Search results


  • Continual improvement verification


    Answer: Your understanding is correct. Continual improvement can be verified in all clauses from 4 to 10. Questions to ask, to check if continual improvement should be considered for a clause, should consider changes in the environment, results of monitoring and measurement, or decisions from management review, since these are the main sources of the need to improve processes, procedures and controls.
  • Business continuity management certification


    Answer: Yes, if you want to be compliant with the standard you need to comply with all its requirements. Of course, you can use some guidelines from other frameworks like ISO 22313, DRII or NFPA 1600, but at the end of the day you need to be fully compliant with ISO 22301.

    2 - Does the certification body certify BCM implementation against other standards? I.e., does the certification body certify against the DRII professional standard?

    Answer: As far as I know, certification bodies certify BCMS only against ISO 22301, since, as an international standard, it would be the logical choice for certification in a global economy. The certifications issued by DRII are for people, not organizations, but you have to contact the specific certification body to know if it works with personal certifications.

    This article will provide you further explanation about business continuity management certification:
    - ISO 27001 certification for persons vs. organizations https://advisera.com/27001academy/iso-27001-certification/

    These materials will also help you regarding Business continuity management certification:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
    - Preparations for the ISO Implementation Project: A Plain English Guide https://advisera.com/books/preparations-for-the-iso-implementation-project-a-plain-english-guide/
  • Organizational context identification


    Answer: Following the sequence recommended to implement an ISMS, you should start by identifying the organizational context, i.e., the internal and external issues considered most relevant to the ISMS (e.g., geographical location, organizational culture, public infrastructure available, etc.), and the interested parties, i.e., the relevant people with an interest in ISMS results (e.g., clients, suppliers, top management, employees, etc.). By knowing the internal and external issues and the interested parties, you can start thinking about which kind of questions you should ask.

    This article will provide you further explanation about the recommended steps to implement an ISMS:
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

    These articles will provide you further explanation about organizational context identification:
    - Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization) https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
    - How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
    - How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

    These materials will also help you regarding organizational context identification and the recommended steps to implement an ISMS:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • ISO Internal auditor vs Certified internal auditor


    Answer: Internal auditor certification is basically appropriate if you intend to work as internal auditor, and it doesn't have such visibility as e.g. Lead auditor certification. Both are recognized internationally, but the difference is in the level of knowledge (and status). I'm not very familiar with the Certified Internal Auditor, so I couldn't compare them.

    If you go for our ISO 27001 Internal Auditor Course, the certification exam is currently US$ 99 although we're preparing to change our pricing policy soon: https://advisera.com/training/iso-27001-internal-auditor-course/

    See also these articles:
    - ISO 27001 Internal Auditor training – Is it good for my career? https://advisera.com/27001academy/blog/2016/03/29/iso-27001-internal-auditor-training-is-it-good-for-my-career/
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
  • Quality policy in healthcare organization


    Answer:

    Requirements for the quality policy are the same regardless of the type of business. The policy needs to be appropriate to the purpose and context of the organization, support its strategic direction, and provide a framework for setting quality objectives. It needs to include the commitment of the organization to satisfy applicable requirements and to continually improve the quality management system. The policy is usually written as a set of statements that address the above-mentioned requirements.

    For more information about quality policy, see: How to Write a Good Quality Policy https://advisera.com/9001academy/blog/2014/03/25/write-good-quality-policy/
  • Documenting training and awareness


    Answer:

    Regarding competence of employees, the standard only requires you to retain records as evidence of the competence. You don't even need to have a documented procedure for training, let alone documented modules for each position in departments. In order to meet the requirements regarding awareness, you do not even need records.

    Actually, having competent employees enables you to decrease the volume of the documentation because they know exactly what they are doing and do not need documented procedures.

    For more information about competence and awareness, see:
    - How to ensure competence and awareness in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-ensure-competence-and-awareness-in-iso-90012015/
    - Using Competence, Training and Awareness to Replace Documentation in your QMS https://advisera.com/9001academy/blog/2013/12/17/using-competence-training-awareness-replace-documentation-qms/
  • Interpretation of risks and opportunities


    Answer:

    The standard requirements are not too specific, in order to enable companies to adapt the QMS to their own needs, but it doesn't mean that each requirement can be interpreted in a different way. For example, regarding risks and opportunities, the organization needs to identify and address risks and opportunities emerging from the context of the organization related to the quality of products and services, objectives and customer satisfaction. But the standard allows the organization to choose whether to document a procedure, apply some risk assessment methodology and record its risks and opportunities.

    For more information, see: How to address risks and opportunities in ISO 9001 https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
  • Demonstrating competence for ISO 9001:2015


    Answers:

    1) List of trainings which QA staff must undergo for successful transition

    The QA staff doesn't have to undergo any training, they only need to get familiar with the standard. It can be done by attending some external training or conducting in-house training. Here you can find free ISO 9001:2015 Foundation online course https://advisera.com/training/iso-9001-foundations-course/ that can help your staff achieve the competence.

    2) Can these trainings be self-study or must be certified training sessions?

    There is no requirement defining the type of training, so you can choose any option that works best for you.

    3) Once certified as internal auditor for ISO 9001:2008, do the internal auditors still need to be trained in the Internal Auditor training for ISO 9001:2015?

    Techniques of auditing haven't changed, only the requirements to be audited. Internal auditors should only get familiar with the new requirements. If you would like to get familiar with the new requirements and refresh your knowledge of auditing, I suggest this free ISO 9001:2015 Internal Auditor Course https://advisera.com/training/iso-9001-internal-auditor-course/
  • HIPAA Compliance


    Answer: I'm sorry, but knowledge about compliance applications with HIPAA is outside our expertise. We are focused on ISO 27001, and this specific situation is not required by this standard. I would recommend that you look for expert legal advice.
  • Information and Cloud security policies


    Answer: The Information Security Policy is related to top management's definition of what it wants to achieve with information security in a broader sense, providing the framework for managing the ISMS, while the Cloud Security Policy narrows the focus, considering the definition of what it wants the ISMS to achieve with information security in cloud environments. In terms of implementation, you can have the Cloud Security Policy as a section in the Information Security Policy or as a completely separate document.

    This article will provide you further explanation about Information and Cloud security:
    - ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
    - What should you write in your Information Security Policy according to ISO 27001? https://advisera.com/27001academy/blog/2016/05/30/what-should-you-write-in-your-information-security-policy-according-to-iso-27001/