
  • Time-frame for OHSAS 18001 implementation

    2. How do I need to use local legislation? or will 18001 cover all ground?
    3. What do I need to consider with KPI values?

    Answer:

    1. The usual time-frame for implementation of OHSAS 18001 is three to six months, but it depends on the size of the company, the number of locations and the method you choose for the implementation. If you decide to do it completely by yourself, using only resources inside the company, it will take you from six months to a year. If you hire a consultant it will take from one month to three months, and this is the fastest way. The third option is to use some online tools like ours (OHSAS 18001 Documentation Toolkit https://advisera.com/18001academy/ohsas-18001-documentation-toolkit/), and in this case you will do it by yourself with our online support and it takes up to three months.

    2. OHSAS 18001 does not prevent organizations from applying legislation; on the contrary, it provides a framework for identification of applicable requirements and compliance assessment. It relies on application of the legislation but it cannot replace it. For more information, see: How to identify and comply with legal requirements in OHSAS 18001 https://advisera.com/18001academy/blog/2015/06/24/how-to-identify-and-comply-with-legal-requirements-in-ohsas-18001/

    3. A key performance indicator (KPI) is a measurement of a certain type of activity that a company or organization partakes in. Basically, you need to determine some values that relate to occupational health and safety, define target values, and monitor and measure those values over the year. For more information, see: How to establish and evaluate key performance indicators for OHSAS 18001 https://advisera.com/18001academy/blog/2015/07/22/how-to-establish-and-evaluate-key-performance-indicators-for-ohsas-18001/
  • Backup


    Answer:
    Backup is not strictly required in ISO 20000. That's just one of the recovery options which are part of the IT Service Continuity and Availability process. So, when you are preparing the IT Service Continuity plan, prepare backup options. And don't forget data recovery, i.e. tests where you will see how long it takes to recover all data.
  • Preparing for certification audit


    Answer:

    The first thing the certification body will look for is documentation, and this includes mandatory documents and records required by the standard (for more details, see List of mandatory documents required by ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/) and the documents that you determine as necessary for operating your QMS. This is usually audited during the 1st stage audit.

    In the second stage, the auditors will visit you on site and they will audit your processes and whether you are following the procedures and filling in the records.

    For more information, see: How to prepare your company for the ISO 9001 certification audit https://advisera.com/9001academy/03/how-to-prepare-your-company-for-the-iso-9001-certification-audit/
  • Checklist during an internal audit


    Answer:
    It is not mandatory. I mean, a checklist during the internal audit can be a best practice, but it is not mandatory, so the external auditor cannot raise a non-conformity about this (he can raise a non-conformity if you, for example, don’t have an internal audit program).

    You can see a complete list of mandatory documents (and non mandatory) here “List of mandatory documents required by ISO 27001 (2013 revision)” : https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

    Anyway, if you want to develop a checklist for the internal audit, this article can help you “How to make an Internal Audit checklist for ISO 27001 / ISO 22301” : https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

    Finally, these materials will help you to know more about the internal audit:
    - free online training ISO 27001 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
    - book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Scope of an ISMS


    I also have a doubt about how detailed I should define the scope. Since it is a small company, I plan to state in the document that the scope will be the whole company, and then indicate in detail which departments, which services and which processes will be covered. My doubt is whether I have to go into detail and specify, for example, which equipment, mobile devices, people and documents will be included?

    Finally, should I create a section called interfaces and dependencies? And what should I indicate in that section? My idea is that all the channels through which information flows to the outside should be analysed, as in the case of the router that connects to the IT provider.

    Answers:
    Regarding the first question, what matters for ISO 27001 is the protection of information, regardless of where it is. Therefore, your router can be included in the scope, but so can the server (if you control it), because it also contains information; although some things are managed by your provider, you can set some policies for your provider that it will have to implement. And you can include a section "Connections and interfaces" in your scope document, describing how your infrastructure is connected with your provider's infrastructure.

    Regarding the second question, it is not necessary to specify people, documents, etc.; you can simply define areas, processes or departments, etc.

    Regarding the third question, yes, you can include in your scope document a section "Interfaces and dependencies" (although this is not mandatory in the standard), and basically you have to consider the interfaces and dependencies between the scope of your ISMS and the outside. For example, you can draw your processes in a diagram inside one circle, and all the external processes (provided by your provider) in another circle.

    This article may be useful to you: “How to define the ISMS scope” : https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

    And also this other one: “Problems with defining the scope in ISO 27001” : https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    Finally, these materials will help you to learn more about how to define the scope:
    - free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Meaning of "ISO"


    Answer:

    It is a very common misconception that ISO is an abbreviation of the full name of the ISO organization, that is, International Standardization Organization. In fact it is short for the Greek word "isos", which means equal, and the reason for that is that the ISO organization wanted to emphasize its mission of creating the same set of rules for the entire world.
  • Inspection and traceability of implantable devices


    Answer:

    I assume you are asking regarding ISO 13485 and not ISO 9001 since requirements for inspection and traceability only exist in ISO 13485.

    ISO 13485 requires the organization to document a procedure for traceability, defining the extent of the traceability in accordance with applicable regulatory requirements and the records to be maintained. Specific traceability requirements for implantable devices include records of components, materials and, in some cases, conditions of the work environment used. All requirements regarding traceability of implantable devices can be found in clause 7.5.9.2 of ISO 13485:2016.

    The only additional requirement for inspection regarding implantable medical devices is recording the identity of the personnel performing inspection or testing; the rest of the requirements for inspection and testing are located in clause 8.2.6 of ISO 13485:2016.
  • Problems with very narrow ISMS scope


    The company is divided into 2 main parts, the computer operations centre and the rest of the company. If the scope of the ISO27001 project was going to be for the Security Operations Centre (SOC) exclusively, then am I correct in stating that any dependencies that the SOC has on IT, for example server infrastructure in the company domain, would result in the company data centre having to be included in the scope?

    Answer: I'm not really sure if it makes sense to include only your SOC in the ISMS scope, but this is theoretically possible. In a case of such a narrow scope, the main thing is to make sure you have interfaces to the "outside world" - in your case this outside world would be the rest of the company. So if you include server infrastructure in the scope, it would be extremely difficult to create an interface towards other users in your company - therefore, it is better to exclude the server infrastructure from such scope.

    If we put the AD and infrastructure the SOC needs into a DMZ that is shared by the SOC and the company, then how does that affect the scope for the 27001 implementation?

    Answer: Basically, the logic is the same as described above: probably the best idea is to keep the AD outside of the scope. Of course, this opens the question of what would be included in the scope then, which leaves us with the conclusion that such a small scope doesn't make much sense.

    Also, if the scope is set to be exclusively for the SOC, then it can be extended to the rest of the company, right? Or is it best to have 2 separate ISMSs, one for the company and one for the SOC?

    Answer: Yes, your scope can be extended to other parts of the company; it is a very bad idea to have two separate ISMSs in a company.

    See also these articles:
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

    This book will also help you with setting the scope: Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Developing a cryptography policy


    Answer:
    You can include in this policy basic rules related to cryptographic controls, for example: it is necessary to use software tools to encrypt hard disks, software tools to encrypt the information in emails, encryption for external connections, etc.

    For more information, this article may be interesting for you: “How to use the cryptography according to ISO 27001 control A.10” : https://advisera.com/27001academy/how-to-use-the-cryptography-according-to-iso-27001/

    And our template may also be interesting for you (you can download a free version by clicking on the “Free demo” tab): “Policy on the Use of Cryptographic Controls” : https://advisera.com/27001academy/documentation/policy-on-the-use-of-encryption/

    Finally, these materials will help you to know more about ISO 27001 and the cryptography controls:
    - free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/