Search results


  • Convergence of ISO 27001 and ISO 22301


    Answer: First of all, you need to understand that you cannot achieve convergence with a single document. Both management systems are composed of many different subprocesses, which would make it impractical and very confusing to centralize them in a single document.

    That said, ISO 27001 and ISO 22301 have many similar requirements, which makes it easier to integrate them. Considering the possibility of integration, I suggest you take a look at the free demo of our ISO 27001 & ISO 22301 Premium Documentation Toolkit, which can help you implement both standards. You can access the free demo at this link: https://advisera.com/27001academy/iso-27001-22301-premium-documentation-toolkit/ .

    This article will provide you with further explanation about integrating management systems:
    - How to use ISO 22301 for the implementation of business continuity in ISO 27001 https://advisera.com/27001academy/blog/2015/06/15/how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001/
    - ISO 27001 & ISO 22301: Why is it better to implement them together? [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/

    These materials will also help you regarding ISO 27001 and ISO 22301 integration:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • HIPAA and ISO 27001


    Answer: Basically, HIPAA is not so strong on information security management requirements as ISO 27001, and ISO 27001 is not so strong on the privacy controls required by HIPAA. So, you can speed up your ISO 27001 compliance in the implementation phase where you perform the risk assessment and implement risk treatments, since besides privacy and incident management controls, other controls implemented to fulfil HIPAA's requirements can be mapped to ISO 27001 Annex A and help build the ISO 27001 Statement of Applicability. Besides that, you can make use of ISO 27799 (the ISO standard related to personal health information) to cover privacy controls. Unfortunately, at this moment we do not have a mapping between ISO 27001 and HIPAA.

    This article will provide you with further explanation about ISO 27799:
    - How ISO 27001 and ISO 27799 complement each other in health organizations https://advisera.com/27001academy/blog/2016/06/13/how-iso-27001-and-iso-27799-complement-each-other-in-health-organizations/
  • BIA and risk assessment

    1 - Does the BIA include a risk assessment?

    Answer: The risk assessment process is independent of the BIA process, but the BIA can make use of the results of the risk assessment to help improve the reliability of its results (by identifying the risks you’re most exposed to, you can focus on the consequences of those incidents). You should note that the ISO 22301 documentation toolkit does not include the risk assessment documents, but they can be purchased separately.

    2 - Should the BIA questionnaire be different for every business unit in the company?

    Answer: The general framework of the questionnaire is the same (what the critical processes are, how long you can support a disruption of the process, how much time you have to resume minimal and normal operations, etc.), but some questions may be adjusted according to each business unit (for example, a production unit may have specific questions about equipment, while research and development should add more questions related to information protection). You should also note that answers will be different from one department to another.

    These articles will provide you with further explanation about BIA and risk assessment:

    - Risk assessment vs. business impact analysis https://advisera.com/27001academy/knowledgebase/risk-assessment-vs-business-impact-analysis/

    - How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/

    These materials will also help you regarding BIA and risk assessment:

    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/

    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

  • ISO 27001 clause 7


    Answer: Clause 7.1 refers to the provision of resources used by the ISMS, and you can find examples of those defined in risk treatment plans, plans to achieve security objectives, and plans for corrective actions. So, I suggest you read these articles:
    - Risk Treatment Plan and risk treatment process – What’s the difference? https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
    - ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/

    For information about ISO 27001 clause 7.2 I suggest you read these articles:
    - How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
    - 8 Security Practices to Use in Your Employee Training and Awareness Program https://advisera.com/27001academy/blog/2015/03/02/8-security-practices-to-use-in-your-employee-training-and-awareness-program/

    These materials will also help you regarding ISO 27001 clause 7:
    - ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Auditor support material


    Answer: First of all, I'd like to thank you for attending our course. I hope that the information will help improve your skills and the satisfaction of your clients.

    For assistance in your assessment, I suggest you take a look at the free demo of our ISO 27001/ISO 22301 Internal Audit Toolkit at this link: https://advisera.com/27001academy/iso-27001-22301-internal-audit-documentation-toolkit/

    This toolkit has everything you need to plan, perform and report an audit activity. To find the free demo tab you only have to scroll down the screen a little.

    This article will provide you with further explanation about audit activities (you can adapt the concepts of this article to an internal audit context):
    - Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/

    This material will also help you regarding audit activities:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
  • Quality manual and procedures in small company


    Answer:

    There are basically two options when writing the documentation: you can either put your procedures into the quality manual or make reference to them in the manual and write them as separate documents.

    Since you are implementing the standard in a small company, maybe it would be better if you include the procedures in the manual instead of having them as separate documents. These procedures don't have to be too detailed; you can briefly describe how the processes are carried out and what records are used within the process.

    For more information, see: Writing a short Quality Manual https://advisera.com/9001academy/knowledgebase/writing-a-short-quality-manual/
  • Auditing marketing and sales against ISO 14001 and OHSAS 18001

    We are now preparing for ISO 14001 and OHSAS 18001 certification and we are conducting the internal audits now. Should marketing and sales operations be involved in the internal audit cycle?
    If yes, what are the references that I can base my audit on? And what type of questions should be asked?

    Answer:

    If the marketing and sales departments are part of the scope of your implementation of ISO 14001 and OHSAS 18001, you should definitely audit them. Unlike ISO 9001, where you have specific requirements that relate to these requirements, ISO 14001 and OHSAS 18001 have more general requirements that can apply to any process or department.

    The first thing to be audited is whether the identification and evaluation of environmental aspects and occupational health and safety hazards is conducted for these processes, and then whether the operational controls for environmental protection and occupational health and safety are implemented.

    For more information, see: Internal Audits in the EMS: Five Main Steps https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/internal-audits-in-the-ems-five-main-steps/
  • Inventory of assets


    Answer: Sorry for the inconvenience. Please try this link: https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

    2 - The problem I am having is that, for the different asset categories, e.g. people, applications, databases, etc., I do not know if there is a certain procedure to follow to fill in the categories in the given template.

    Answer: No, there is no such procedure to be followed. I suggest you click the 'Checklist of assets' sheet, which contains examples for each category, to guide you on which category you should apply to your asset.
  • HIDRAC and identification of environmental aspects


    Answer:

    HIDRAC (Hazard Identification, Risk Assessment and Determining Control) is a general approach and methodology for the identification and evaluation of hazards, risks and dangers, and for determining controls to treat them. Identification and evaluation of environmental aspects can be done in the same way; you only need to apply HIDRAC to the environmental aspects and impacts and you will meet the requirements of both clauses 6 and 8 of ISO 14001:2015.

    For more information about environmental aspects identification and evaluation, see: 4 steps in identification and evaluation of environmental aspects https://advisera.com/14001academy/knowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/
  • Risks assessment in ISO 9001

    I would like to discuss some important things regarding ISO 9001:2015 documentation, as I am working on a Risk Assessment Matrix.
    What I need to know is whether there is a need for formal documentation regarding risk assessment,
    because we have an integrated management system and I think that we have already addressed many risks in the form of the HACCP Matrix and Environmental Aspect & Impact.
    As per my understanding, the additional thing we have to do in the QMS is that, keeping in view the context of the organization and the needs and expectations of the interested parties, the existing risk assessment will be reviewed and revised accordingly.
    Kindly guide me in this regard.
    I would like to share the document on which I am working nowadays.
    I am interested to hear back from you.

    Answer:

    ISO 9001 does not require formal documentation regarding risk assessment, but it is beneficial to have at least a registry or list of risks and opportunities. HACCP and Environmental Aspect/Impact risk assessments are covering different types of risks: one is for food safety and the other is for the environment. ISO 9001 requires you to address risks and opportunities related to the quality of products and services, achieving quality objectives, and customer satisfaction.

    The risk and opportunities assessment for ISO 9001 can be done in a simpler way than the above-mentioned methodologies. You can conduct a SWOT analysis or arrange a brainstorming session with relevant people in the company and talk about the risks. For more information, see: How to address risks and opportunities in ISO 9001 https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/