
  • Certification benefits


    Answer: Information security means the protection of information regardless of the medium it refers to, and this goes well beyond the IT environment (e.g., information flows through physical reports, people talk about it, etc.), and ISO 27001 can help you to ensure proper information protection in all these situations. As practical examples, I can mention that pharmaceutical companies must protect their research information, and banks must protect information about their customers. Both are non-IT organizations to which ISO 27001 is perfectly applicable.

    So, I strongly recommend that you seek certification, because besides complying with a customer demand, by implementing an Information Security Management System (ISMS) based on ISO 27001, you can achieve other benefits like enhanced competitiveness, reduction of operational costs, improved internal organization, and ease of maintaining conformity with legal requirements.

    This article will provide you further explanation about certification benefits:
    - Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/

    These materials will also help you regarding certification benefits:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - ISO 27001 benefits: How to obtain management support [free webinar] https://advisera.com/27001academy/webinar/iso-27001-benefits-how-to-get-management-buy-in-free-webinar-on-demand/
  • How many threats and vulnerabilities to display


    Answer: Theoretically, you should include every possible option, i.e. combination of threats and vulnerabilities related to each threat, even if their value is 0. However, in my opinion you shouldn't list more than 5 threats for each asset, and more than 2 vulnerabilities for each threat.

    This article will give you more explanation: ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
  • Documenting the context in internet service provider company


    Answer:

    The standard does not require the organization to document the context of the organization, nor the process of determining the context. The company itself can decide how to document the context if it chooses to document it. But, since it is a new requirement, I suggest documenting a procedure for determining the context that contains all elements of the context to be considered, and using SWOT or PEST analysis as a tool for determining the context. Having documented information on the context of the organization will facilitate demonstration of compliance with the requirements.

    There is no predefined list of internal and external issues; the company can decide by itself what issues are relevant to its QMS. For more information, see: How to identify the context of the organization in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
  • Procedure for document control based on ISO 9001 and ISO 22000


    Answer:

    Requirements for document and record control in ISO 22000 are located in clauses 4.2.2 and 4.2.3, while requirements for documented information in ISO 9001:2015 are located in clause 7.5. ISO 9001 has more precise requirements for document and record control than ISO 22000; therefore, a procedure for document and record control compliant with ISO 9001:2015 will meet the requirements for document and record control in ISO 22000. All you need to do is add references to the relevant ISO 22000 clauses in the Procedure for Document and Record Control. Here you can find a free preview of the document: https://advisera.com/9001academy/documentation/procedure-document-record-control/
  • Check within the process vs. checks of product

    I was wondering if we have checks within the process to ensure the product is good, do they need to be calibrated even if we check the final product with calibrated instruments?

    Answer:

    The company must demonstrate that the measuring equipment is fit for purpose; therefore the measuring equipment must be calibrated or verified, or both, at specified intervals, or prior to use. The rationale that the final measurements of the product will ensure its conformity, and that the measurement within the process doesn't have to be 100% reliable, practically means that the measurement within the process is redundant. For more information, see: Monitoring and Measurement Equipment Control https://advisera.com/9001academy/blog/2014/05/06/monitoring-measurement-equipment-control/ (the article is written based on ISO 9001:2008, but the requirements are the same).
  • Quality Manual referencing to document management software


    Answer:

    The Quality Manual is no longer required by ISO 9001:2015; therefore, the requirements for the Quality Manual no longer exist. The article you are referring to is written according to the 2008 version of the standard, and that is why it states all these requirements regarding the manual. For more information, see: The future of the Quality Manual in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/the-future-of-the-quality-manual-in-iso-90012015/

    The fact that the manual is no longer required does not mean it's forbidden; the company can decide to keep the manual, but now it has more freedom to tailor it according to its needs. So you can reference certain parts or features of your software in the manual, or reference the software as a whole.
  • Environmental controls in virtual company

    provides an outsourced customer service function including bespoke, personal and intelligent handling of inbound and outbound calls / emails / Livechats as well as outsourced telemarketing.
  • Determining environmental context


    The best way to get inputs for environmental conditions is to contact the relevant local authority; in most cases they already have some study or document that describes environmental conditions in your region. As far as events are concerned, the best way to approach it is to examine your processes and see what can influence them and what the consequences are, for example in case of fire or flood. Another important thing is to consider the immediate surroundings of the company and how they can affect your environmental performance; for example, if there is a chemical industry nearby, how would their environmental incident affect your company? For more information about the context in ISO 14001, see: Determining the context of the organization in ISO 14001 https://advisera.com/14001academy/knowledgebase/determining-the-context-of-the-organization-in-iso-14001/

    2) Where can I find a sample that shows how it is implemented, from SWOT analysis to determination of issues and identification of interested parties and their needs and expectations?

    Unfortunately, we do not have any examples available, but the SWOT analysis is very simple. It basically represents a table with four cells, one cell each for strengths, weaknesses, opportunities and threats. The good thing about the SWOT analysis is that it provides a direct link to risks and opportunities.

    When identifying interested parties, the best approach is to think about all instances that can affect or be affected by your company's operations in the sense of the environment. Then you need to define which interested parties are really relevant and determine their needs and expectations. For more information, see: How to determine interested parties according to ISO 14001:2015 https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/how-to-determine-interested-parties-according-to-iso-140012015/
  • External auditor questions


    Answer: I suggest you take a look at the free demo of our Internal Audit Checklist (https://advisera.com/27001academy/documentation/internal-audit-checklist/). Even though it is oriented to internal auditors, it can provide you with a good basis on what an external auditor can ask.

    These articles will provide you further explanation about audit questions:
    - Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/
    - Infographic: The brain of an ISO auditor – What to expect at a certification audit https://advisera.com/articles/infographic-the-brain-of-an-iso-auditor-what-to-expect-at-a-certification-audit/

    These materials will also help you regarding audit questions:
    - Preparing for ISO Certification Audit: A Plain English Guide https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/
  • How to develop SOPs

    - context of the organization
    - risk and opportunities management
    - organizational knowledge
    - awareness

    Answer:

    Quality procedures or SOPs can have different formats and structures. They can be narrative, i.e., described through text; they can be more structured by using tables; they can be more illustrative, i.e., flow charts; or they can be any combination of the above.

    SOPs should include the following elements:
    - Title – for identification of the procedure;
    - Purpose – describing the rationale behind the procedure;
    - Scope – to explain what aspects will be covered in the procedure, and which aspects will not be covered;
    - Responsibilities and authorities of all people/functions included in any part of the procedure;
    - Records that result from the activities described in the procedure should be defined and listed;
    - Document control – identification of changes, date of review, approval and version of the document should be included in accordance with the established practice for document control;
    - Description of activities – this is the main section of the procedure; it relates all the other elements of the procedure and describes what should be done, by whom and how, when and where. In some cases, “why” should be clarified as well. Additionally, the inputs and the outputs of the activities should be explained, including the needed resources.
    Appendices may be included, if needed.

    This approach should be used when developing any procedure, including the ones you stated. Here you can find free previews for the procedures you've mentioned:
    - Procedure for Determining Context of the Organization and Interested Parties https://advisera.com/9001academy/documentation/procedure-for-determining-context-of-the-organization-and-interested-parties/
    - Procedure for Addressing Risks and Opportunities https://advisera.com/9001academy/documentation/procedure-for-addressing-risks-and-opportunities/
    - Procedure for Competence, Training and Awareness https://advisera.com/9001academy/documentation/procedure-human-resources/