
  • Transition from 2008 to 2015 of ISO 9001


    Answer:

    The most important thing about documentation in the new version of the standard is that it refers to it as "documented information", and this term includes both documents and records. There are far fewer documentation requirements in the 2015 revision of the standard; there is no longer a requirement for a Quality Manual and six mandatory procedures as in the 2008 revision.

    In order to conduct the transition, you need to update your existing documents to adapt them to the new requirements. Almost every requirement is altered to some extent and the clause numbering has changed, so every document will require at least minor updates. You will also have to decide whether to keep the documents and procedures that are no longer mandatory; for example, although the manual is no longer mandatory, many companies decide to keep it because they find it useful for their QMS.

    For more information, see:
    - How to make the transition from ISO 9001:2008 revision to the 2015 revision https://advisera.com/9001academy/blog/2015/10/06/how-to-make-the-transition-from-iso-90012008-revision-to-the-2015-revision/
    - New approach to document and record control in ISO 9001:2015 https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
  • Methodology for an IT audit


    Answer:
    ISO 27001 is developed for the establishment of an Information Security Management System, which means that this standard is for the protection of information. Basically, ISO 27001 gives you a framework to identify risks and treat them by implementing security controls, many of which are directly related to IT (but not all). So, this standard is not specifically developed for performing an IT audit, but you can use its security controls. In Annex A of ISO 27001 you can find a brief description of 114 security controls, while in ISO 27002 you can find the same security controls with a guide on how to implement each control.

    So, you could use Annex A of ISO 27001 to select a group of security controls that you want to audit (related to IT), and if you need more information about each control you can refer to ISO 27002.

    This article can be interesting for you “The basic logic of ISO 27001: How does information security work?” : https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    And this article about how to develop a checklist for an internal audit for ISO 27001 can be also interesting for you “How to make an Internal Audit checklist for ISO 27001 / ISO 22301” : https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

    Finally, these materials will help you to know more about the security controls of ISO 27001 and how to audit them:
    - free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - free online training ISO 27001 Internal Auditor https://advisera.com/training/iso-27001-internal-auditor-course/
    - book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Implementing ISO 14001


    Answer:

    First, it would be better to implement ISO 14001:2015, because in this way you will avoid the transition process within the next two years.

    The first step in the implementation of ISO 14001 is to conduct a gap analysis to determine to what extent the organization already meets the requirements of the standard. The next step is to develop a project plan with defined activities and documents to be created in order to achieve full compliance with the standard. Then you need to create the documents and update your processes so they align with the standard.

    After the implementation, you need to conduct an internal audit and a management review to ensure that your EMS (Environmental Management System) is compliant with the standard, and finally you can hire a certification body to conduct the certification audit and issue your company the certificate.

    For more information, see:
    - ISO 14001 Implementation diagram https://info.advisera.com/14001academy/free-download/iso-14001-2015-implementation-diagram
    - 5 elements of a successful ISO 14001 project https://advisera.com/14001academy/blog/2015/03/23/5-elements-of-a-successful-iso-14001-project/
  • Process owners

    The process owners are usually defined in the part of the procedure that describes its purpose, scope and users. In our documentation, it is section 1 of each procedure.
  • OHSAS 18001 and transition to ISO 45001


    Answer:

    The purpose of both ISO 45001 and OHSAS 18001 is to help an organization establish an occupational health and safety management system. Currently, only OHSAS 18001 is published while ISO 45001 is in development, so at this point organizations can only implement OHSAS 18001.

    Once ISO 45001 is published (and this is expected in September 2017), organizations will be able to choose between those two standards and tailor their system according to one or both of them. If you decide to implement OHSAS 18001 and later make the transition to ISO 45001, you will have to update your system in order to make it ISO 45001 compliant.

    In this way you will do most of the work during the implementation of OHSAS 18001, and later you will have to update the system. This shouldn't take too much time, but it is hard to say at this point, since ISO 45001 is not published yet and we are not certain how much it will differ from OHSAS 18001. Given the experience with the transition of ISO 9001 and ISO 14001, the changes between OHSAS 18001 and ISO 45001 will be between 10 and 30%, so the transition wouldn't require a big effort.

    For more information, see: First glance at ISO/DIS 45001 – How different is it from OHSAS 18001? https://advisera.com/18001academy/blog/2016/01/20/first-glance-at-isodis-45001-how-different-is-it-from-ohsas-18001/
  • Aspects and risks


    Answer:

    The first difference is that environmental aspects must be documented, while risks and opportunities do not have to be. Regarding environmental aspects, the company must define a methodology for their evaluation and criteria for determining their significance. The process of identification and evaluation of environmental aspects is focused primarily on processes and their environmental impacts, while risks can emerge from any part of the context of the organization.

    Addressing risks and opportunities according to ISO 14001 does not require a documented procedure, an established methodology, or even a register of records; it only requires taking actions to address them and monitoring the effectiveness of these actions.

    For more information, see: ISO 14001 risks and opportunities vs. environmental aspects https://advisera.com/14001academy/blog/2016/06/06/iso-14001-risks-and-opportunities-vs-environmental-aspects/
  • Guide for the implementation of ISO 27001


    Answer:
    Of course! We have an easy method to implement the standard, composed of 16 steps. This method is applicable to any company, including a medium-sized insurance company:

    1.- Obtain management support
    2.- Treat it as a project
    3.- Define the scope
    4.- Write an ISMS Policy
    5.- Define the Risk Assessment methodology
    6.- Perform the risk assessment & risk treatment
    7.- Write the Statement of Applicability
    8.- Write the Risk Treatment Plan
    9.- Define how to measure the effectiveness of controls
    10.- Implement the controls & mandatory procedures
    11.- Implement training and awareness programs
    12.- Operate the ISMS
    13.- Monitor the ISMS
    14.- Internal audit
    15.- Management review
    16.- Corrective and preventive actions

    For more information about these steps, please read this article “ISO 27001 implementation checklist” : https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

    And this diagram can help you to start the implementation of the standard in your organization “Diagram of ISO 27001:2013 Implementation (PDF)” : https://advisera.com/27001academy/iso-management/begin-the-implementation/

    Finally, these materials will help you to know more about how to implement the standard:
    - free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Approving the security policies


    Answer: ISO 27001 specifically calls these documents "policies", so if you select those controls as applicable then you should call them that way; of course, you can also write additional guidelines which would be much more detailed, whereas you can leave the policies rather general.

    The reason I ask is because our Board has to endorse all policies, and for just the ISMS these are becoming quite heavy. As you can imagine, yearly endorsement of all policies within the company is a tremendous job anyway. Any advice would be helpful & appreciated.

    Answer: I'm not sure why your board would need to approve all the policies - you can define a rule by which they need to approve only the top-level documents like the Information Security Policy, implementation strategy or the budget; you can specify in that rule that detailed policies can be approved by someone else in your organization.

    These articles might also help you:
    - How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
    - 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
    - Seven steps for implementing policies and procedures https://advisera.com/27001academy/knowledgebase/seven-steps-for-implementing-policies-and-procedures//
  • Methodology for risk assessment in ISO 27001


    Answer:

    ISO 27001:2013 does not define a risk methodology, only requirements for the risk assessment and risk treatment process. There are many examples of risk methodologies; I would generally divide them into quantitative and qualitative (or combined) risk assessment.

    This article gives you a couple of examples of qualitative methodologies: How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/

    These materials will also teach you how to define the risk assessment methodology:
    - free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/