  • Implementing ISO 9001 in hospital


    Answer:

    By implementing an ISO standard, I assume you mean ISO 9001, but the implementation process wouldn't differ much from standard to standard; only the different requirements would be implemented.

    Assuming that you already have support from top management, the best way to start the implementation process is by conducting a gap analysis to determine to what extent your organization is already compliant with the standard and what needs to be done to achieve full compliance with it. Once you have determined the gaps, you can develop a project plan for the implementation, defining what needs to be done, who will do it, what resources are needed and what the deadlines are.

    Then you should start implementing the requirements of the standard; the implementation process consists of developing documents and updating and establishing processes to meet all applicable requirements of the standard. When the implementation project is over, you should conduct an internal audit and a management review to ensure that your Quality Management System is compliant with ISO 9001. Finally, you can hire a certification body to conduct the audit and issue your company the certificate.

    For more information about the implementation, see: Checklist of ISO 9001 implementation & certification steps https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/

    As far as the standard manual is concerned, it is no longer a mandatory document, so you can decide whether to develop it or not. For more information, see: The future of the Quality Manual in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/the-future-of-the-quality-manual-in-iso-90012015/
  • ISO 27001 references


    Answer: ISO 27001 books are a good support for understanding the concepts and finding details about how to implement the standard's requirements, but they are not a substitute for the standard itself, which you should also consider buying (the link for buying the standard is https://www.iso.org/isoiec-27001-information-security.html).

    This material will also help you regarding ISO 27001 understanding:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Risk treatment


    Is there any sample threat and vulnerability database that can be used for contractual agreements, outsourcing, SLAs and regulatory requirements?

    Answer: Our Risk Treatment Plan does not have a drop-down menu for threats and vulnerabilities because this is part of the risk assessment and is covered in the Risk Assessment Table. As our video tutorial shows, you should simply copy the unacceptable risks (with all the assets, threats and vulnerabilities) from the Risk Assessment Table and paste them into the Risk Treatment Table.

    In the Risk Assessment Table you'll find a list of threats and vulnerabilities related to outsourcing, SLAs and regulatory requirements: e.g., breach of contractual relations, breach of legislation, unauthorized access to facilities allowed and unclearly defined rules for access control.
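    Added example (not part of the answer above, and not Advisera's toolkit): the "copy the unacceptable risks into the Risk Treatment Table" step done programmatically over a risk register. The scoring scale (likelihood and consequence each 0-2, risk = likelihood x consequence) and the acceptance threshold (risk of 2 or more is unacceptable) are assumptions for the example; the sample rows are constructed, reusing the threat and vulnerability wording from the answer.

```python
"""Select unacceptable risks from a risk assessment table and seed a risk
treatment table with them. Added example, not the toolkit's own code.

Assumptions (not stated on the page): likelihood and consequence are each
scored 0-2, risk = likelihood * consequence, and any risk scoring 2 or more
is unacceptable and must be carried into the treatment table.
"""

from dataclasses import dataclass, asdict

RISK_ACCEPTANCE_THRESHOLD = 2  # assumed: risk >= 2 is unacceptable


@dataclass(frozen=True)
class AssessedRisk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int   # assumed 0-2 scale
    consequence: int  # assumed 0-2 scale

    def score(self) -> int:
        return self.likelihood * self.consequence


# Constructed sample rows; threat/vulnerability wording follows the answer above.
RISK_ASSESSMENT_TABLE = [
    AssessedRisk("Outsourced helpdesk contract", "Breach of contractual relations",
                 "SLA without security clauses", 2, 2),
    AssessedRisk("Customer database", "Breach of legislation",
                 "No data retention procedure", 1, 2),
    AssessedRisk("Server room", "Unauthorized access to facilities allowed",
                 "Unclearly defined rules for access control", 1, 1),
    AssessedRisk("Public website", "Defacement", "Unpatched CMS", 0, 2),
]


def unacceptable_risks(table, threshold=RISK_ACCEPTANCE_THRESHOLD):
    """Rows whose computed risk reaches the acceptance threshold."""
    return [r for r in table if r.score() >= threshold]


def build_treatment_table(table, threshold=RISK_ACCEPTANCE_THRESHOLD):
    """Copy every unacceptable risk, with its asset, threat and vulnerability,
    into treatment rows ordered by descending risk. The treatment option,
    controls and residual risk are left empty for the risk owner to fill in."""
    rows = []
    for r in sorted(unacceptable_risks(table, threshold), key=lambda r: -r.score()):
        row = asdict(r)
        row["risk"] = r.score()
        row["treatment_option"] = None   # to be decided by the risk owner
        row["controls"] = []             # controls selected for this risk
        row["residual_risk"] = None      # re-scored after treatment
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in build_treatment_table(RISK_ASSESSMENT_TABLE):
        print(row["risk"], row["asset"], "|", row["threat"], "|", row["vulnerability"])
```

    Lowering the threshold (e.g. `build_treatment_table(table, threshold=1)`) is the usual knob when management decides the organization's risk appetite is tighter than first assumed; the same rows flow through, so the treatment table stays consistent with the assessment table.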
  • Material for information protection

    1. Assess and provide guidance on how to handle the classification of data or information.
    2. Review and provide guidance on the approach that should be followed to determine the various levels of classification.
    3. Review the impact analysis process for when data is lost or when the confidentiality of information is compromised, and provide recommendations to improve the process.

    Answer: For information classification and handling I suggest this material:
    - Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/

    For reviewing the impact of information being compromised I suggest these articles:
    - How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
    - How to handle incidents according to ISO 27001 A.16 https://advisera.com/27001academy/blog/2015/10/26/how-to-handle-incidents-according-to-iso-27001-a-16/
    - Practical use of corrective actions for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2013/12/09/practical-use-of-corrective-actions-for-iso-27001-and-iso-22301/

    These materials will also help you regarding information classification and handling and the controls improvement process:
    - ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - Preparing for ISO Certification Audit: A Plain English Guide https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Difference between sites and Certificates in ISO SURVEY


    Answer: ISO 27001 certificates may be defined in terms of processes/services, organizational units or locations (the ISMS scope), and a single certification may cover multiple locations, also called sites. For example, you can have an organization's HQ and its branch covered by a single ISO 27001 certificate, resulting in one certification and two sites.

    This article will provide further explanation about the differences between certification and other related ISO terms:
    - Accreditation vs. certification vs. registration in the ISO world https://advisera.com/articles/accreditation-vs-certification-vs-registration-in-the-iso-world/
  • Implementing ISO 22301 with support of ISO 27001


    I have to admit that your templates/documentation were so handy and helped me well; however, I would like to know if what I already have is up to date and would help me implement the BCMS, or do you have an updated version?

    Answer: The toolkit available in May 2015 at Advisera was already compliant with the 2013 version of ISO 27001, and it is perfectly integrable with ISO 22301, which will make it easier for you to implement an ISO 22301-compliant BCMS.

    These articles will provide further explanation about implementing ISO 22301:
    - How to use ISO 22301 for the implementation of business continuity in ISO 27001 https://advisera.com/27001academy/blog/2015/06/15/how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001/
    - How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/

    These materials will also help you regarding implementing ISO 22301:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
    - ISO 27001 & ISO 22301: Why is it better to implement them together? [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/
  • Risk assessment and BIA


    Answer: In fact, BIA and risk assessment are two different processes with different purposes that can't be merged, although they exchange information with each other. The main question among practitioners is in which sequence they should be performed. I particularly follow the view that risk assessment should be performed before the BIA and the BIA questionnaire, because this way both the BIA and the questionnaire can make use of the results of the risk assessment to help improve the reliability of their results (by identifying the risks you're most exposed to, you can focus on the consequences of those incidents and on the main assets that are at risk).

    These articles will provide further explanation about risk assessment and BIA:
    - Risk assessment vs. business impact analysis https://advisera.com/27001academy/knowledgebase/risk-assessment-vs-business-impact-analysis/
    - How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/

    These materials will also help you regarding risk assessment and BIA:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
  • Product safety - clause 4.4.1.1

    Does it have to be in the contract, or in the customer's salable drawing, or somewhere else? Or is it just "common sense"?
    In my company we design and manufacture several automotive components, for example harnesses and stereos. I would assume that the stereo is not "product safety", but the harness is?
    I looked for the definition of the term and couldn't find anything.
    Regards.

    Answer:

    There are no universal rules for the safety of all products. Safety requirements for some products are defined by legislation or CE marking, or by customer requirements. It is not common to define requirements for product safety in contracts, simply because such requirements are implied. Alternatively, it can be part of the customer requirements as a requirement for the raw materials to be used or for the product features to be demonstrated.

    In your case, product safety can be demonstrated by providing attestation of the safety of raw materials or by testing the durability of the product (harness) under strain or other product features. Basically, you need to demonstrate that your product is safe for use and fit for its purpose and, maybe, you can consult your customer on how to demonstrate this.
  • Implementing OHSAS 18001 and ISO 14001

    Looking forward to your response.

    Answer:

    Six months is a reasonable period for the implementation, but you can also save time by identifying the common requirements of both standards and implementing them at the same time. For more information about common requirements see: ISO 14001 vs. OHSAS 18001: What is different and what is the same? https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/iso-14001-vs-ohsas-18001-what-is-different-and-what-is-the-same/

    I would start with a gap analysis to determine what needs to be done to achieve full compliance with the standards and then develop a project plan for the implementation. When developing a project plan, you should assign roles and responsibilities within the project to as many people as possible to decrease the time needed and also to ensure that the most relevant people are involved in implementing the requirements of the standard.