The company needs to evaluate all its external providers of processes, products and services, and it can be done in different ways. Due to the different nature of relationships with customers and suppliers, the company will have to use different methods. A survey wouldn't be an appropriate methodology; rather, the company should define the criteria that are important for it and evaluate the suppliers against those criteria. Criteria can be quality of products and services, price, packaging, etc.
In theory, the organization doesn't have to have any training records. For example, if it has only low-skilled workers that do not need any training, then the company can have a certificate without any training record. The standard requires the organization to retain appropriate documented information as evidence of competence. This means that the company needs to have at least some evidence of employees' competence, such as college degrees, high school diplomas, licences, etc., but they do not have to have training records if they determined that no training is needed. There is no requirement for employees to attend training on the policy or the standard itself, but if they attended any training, there should be a record of it.
Please let me know if this is sufficient for the ISO 27001 audit.
Answer: Yes. If your risk evaluation, considering your acceptance criteria, has defined that only 5 risks are considered unacceptable, you can have treatment plans only for these 5 risks.
In the video tutorials that came with your toolkit, you have access to a video about Risk Assessment Methodology that can provide you with more information about risk acceptance criteria.
New ISO 27001, ISO 27002, ISO 27003
Answer: BS ISO/IEC 27002:2017 is not a new standard; this is only a "corrigendum", meaning that the existing version of the standard (from 2013) got corrected in some minor details. See the BSI webpage here: https://www.screencast.com/t/neKnflQucNt.
Regarding ISO 27003, we have already included the recommendations that are applicable to smaller companies into our documentation toolkits.
Of course, when new revisions of ISO 27001 and ISO 27002 are published (probably not before 2019), we will update the toolkit as well.
2) I noted a reference to 27001/22301 training in your updates, but I am not clear if your company has any online training for the latter? (By the way, I thought that the ISO27001 IA course was very worthwhile, but cannot really justify the exam in addition to my pre-existing LA and LI certifications.)
Answer: Unfortunately, we do not have online courses for ISO 22301, but we have a couple of free webinars - see their list here: https://advisera.com/27001academy/webinars/
Marketing and Sales in QMS
We are a small company and trying to get the ISO 9001:2015 certification. One of the processes is Marketing & Sales. What records related to Marketing & Sales will be audited for ISO 9001:2015 certification? There is one person for marketing and one for sales, but only one process. Can 2 persons have joint ownership of the process (Marketing & Sales)?
Answer:
ISO 9001 does not have any explicit requirements regarding marketing, but customer satisfaction monitoring (clause 9.1.2) can be considered a requirement related to marketing. Requirements that can be audited in the Sales and Marketing department are from clause 8.2.
It is very uncommon to have two persons as process owners, especially if there are only two persons in the process. It is better to define marketing and sales as separate processes, and each person can be the owner of their own process. They can still be part of the same department.
Environmental aspects and risks and opportunities
Opportunity Assessment...
They both use matrix assessment...?
What is the difference...
Can you give me advice, or if you have some example doc, let me know...
Answer:
The main difference between environmental aspects and risks and opportunities is in the scope of assessment. Environmental aspects are assessed within the processes and are directly linked to environmental impacts. Risks and opportunities assessment covers the entire context of the organization, and they can be related to the performance of the EMS (Environmental Management System) or possibilities for improvement of the EMS, and not only to environmental aspects.
The second important difference is that environmental aspect assessment requires a methodology, while risks and opportunities can be assessed in some free form, like a brainstorming session, and only key risks and opportunities need to be documented.
Emergency preparedness and response and environmental aspects
Answer:
Emergency preparedness and response plans should be developed according to identified emergency situations, which do not have to be related to significant environmental aspects. The purpose of these plans is to enable the organization to respond to potential emergency situations. For example, if your organization is close to a fuel pump, there is a chance of a fire that can affect your organization, so you need to develop an emergency preparedness and response plan for this situation.
Answer: First of all, ISO 27001 cannot be used to certify products. This standard can be used to certify an organization's Information Security Management System, regarding processes, organizational units and locations. That said, your assumption is correct when considering that you can have a limited scope, defining your Information Security Management System in terms of the software development process used to deliver the product, as a means to ensure to your customers that the required information security measures are identified, included and maintained in the software. But you should also note that limiting the scope doesn't make sense for smaller companies, since it will require greater effort than managing security considering the whole organization.
My company has already implemented 27001:2013 and we have an external audit scheduled in the coming week.
I would want to be an observer in this external audit, before I start auditing. Is it possible? Is it the right way to start off? Please share your inputs.
Answer: Yes, it is possible, but this situation varies from organization to organization and according to certification body policies, so you should verify this first with the person responsible for the audit in your organization (e.g., CISO, management representative, etc.). After that, this person has to communicate the request to the external auditor so he can see if it is possible to have an observer for that audit. If all is OK, the most important issue you have to note is that an observer, as the name says, cannot interfere during the audit. If you have anything to say or ask, you have to do that outside the audit's scheduled activities.
I could put a two page document together detailing the reasons why the whole business should be included but need to put this into a couple of lines.
Do you have any suggestions?
Answer: You can write that, by ISO 27001 clause 4.3 c, when defining the ISMS scope an organization also has to consider its relationships with all external elements that can influence it, and since support and installation have relationships with all other elements of the organization, the effort for managing this reduced scope and these relationships would be greater than managing a scope that includes the whole organization.