Search results


  • Example of risks in EMS


    Answer:

    Risks and opportunities in ISO 14001:2015 can be related to environmental aspects, compliance obligations and other issues related to the context of the organization. For example, if the environmental aspect is waste oil, the risk related to the aspect can be leakage of the oil or failure to meet legal requirements for waste oil disposal.

    For more information about risks and opportunities, see: Risks and opportunities in ISO 14001:2015 – What they are and why they are important https://advisera.com/14001academy/blog/2016/03/07/risks-and-opportunities-in-iso-140012015-what-they-are-and-why-they-are-important/
  • Project budget


    I can’t find a template for that? Or am I supposed to write it without any template?

    Answer: Each organization's context for budgeting its activities or projects, or planning human resources, is unique, so it is impractical to develop templates to cover every possible situation. But I suggest you use our Project plan template for both of these things - it already includes a section (3.4) where you have to list all the members of the project team, but you could add other necessary people as well. Additionally, you can also add a section about the financial resources needed for the project. The link for the Project plan template is https://info.advisera.com/27001academy/free-download/project-plan-for-iso-27001-iso-22301-implementation

    Furthermore, in this white paper you will find common aspects that you can use to prepare a project budget:
    - How to Budget an ISO 27001 Implementation Project https://info.advisera.com/27001academy/free-download/how-to-budget-an-iso-27001-implementation-project

    Although the white paper covers ISO 27001, the same concepts are applicable to ISO 22301.

    These materials will also help you regarding project budget:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
  • Facilities protection


    Answer: Considering ISO 27001, the security measures focus first on protection of information deemed important for the business (in your case the private data of the hotel's guests is a good example), and after that on the protection of assets that support the information (e.g., the hotel facilities).

    That said, the first measure you must consider is the implementation of a risk management process, so you can create a trustworthy information basis for determining which controls to apply.

    For protection of information, common preventive measures are the establishment of an access control policy, criteria for information classification, and training of staff about how to handle sensitive information.

    For protection of facilities the main controls recommended are perimeter definition (e.g., lobby, parking lot, guests' rooms, etc.), implementation of access controls (card keys for rooms), use of identification (e.g., badges and uniforms), and segregation of working and public areas (e.g., lobby and management office).

    These articles will provide you further explanation about Facilities protection:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    - How to protect against external and environmental threats according to ISO 27001 A.11.1.4 https://advisera.com/27001academy/blog/2016/01/25/how-to-protect-against-external-and-environmental-threats-according-to-iso-27001-a-11-1-4/

    These materials will also help you regarding Facilities protection:
    - ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Toolkit documentation


    I have noticed that there appears to be a number of clauses where there are example templates missing – I assumed when I purchased the ‘premium’ collection this would cover ALL clauses of the standards.

    Answer: ISO 27001 does not require each control in Annex A to be implemented, only those deemed necessary as a result of risk assessments, legal requirements or organizational decisions. To see the documents required by the standard, and the most common documents implemented to support an ISMS, please see this article: List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

    For ISO 22301 the situation is the same, the difference being that this standard also considers the business impact analysis information, and you can see the required documents, and the most common documents implemented to support a BCMS, in this article: Mandatory documents required by ISO 22301 https://advisera.com/27001academy/knowledgebase/mandatory-documents-required-by-iso-22301/

    Our toolkits focus on small and mid-size companies, and that's the reason we do not write documents to cover each control – for those companies this large number of documents would be overkill for many of them. Instead, a single template may cover multiple controls.

    In the root folder of the toolkit you'll find a document called “List of Documents” which will explain which control is covered by which document.

    These articles will provide you further explanation about how our templates can handle some controls from section A.6 of ISO 27001 Annex A:
    - Segregation of duties in your ISMS according to ISO 27001 A.6.1.2 https://advisera.com/27001academy/blog/2016/11/21/segregation-of-duties-in-your-isms-according-to-iso-27001-a-6-1-2/
    - How to manage security in project management according to ISO 27001 A.6.1.5 https://advisera.com/27001academy/what-is-iso-27001/
  • Security requirements checking and testing

    Question: You mean to say that after applying all the security controls, the system in question should go through all the software tests. Is that what you mean?

    Answer: What I mean is that the implemented security requirements (e.g., two-factor authentication to support an access control requirement, a secure communication protocol to support a protected communication requirement, etc.) should go through the same testing process you apply in your software development. You should consider them the same way you consider the tests for your software's functional and non-functional requirements.

    The tests' coverage and detail levels should be proportional to the degree of confidence you want that the security functions are properly implemented.

    For more orientation on security assurance in software development, I suggest you see the ISO standard 15408-1 at this link:

    https://www.iso.org/standard/50341.html
  • Preparing API Spec Q1 internal audit


    Answer:

    Regardless of the requirements to be audited, the internal audit process looks more or less the same. First, you need to define your internal audit plan, meaning that you need to define what processes will be audited against what requirements, who you will be speaking to, and the detailed timing of visiting departments and interviews. In this way you can notify the people in advance so they can dedicate their time to your audit.

    A very useful tool for conducting the audit is an internal audit checklist where you will write the items, or requirements, you are planning to check during the audit. Entries in the checklist can be in the form of statements or "yes or no" questions and can help you avoid missing something out. For more information on how to prepare the checklist, see: How to create a check list for an ISO 9001 internal audit for your QMS https://advisera.com/9001academy/blog/2016/07/12/how-to-create-a-check-list-for-an-iso-9001-internal-audit-for-your-qms/

    Once you have an internal audit plan and the checklist, you are ready for conducting the audit.
  • Implementing ISO 14001 without any cost


    Answer:

    The best way to implement the standard is to start with a GAP analysis to determine to what level your organization is already compliant with the standard and what needs to be done to achieve full compliance. Once you determine the gaps, you can develop a project plan for the implementation where you will define activities, responsibilities and deadlines. Then you can start developing documentation and performing all activities required by the standard.

    When all documents are created and all activities performed, you should conduct an internal audit and management review to ensure your system is compliant with the standard. Finally, you need to hire a certification body to conduct the audit and issue your company the certificate. For more information, see: List of ISO 14001 implementation steps https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/list-of-iso-14001-implementation-steps/

    As far as budgeting of the project is concerned, if you decide to implement the standard completely by yourself, you can implement the standard for free, but even in this case you will have to calculate the price of your working hours. This is definitely the cheapest option for the implementation, but it will take you a lot of time and at the end you won't be 100% sure you've implemented all requirements of the standard. For more information about costs involved in ISO 14001 implementation and certification, download this free whitepaper: How to budget an ISO 14001 implementation project https://info.advisera.com/14001academy/free-download/how-to-budget-an-iso-14001-implementation-project
  • Designing an integrated ISO 14001 and OHSAS 18001 manual


    Answer:

    ISO 14001 and OHSAS 18001 do not require a manual, so they do not have particular requirements on what the manual should contain. The usual information to be placed in the manual is the scope of the IMS, roles and responsibilities, the IMS policy, and a description of the IMS elements and their interactions.

    For more information about EMS and OH&SMS manuals, see:
    - What is an environmental management system manual? https://advisera.com/14001academy/knowledgebase/what-is-an-environmental-management-system-manual/
    - Does your organization need a health & safety manual? https://advisera.com/18001academy/blog/2016/10/12/does-your-organization-need-a-health-safety-manual/
  • Business Continuity Strategies


    The Activity Recovery Strategy document, at the end of point 3, states: "The recovery strategy for applications / databases and external services will be specified in the general part of the Strategy." But in the BC Strategy document I did not find the perfect place for that, and it doesn't seem to me a convenient location. Please help with this.

    Answer: If you need to detail strategies for specific applications, you can just add this information in section 5.3 (Applications/databases) of the BC strategy document. The text that comes with the template covers the situation where you use the same strategy for all applications, but this can be adjusted to fit your organization's needs.

    This material will also help you regarding BCP elaboration:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
  • Identification of risks and opportunities


    Answer:

    To determine the context of the organization, it is necessary to consider:

    - internal and external issues that may affect the operation of the company (Clause 4.1)
    - external and internal interested parties and their needs (Clause 4.1)

    A SWOT (DOFA) analysis makes it possible to evaluate strengths, weaknesses, opportunities and threats. Threats and weaknesses can be equated with risks, and strengths and opportunities with opportunities.
    Using this type of SWOT analysis will help you carry out planning and identify risks and opportunities. For example, if you identify as a risk that a key component of your product or service is going to become obsolete, then you can plan to find a replacement before customers are affected.
    In addition, you will need to add the risks arising from the processes defined in the company itself, such as those derived from strategic, support or operational processes.
    Later, in clause 6.1, you will need to analyze and prioritize the risks, draw up an action plan, implement the action plan and review its effectiveness.

    For more information, see the article on "how to address risks and opportunities":
    https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/