Search results


  • Risk management


    1. What is the objective of Risk Assessment?

    Answer: The objective of risk assessment is to identify and prioritize the risks you are exposed to, according to predefined criteria. This way you will have an overview of which ones you should handle first and why.

    2. What are the methods of Risk Remediation?

    Answer: There are 4 general risk remediation options: 1) decrease the risk; 2) share the risk; 3) avoid the risk; and 4) retain the risk. See more information in this article:
    - 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/

    3. Why is a risk assessment conducted?

    Answer: A risk assessment may be conducted to fulfil a legal requirement (e.g., a law, standard or contractual clause) or an organization's decision. In either case, the purpose is to use its results to make better decisions considering the organizational resources available and the main risks to which it is exposed.

    4. What are the steps to conduct the risk assessment?

    Answer: According to ISO 27001, the risk assessment process includes 6 steps: 1) risk assessment methodology; 2) risk assessment implementation; 3) risk treatment implementation; 4) risk assessment report; 5) Statement of Applicability; and 6) Risk treatment plan. For more information, see this article: ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    5. Is it a good idea to define policies/procedures/guidelines before the risk assessment, or vice versa?

    Answer: You should define policies/procedures/guidelines for treating risks after the risk assessment, so that you define only what is needed to handle the risks you are exposed to. Only the documentation related to the risk assessment methodology should be defined first, so everyone performing the assessment does it the same way.

    This article will provide you further explanation about risk management:
    - What is an Information Security Management System (ISMS) according to ISO 27001? https://advisera.com/27001academy/blog/2016/05/23/information-security-management-system-isms-according-iso-27001/

    These materials will also help you regarding management:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • ISO 27001 Implementation - A8 Asset Management


    I am documenting the assets inventory template as per the purchased ISO 27001 toolkit.

    Under the asset categories, mostly INFRASTRUCTURE and OUTSOURCED SERVICES.

    1 - In the company, we have workstations, and for each workstation we got different assets like PC, Monitor, keyboard, mouse etc. So my question is while documenting this, should I state the workstation as an asset or should I list all the components mentioned as assets for the document to be ISO 27001 compliant?

    Answer: If there is no specific reason to list the individual assets separately you can refer to them as workstation in your inventory. You only have to include in the notes column a comment describing the parts that make up the workstation.

    This article will provide you further explanation about assets management implementation:
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

    2 - My other question concerns the outsourced services; in my case the office space and the data centers are leased from 3rd parties. So are their policies and ISO 27001 certificates enough evidence to be used?

    Answer: No. Regarding outsourced services, you should also include the contracts or agreements you have with them, which should include clauses covering the security measures the outsourced services should fulfil.

    This article will provide you further explanation about handling suppliers:
    - 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
  • ISO 27005 toolkit


    Answer: The risk assessment and treatment templates in our ISO 27001 toolkits are fully compliant with ISO 27005, you can use them if you want to be compliant with this standard.

    You can take a look at the free demo of our ISO 27001/ISO 22301 Risk Assessment Toolkit and see if it fulfills your needs. The link for the toolkit is https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/

    It is composed of the following templates: (1) Risk Assessment and Risk Treatment Methodology, (2) Risk Assessment Table, (3) Risk Treatment Table, (4) Risk Assessment and Treatment Report, (5) Statement of Applicability, and (6) Risk Treatment Plan.

    This article will provide you further explanation about risk assessment:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    These materials will also help you regarding risk assessment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
  • Certification costs


    Answer: The main certification cost areas are related to the size of the scope and the controls to be implemented, so I suggest you verify whether the scope size is appropriate to the organization's objectives for the ISMS and which risk levels the organization is willing to accept (the more risk taken, the fewer controls will be regarded as necessary). A smaller scope and fewer controls to be implemented will also reduce the implementation time. During implementation, a way to shorten the time is to implement some normally sequential controls at the same time (e.g. information classification and backup). But please note that these alternatives should be well weighted considering the risk that your implemented system ends up lacking the capacity to work properly.

    To help you validate your implementation duration estimate, try our Free Calculator – Duration of ISO 27001/ISO 22301 Implementation (https://advisera.com/27001academy/free-tools/free-calculator-duration-of-iso-27001-iso-22301-implementation/)

    This article will provide you further explanation about reducing ISMS costs:
    - 5 ways to avoid overhead with ISO 27001 (and keep the costs down) https://advisera.com/27001academy/blog/2012/06/19/5-ways-to-avoid-overhead-with-iso-27001-and-keep-the-costs-down/

    These materials will also help you regarding implementing an ISMS:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - How to Budget an ISO 27001 Implementation Project https://info.advisera.com/27001academy/free-download/how-to-budget-an-iso-27001-implementation-project
  • Transition of ISO 13485 and maintaining ISO 9001


    Answer:

    If you do not have requirements from your customers to have an ISO 9001 certificate, my advice would be to cancel the certificate. The reason is that the new version of ISO 13485 is aligned with ISO 9001:2008 and does not follow the new ISO 9001:2015. Keeping both standards will make you have all the old requirements from ISO 9001:2008 together with the new requirements of ISO 9001:2015 and ISO 13485:2016, and there is no need to create such a robust system if there are no requirements from the customers in this regard. And you will also save money on the certification fees.
  • Qualifications of the Management Representative


    The MR doesn't have to have formal education regarding the QMS or ISO 9001; the standard doesn't prescribe qualifications for the MR. The new version of the standard doesn't even require the MR as a role in the QMS. For more information, see: What will be the destiny of the management representative in the new ISO 9001:2015? https://advisera.com/9001academy/knowledgebase/what-will-be-the-destiny-of-the-management-representative-in-the-new-iso-90012015/

    2. Is it possible that the Document Controller becomes QMR or is appointed as QMR?

    Yes, but considering the usual duties of the MR, maybe it is better to have somebody from production or some other core process in the company. On the other hand, the Document Controller has experience with administration, so his or her contribution to the QMS can be valuable. For more information, see: Choosing the best person for the job of quality management representative https://advisera.com/9001academy/blog/2014/06/03/choosing-best-person-job-quality-management-representative/

    3. What are the qualifications to become a QMR?

    There are no formal requirements regarding qualifications for the MR, but it is reasonable to expect this person to be familiar with the standard and the processes within the company. Here you can sign up for our free online ISO 9001 Foundations course https://advisera.com/training/iso-9001-foundations-course/
  • Section 4.4.1.2 Product Safety

    Thank you, that was very helpful.
  • Toolkit documents


    Answer: The document in the Toolkit which covers the ISO 27001 clause 7.5 is the Procedure for Document and Record Control located in the folder 00 Procedure for Document and Record Control.

    By the way, in the root folder of the toolkit you'll see a document called 'List of documents' where you'll see a list of all documents in the toolkit together with the clauses of the standard that are covered by each document.
  • IATF 16949 transition


    Answer:

    Since IATF 16949 is a rather complex standard, the transition process should be conducted as a project. The first step should be to conduct a gap analysis to determine to what level your existing QMS is compliant with IATF 16949 and what needs to be done to achieve full compliance with the standard. Once you determine the gaps, you can develop a project plan for the transition, defining what needs to be done, who will do it, what resources are needed and what the deadlines are.

    Then you can start implementing the new requirements of the standard. The most important changes are related to the context of the organization and addressing risks and opportunities, but almost every clause has changed to some extent.
  • ISO 14001 in procurement process


    Answer:

    The standard requires the organization to control or influence outsourced processes and procured products or services. As far as outsourced processes are concerned, depending on the ability of the organization to enforce controls, the organization can define work instructions for the outsourcing partner, conduct audits, etc. It will all depend on how the relations between the organization and the outsourced partner are arranged, and the standard doesn't define to what extent the controls should be applied.

    When it comes to the procurement of products and services, the organization can define environmental protection criteria when performing the procurement, or insist on procuring recyclable raw materials, etc.

    For more information, see: Defining and implementing operational control in ISO 14001:2015 https://advisera.com/14001academy/blog/2016/04/11/defining-and-implementing-operational-control-in-iso-140012015/