
  • Toolkit documentation


    I have noticed that there appears to be a number of clauses where there are example templates missing – I assumed when I purchased the ‘premium’ collection this would cover ALL clauses of the standards.

    Answer: ISO 27001 does not require each control in Annex A to be implemented, only those deemed necessary as result of risk assessments, legal requirements or organizational decision. To see the required documents by the standard, and the most common documents implemented to support an ISMS, please see this article: List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

    For ISO 22301 the situation is the same, the difference being that this standard also considers the business impact analysis information, and you can see the required documents, and the most common documents implemented to support a BCMS, in this article: Mandatory documents required by ISO 22301 https://advisera.com/27001academy/knowledgebase/mandatory-documents-required-by-iso-22301/

    Our toolkits focus on small and mid-size companies, and that's the reason we do not write documents to cover each control – for those companies this large number of documents would be overkill for many of them. Instead, a single template may cover multiple controls.

    In the root folder of the toolkit you'll find a document called “List of Documents” which will explain which control is covered by which document.

    These articles will provide you with further explanation about how our templates can handle some controls from section A.6 of ISO 27001 Annex A:
    - Segregation of duties in your ISMS according to ISO 27001 A.6.1.2 https://advisera.com/27001academy/blog/2016/11/21/segregation-of-duties-in-your-isms-according-to-iso-27001-a-6-1-2/
    - How to manage security in project management according to ISO 27001 A.6.1.5 https://advisera.com/27001academy/what-is-iso-27001/
  • Security requirements checking and testing

    Question: Do you mean to say that after applying all the security controls, the system in question should go through all the software tests? Is that what you mean?

    Answer: What I mean is that the implemented security requirements (e.g., two-factor authentication to support an access control requirement, a secure communication protocol to support a protected communication requirement, etc.) should go through the same testing process you apply in your software development. You should consider them the same way you consider the tests for your software's functional and non-functional requirements.

    The tests' coverage and detail levels should be proportional to the degree of confidence you want that the security functions are properly implemented.

    For more orientation on security assurance in software development, I suggest you see the ISO standard 15408-1 at this link:

    https://www.iso.org/standard/50341.html
  • Preparing API Spec Q1 internal audit


    Answer:

    Regardless of the requirements to be audited, the internal audit process looks more or less the same. First, you need to define your internal audit plan, meaning that you need to define what processes will be audited against what requirements, who you will be speaking to, and the detailed timing of visiting departments and interviews. In this way you can notify the people in advance so they can dedicate their time to your audit.

    A very useful tool for conducting the audit is an internal audit checklist, where you will write the items or requirements you are planning to check during the audit. Entries in the checklist can be in the form of statements or "yes or no" questions and can help you avoid missing something out. For more information on how to prepare the checklist, see: How to create a check list for an ISO 9001 internal audit for your QMS https://advisera.com/9001academy/blog/2016/07/12/how-to-create-a-check-list-for-an-iso-9001-internal-audit-for-your-qms/

    Once you have an internal audit plan and the checklist, you are ready for conducting the audit.
  • Implementing ISO 14001 without any cost


    Answer:

    The best way to implement the standard is to start with a GAP analysis to determine to what level your organization is already compliant with the standard and what needs to be done to achieve full compliance. Once you determine the gaps, you can develop a project plan for the implementation where you will define activities, responsibilities and deadlines. Then you can start developing documentation and performing all activities required by the standard.

    When all documents are created and all activities performed, you should conduct an internal audit and management review to ensure your system is compliant with the standard. Finally, you need to hire a certification body to conduct the audit and issue your company the certificate. For more information, see: List of ISO 14001 implementation steps https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/list-of-iso-14001-implementation-steps/

    As far as budgeting of the project is concerned, if you decide to implement the standard completely by yourself, you can implement the standard for free, but even in this case you will have to calculate the price of your working hours. This is definitely the cheapest option for the implementation, but it will take you a lot of time and at the end you won't be 100% sure you've implemented all requirements of the standard. For more information about costs involved in ISO 14001 implementation and certification, download this free whitepaper: How to budget an ISO 14001 implementation project https://info.advisera.com/14001academy/free-download/how-to-budget-an-iso-14001-implementation-project
  • Designing an integrated ISO 14001 and OHSAS 18001 manual


    Answer:

    ISO 14001 and OHSAS 18001 do not require a manual, so they do not have particular requirements on what the manual should contain. The usual information placed in the manual is the scope of the IMS, roles and responsibilities, the IMS policy, and a description of IMS elements and their interactions.

    For more information about EMS and OH&SMS manuals, see:
    - What is an environmental management system manual? https://advisera.com/14001academy/knowledgebase/what-is-an-environmental-management-system-manual/
    - Does your organization need a health & safety manual? https://advisera.com/18001academy/blog/2016/10/12/does-your-organization-need-a-health-safety-manual/
  • Business Continuity Strategies


    In the Activity Recovery Strategy document, at the end of point 3 it states: "The recovery strategy for applications / databases and external services will be specified in the general part of the Strategy." But in the BC Strategy document I did not find the perfect place for that, and it doesn't seem to me a convenient location. Please help with this.

    Answer: If you need to detail strategies for specific applications you can just add this information in section 5.3 (Applications/databases) of the BC strategy document. The text that comes with the template covers the situation where you use the same strategy for all applications, but this can be adjusted to fit your organization's needs.

    This material will also help you regarding BCP elaboration:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
  • Identification of risks and opportunities


    Answer:

    To determine the context of the organization it is necessary to consider:

    - internal and external issues that may affect the functioning of the company (Clause 4.1.)
    - external and internal interested parties and their needs (Clause 4.1.)

    Through a SWOT analysis it is possible to evaluate strengths, weaknesses, opportunities and threats. Threats and weaknesses can be equated with risks, and strengths and opportunities with opportunities.
    Using this type of SWOT analysis will help you carry out the planning and identify the risks and opportunities. For example, if a risk is identified that a key component in your product or service is going to become obsolete, then you can plan to find a replacement before consumers are impacted.
    In addition, it will be necessary to add the risks arising from the processes defined in the company itself, such as those derived from strategic, support or operational processes.
    Subsequently, in clause 6.1. it will be necessary to analyze and prioritize the risks, draw up an action plan, implement the action plan and review its effectiveness.

    For more information you can see the article "how to address risks and opportunities":
    https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
  • ISO management systems compatibility

    Can you provide in the process, cross references between ISO 9001:2015 and ISO 27001/ISO 22301?

    Answer: Currently we have this material you can use to cross reference these standards:
    - Clause-by-clause explanation of ISO 9001:2015 https://info.advisera.com/9001academy/free-download/clause-by-clause-explanation-of-iso-90012015
    - Clause-by-clause explanation of ISO 27001 https://info.advisera.com/27001academy/free-download/clause-by-clause-explanation-of-iso-27001
    - Clause-by-clause explanation of ISO 22301 https://info.advisera.com/27001academy/free-download/clause-by-clause-explanation-of-iso-223012008
    These materials provide explanations and support material for each clause, and since these standards have the same framework, the clause numbering is equivalent between them.

    This article will provide you with further explanation about integrating management systems:
    - How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/
  • Mission, vision and values

    We are preparing to become ISO 9001 certified, and I ask you:
    Do I have to draw up Vision, Mission and Values policies different from the ones we already have?

    Answer

    For the ISO 9001 standard you will need to write new policies from a different approach. The mission and vision must be aligned with the quality policy as well as with the quality objectives, placing emphasis on customers and on how the organization wants the service to be carried out, in a clear and concise way.
    The quality policy includes most of the goals, intentions and direction of an organization, while the quality objectives are designed to support the quality policy and are specific to employees and departments.

    For more information, see the article "how to write good quality objectives": https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/como-escribir-buenos-objetivos-de-calidad/
  • Processes and risks


    Answer:

    A process is a series of actions or steps taken in order to achieve a particular outcome. You need to observe the activities performed within your company and determine what the separate entities are that produce the required outcomes. For example, a production process has an input, which is a working order, production plan or similar, and as an outcome of the process you have a final product. Other examples of processes are the sales process, design and development, purchasing, transport, etc. For more information, see: ISO 9001: The importance of the process approach https://advisera.com/9001academy/blog/2015/12/01/iso-9001-the-importance-of-the-process-approach/

    Risks in the processes are in most cases related to events that can result in the process failing to deliver the expected outcome. For example, what events can result in the process delivering nonconforming products. These events are then assessed in terms of their probability of occurrence and severity of consequences to determine whether they need to be addressed. For more information, see: How to address risks and opportunities in ISO 9001 https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/