linked to environmental impacts. Risks and opportunities assessment covers the entire context of the organization, and they can be related to the performance of the EMS (Environmental Management System) or to possibilities for improvement of the EMS, and not only to environmental aspects.

    The second important difference is that environmental aspect assessment requires a methodology, while risks and opportunities can be assessed in some free form like a brainstorming session, and only key risks and opportunities need to be documented.

    Finally, significant environmental aspects require operational controls, which are continual and ongoing activities, while risks and opportunities require actions to address them, which can be one-time activities. For more information, see: ISO 14001 risks and opportunities vs. environmental aspects https://advisera.com/14001academy/blog/2016/06/06/iso-14001-risks-and-opportunities-vs-environmental-aspects/
  • Emergency preparedness and response and environmental aspects


    Answer:

    Emergency preparedness and response plans should be developed according to identified emergency situations, which do not have to be related to significant environmental aspects. The purpose of these plans is to enable the organization to respond to potential emergency situations. For example, if your organization is close to a fuel pump, there is a chance of fire that can affect your organization, so you need to develop an emergency preparedness and response plan for this situation.

    If emergency and response plans are made only for convenience, then the requirements of the standard will be only formally met, without any benefit for the organization. For more information, see: How to satisfy emergency response requirements in ISO 14001:2015 https://advisera.com/14001academy/blog/2015/10/19/how-to-satisfy-emergency-response-requirements-in-iso-140012015/
  • ISMS scope


    Answer: First of all, ISO 27001 cannot be used to certify products. This standard can be used to certify an organization's Information Security Management System, regarding processes, organizational units and locations. That said, your assumption is correct when considering that you can have a limited scope, defining your Information Security Management System in terms of the software development process used to deliver the product, as a means to assure your customers that the required information security measures are identified, included and maintained in the software. But you should also note that limiting the scope doesn't make sense for smaller companies, since it will require greater effort than managing security considering the whole organization.

    This article will provide you further explanation about ISMS scope:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    These materials will also help you regarding ISMS scope:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Observer in a audit

    My company has already implemented 27001:2013 and we have an external audit scheduled in the coming week.
    I would want to be an observer in this external audit, before I start auditing. Is it possible? Is it the right way to start off? Please share your inputs.

    Answer: Yes, it is possible, but this situation varies from organization to organization and according to certification body policies, so you should verify this first with the person responsible for the audit in your organization (e.g., CISO, management representative, etc.). After that, this person has to communicate the request to the external auditor so he can check whether it is possible to have an observer for that audit. If all is ok, the most important issue you have to note is that an observer, as the name says, cannot interfere during the audit. If you have anything to say or ask, you have to do that outside the audit's scheduled activities.

    This article will provide you further explanation about becoming an auditor:
    - Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/
    - How to approach an auditor in a certification audit https://advisera.com/articles/how-to-approach-an-auditor-in-a-certification-audit/

    These materials will also help you regarding becoming an auditor:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • ISMS scope definition

    I could put a two-page document together detailing the reasons why the whole business should be included, but need to put this into a couple of lines.
    Do you have any suggestions?

    Answer: You can write that, according to ISO 27001 clause 4.3 c, when defining the ISMS scope an organization also has to consider its relationships with all external elements that can influence it, and since support and installation have relationships with all the other organization's elements, the effort for managing this reduced scope and these relationships would be greater than managing a scope including the whole organization.

    This article will provide you further explanation about problems with scope definition:
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    This material will also help you regarding scope definition:
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Questions about ISO 9001 implementation

    ISO 9001 is the world's most well known norm. This standard is pertinent to every one of the fields independent of the size, nature and size of the association. ISO 9001 confirmation in Lagos furnishes an association with a bunch of rules that assurance focused, educated, logical and set up way to deal with the administration of business exercises to efficiently achieve customer fulfillment and regularly improve operational adequacy and helps a wide range of associations to prevail through improved consumer loyalty, staff inspiration and persistent improvement. ISO 9001 in Lagos assists your associations with exhibiting clients that they can offer items and administrations of reliably great quality. It empowers you to more readily adjust and coordinate various administration guidelines. This assists your association with tending to production network the executives all the more viably.

  • Implementation in a single area

    What we are thinking of doing, and what I would like you to tell me whether it is correct to do it in the following way: the other areas of the company (administration, software, technical support and engineering) that we do not want to implement ISO 9001, can we treat them as external suppliers so that only requirement 8.4, control of externally provided products and services, applies to them? Is what we want to do correct? Or in what other way can it be done?

    Answer:

    The scope of the QMS does not need to cover all the processes of the organization; however, it does have to include at least one product or service that will be delivered to the customer, or at least that forms part of it. As in your case, it is possible to implement the standard with the customer and/or supplier inside the organization itself.

    Even if you want to implement the standard in only one area of the company, it is necessary to comply with all the requirements of ISO 9001; this applies to all the strategic and support processes in the organization. That is, being certified in a single area does not exempt the company from defining the quality policy, establishing objectives, identifying the context, carrying out a method for identifying and evaluating risks, etc.

    Here you can find information on the list of mandatory documents required by ISO 9001:2015: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/lista-de-documentos-obligatorios-requeridos-por-la-iso-90012015/