Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11268 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Risk assessment and treatment process
1- Are any of these documents filled and maintained in parallel? Or do they have to be filled strictly in sequence i.e. RISK TREATMENT TABLE then SoA then ACCEPTANCE OF RESIDUAL RISK then RISK TREATMENT PLAN etc.
Answer: Considering the risk of rework, you could fill in parallel the risk treatment table and the risk treatment plan. The advantage of filling them in parallel is that when presenting information for acceptance of residual risk, you can have more detailed information about risk treatments and this can facilitate the decision on accepting the residual risks and speed up your process. The disadvantage is that if the residual risk value is not accept ed you will lose all the effort and time you allocated. To minimize this risk I would suggest you to ask risk owners what information they would need to make their decision regarding residual risk, and when elaborating the risk treatment plan you start only with a general overview of the solution, focusing on what is to be delivered instead of what is to be done.
This material can provide you information on how to prepare an general overview of a risk treatment plan:
- ISO 27001 project management: Implementing complex security controls using Work Breakdown Structure (WBS) https://advisera.com/27001academy/blog/2015/10/19/iso-27001-project-management-implementing-complex-security-controls-using-work-breakdown-structure-wbs/
2 - How can we comment upon “after treatment figures of likelihood and severity of risk” in RISK TREATMENT TABLE without ascertaining the method of control implementation as per SoA and without creating a RISK TREATMENT PLAN in parallel to assign cost and resources?
Answer: These values you set in the after treatment columns are what you expect to achieve after controls implementation. They will just help you define the details of your implementation plan (e.g., resources to be allocated, technologies to be adopted, etc.). After controls implementation, with data from performance monitoring and measurement, you can verify if these values were achieved or if your implementation needs adjustments.
3- Can a single example case be shared on which these complete set of documents were filled from start till end?
Answer: Sure, if you watch the video tutorials that came with your toolkits, you will see for each of the documents (e.g. for Risk treatment table, for Risk treatment plan) how to fill out all the data. -
ISO 9001 internal auditor in health care domain
I would be grateful if you can provide me an insight into the role of a healthcare professional having 15 years of domain knowledge experience and carrying a PMP and Certified Lean Six Sigma Greenbelt certifications and a Certified Coding Professional certification,
1. What is the primary role of an ISO:9001 auditor in hospitals/healthcare organizations?
The role of the internal audit is the same as in any other type of business, to conduct internal audits and report on the audit results.
2. What are the roles that can be shouldered with an ISO:9001 auditing certification?
Having internal auditor certificate will demonstrate that you are familiar with ISO 9001 standard requireme nts and competent to conduct internal audits. This means that you can be management representative for QMS or Quality Manager. Basically you can do any activity related to ISO 9001 except conducting certification audits. For more information, see: What is the job of the Quality Manager according to ISO 9001? https://advisera.com/9001academy/blog/2016/08/23/what-is-the-job-of-the-quality-manager-according-to-iso9001/
3. What are the employment prospects and benefits having an ISO:9001 auditing certification.
As I mentioned above, with ISO 9001 auditing certificate you can be in charge of any activity withing the QMS, it is usually addition to the existing job position but in many cases it can be separate job, e.g. Quality Manager. Especially in bigger companies.
4. How would this role face competition with peers who have compliance certifications in healthcare?
Our ISO 9001 internal auditor course is accredited by third party so it has credibility, it is in line with other accredited ISO 9001 internal audit certificates.
I would sincerely appreciate your reply and this would certainly enable me to resolve my conflicts that I have with ISO:9001 auditor certification. -
Documenting EMS scope
Answer:
ISO 14001 does not require organizations to develop procedure for determining scope of the EMS (Environmental Management System), however, it requires organizations to document it. The scope can be documented within EMS Manual or as a separate document. Such document should contain information about all locations, processes and products and services covered with the scope of EMS.
For more information about EMS scope, see: How to determine the scope of the EMS according to ISO 14001:2015 https://advisera.com/14001academy/blog/2016/02/01/how-to-determine-the-scope-of-the-ems-according-to-iso-140012015/ -
Policies and procedures development
I mean at this initial stage without having gone through all the documents in details, how can I identify which documents would need direct involvement and input from the other departments in the scope? So that I could fill in those policies and procedures first and dispatch those to the concerning departments under scope, so that they could start sending me the inputs? (i.e. assets list etc etc).
Answer:
By reading the section one of each document (Purpose, scope and users) you can realize who to ask for information. For example for Backup policy (and other templates addressing information technology), you will need to ask the IT department, for Supplier Security Policy policy, you should ask your Procurement department.
By the way , in the video tutorials that come with the toolkit, you will see practical examples about to who should provide input for policies and procedures. -
Justification for Soa
Answer: Considering information systems life cycle, the introduction of new technologies in an already existent environment is part of the maintenance step, so to justify the adoption of security practices to minimize risks like poor systems compatibility (new systems working together with old ones) and lack of portability (migration of functionalities from old platform/solutions to new ones) issues, you could use as justification "process requirement". -
Annex A18 controls in the documentation toolkit
Answer: This A.18.2.1 control is covered in the toolkit by the internal audit procedure, which defines that internal auditors must be selected in such a way as to ensure objectivity and impartiality, i.e. to avoid conflict of interest, because auditors are not allowed to audit their own work. -
Annex A5 controls in the documentation toolkit
We only have from 6 onwards, or can we use the one in the following folder __ISO_27001_ISO_22301_Premium_Toolkit_EN�4_Information_Security_Polic y
Answer: Your understanding is correct. Reference for security requirements summary and the recommendations from the controls listed in the section A.5 from ISO 27001:2013 Annex A are included in the Information Security Policy, so by implementing this policy template you will be compliant with these entries.
You should also note that the controls in section A.5 are covered not only by the Information Security Policy, but also by all other policies in the toolkit. -
OHSAS SMART objectives
Answer:
Writing SMART objectives means writing Specific, Measurable, Agreed upon, Realistic and Timed objectives. Having such objectives will help organization to evaluate level of achievement of the objectives. In order to write such objectives, you must relate them to every process and this can be done by identifying some parameter of the process that will give you information on whether the process performed as it should. Such parameters are usually called key performance indicators.
For more information about the objectives, see: How to define OHSAS 18001 objectives and programs https://advisera.com/18001academy/blog/2015/11/11/how-to-define-ohsas-18001-objectives-and-programs/ -
ISO 9001:2015 and health care organization
1. Do we need to identify and define risks in all the core and support processes?
The organization must identify and address risks and opportunities not only in the core processes but also all risks and opportunities emerging from context of the organization. For more information, see: How to address risks and opportunities in ISO 9001 https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
2. Does the documentation for ISO require TIER system like Manuals,policies,procedures,record ?
The standard explicitly requires only documents such as Quality Policy and Quality Objectives, other than that it basically requires only records. But besides the mandatory document there should be other documents that company determines as necessary for running its QMS. For more information, see: List of mandatory documents required by ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
3. For a Home Healthcare Company like Ours,the core processes would be mostly clinical in nature, so do we need to write SOP s for all the clinical protocols could we have generic documents on common processes?
No, there is no requirement to document every process and every activity, you should document only those where is a chance of nonconformities. For more information, see: Deciding Which Procedures to Document in QMS https://advisera.com/9001academy/blog/2013/11/26/deciding-procedures-document-qms/ -
Which clauses must be covered with particular documents?
What is needed for ISO 27001 certification?
Answer:
The article you are referencing to lists the minimum of the documents you need to have. However, in most cases you will need to implement some other documents as well, because this will be required by the situation in your company - here's the article that will help you with such decisions : 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
We have written our policies and procedures in such a way that makes it easy for you to delete any part of them - when you read this template for Acceptable Use Policy, you will find comments saying e.g. "Delete this section if you marked control xyz as inapplicable" - this means you have to assess if a particular control is needed for you, and if not you can simply delete a part of the document that describes it.
This article will help you with understanding the logic of when you can mark a control as applicable or not: The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
This article you might also find useful: How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
These materials will also help you regarding selection of controls and documenting them:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your
Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course
https://advisera.com/training/iso-27001-foundations-course/
- Conformio (online ISO 27001 tool) https://advisera.com/conformio/