
  • Setting up EMS in construction company


    Answer:

    The first step in the implementation of an environmental management system according to ISO 14001 is to conduct a gap analysis to determine to what extent your organization is already compliant with the standard and to define the activities needed to achieve full compliance. You can find the free gap analysis tool here: https://advisera.com/14001academy/iso-14001-gap-analysis-tool/

    Once you have determined the gaps, you need to establish a project plan in which you define all activities, resources, responsibilities and deadlines for the implementation. Here you can find a free Project Plan for ISO 14001 implementation: https://advisera.com/14001academy/free-downloads/
  • Implementing OHSAS 18001 in pharmaceutical industry


    Answer:

    The process of OHSAS 18001 implementation is the same for every industry. First you need to conduct a gap analysis to determine to what level your organization is already compliant with the standard and to identify the gaps between the existing occupational health and safety system in the company and OHSAS 18001.

    Once you have determined the gaps, you need to create a project plan that will help you during the implementation. This is not a mandatory step, but it can be very helpful in avoiding missing something. In the project plan you need to determine the activities, resources, responsibilities and deadlines, and then you can start with the implementation. Here you can find a free sample Project Plan for OHSAS 18001 implementation: https://advisera.com/18001academy/free-downloads/

    You can find the full list of steps in the implementation process here: OHSAS 18001 Implementation diagram http://advisera.com/18001academy/free-downloads/

    As far as the mandatory documents are concerned, here is an article that can be helpful: Which criteria to apply when deciding about OHSAS 18001 documentation https://advisera.com/18001academy/blog/2015/06/03/which-criteria-to-apply-when-deciding-about-ohsas-18001-documentation/
  • Risks and opportunities and context of the organization


    Answer:

    Context of the organization and the risks and opportunities are closely related. Without a proper definition of the context of the organization there cannot be proper identification of risks and opportunities. The best way to start is to determine the context of the organization and all its elements. For more information, see: How to identify the context of the organization in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/

    The next step is to determine the methodology for identification and evaluation of risks and opportunities. At this moment there is a lot of discussion regarding the methodology, and the most frequently mentioned methodology is FMEA. However, I think that FMEA cannot cover the entire scope of clause 6.1, since the requirement is to address risks and opportunities emerging from the context, and FMEA and other methodologies focus mostly on processes. So, I suggest using simpler methodologies such as SWOT analysis and involving as many relevant people in the company as possible. In this way you will ensure that all elements of the context are considered during identification and evaluation of risks and opportunities. For more information, see Methodology for ISO 9001 Risk Analysis https://advisera.com/9001academy/blog/2015/09/01/methodology-for-iso-9001-risk-analysis/

    Then you need to make plans to address risks and opportunities, and this includes dedicating resources, assigning responsibilities and defining deadlines for the plans' realization. The final step is to evaluate the effectiveness of the actions taken, and this is usually done during the management review.
  • SLA violation


    Answer:
    I assume you would like to know how to calculate SLA time and, consequently, know whether the SLA is breached or not.
    The SLA clock starts counting as soon as an incident is opened. It stops once the incident comes to the status "resolved". The user should still get an opportunity to confirm the resolution (if the tool allows that).
    But be careful with that: define, in the SLA, the maximum time allowed for the user to confirm incident resolution (e.g. 48 hours or 72 hours). Otherwise, some incidents will never be closed (users just don't send any feedback).
    Read the article "ITIL Incident Management – How does it influence customer satisfaction?" https://advisera.com/20000academy/blog/2016/03/22/itil-incident-management-how-does-it-influence-customer-satisfaction/ to learn more.
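    The SLA clock rules described in the answer above (start at opening, stop at "resolved", a bounded confirmation window so unconfirmed tickets are auto-closed), as an added example that is not part of the original answer or of any Advisera tool. The resolution target of 8 hours, the 72-hour confirmation window, the calendar-time (24x7) clock and the three sample tickets are all assumptions constructed for illustration; a real SLA would also define business hours and pause states, which this example deliberately leaves out.

    ```python
    from dataclasses import dataclass
    from datetime import datetime, timedelta
    from typing import Optional

    # Illustrative SLA parameters (assumptions, not values from the page):
    # the resolution target and the maximum time a user gets to confirm a resolution.
    RESOLUTION_TARGET = timedelta(hours=8)
    CONFIRMATION_WINDOW = timedelta(hours=72)


    @dataclass
    class Incident:
        ident: str
        opened_at: datetime                      # SLA clock starts here
        resolved_at: Optional[datetime] = None   # SLA clock stops here
        confirmed_at: Optional[datetime] = None  # user confirmed the resolution (may never happen)


    def sla_elapsed(inc: Incident, now: datetime) -> timedelta:
        """Time counted against the SLA: from opening until resolution, or until
        'now' for an incident that is still open. Calendar time, 24x7 (assumption)."""
        end = inc.resolved_at if inc.resolved_at is not None else now
        return end - inc.opened_at


    def is_breached(inc: Incident, now: datetime,
                    target: timedelta = RESOLUTION_TARGET) -> bool:
        """Breached when the running or final SLA time exceeds the target.
        An open incident can already be breached; it need not be resolved first."""
        return sla_elapsed(inc, now) > target


    def closure_status(inc: Incident, now: datetime,
                       window: timedelta = CONFIRMATION_WINDOW) -> str:
        """Lifecycle state, including the auto-close rule from the answer so that
        resolved-but-unconfirmed incidents do not stay open forever."""
        if inc.resolved_at is None:
            return "open"
        if inc.confirmed_at is not None:
            return "closed"
        if now - inc.resolved_at >= window:
            return "auto-closed"            # window passed with no user feedback
        return "awaiting-confirmation"


    def sla_report(incidents, now: datetime):
        """One row per incident: SLA hours consumed, breach flag and lifecycle state."""
        return [
            {
                "id": inc.ident,
                "sla_hours": round(sla_elapsed(inc, now).total_seconds() / 3600, 1),
                "breached": is_breached(inc, now),
                "status": closure_status(inc, now),
            }
            for inc in incidents
        ]


    # Constructed sample tickets (not real data).
    NOW = datetime(2016, 3, 27, 12, 0)
    SAMPLE_INCIDENTS = [
        # resolved in 3 h and confirmed by the user the same day
        Incident("INC-1", datetime(2016, 3, 22, 9, 0),
                 datetime(2016, 3, 22, 12, 0), datetime(2016, 3, 22, 13, 0)),
        # resolved after 25 h, user never confirmed -> auto-closed after 72 h
        Incident("INC-2", datetime(2016, 3, 22, 9, 0), datetime(2016, 3, 23, 10, 0)),
        # still open 52 h after opening -> already breached while open
        Incident("INC-3", datetime(2016, 3, 25, 8, 0)),
    ]

    if __name__ == "__main__":
        for row in sla_report(SAMPLE_INCIDENTS, NOW):
            print(row)
    ```

    Note that the clock is measured against `resolved_at`, not the closure time: the confirmation window never counts against the SLA, which is why the window has to be bounded separately, exactly as the answer recommends.
    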
  • The transition is not that easy

    I am working now on interested parties and trying to get to the context of the organization but need some guidance. Since our audits have been so good, everyone in the company feels that the transition is simple and we don't need much guidance, as a result we have done pretty much nothing. I am afraid that the time is passing and we have not much accomplished.

    Answer:

    Since you have a good system in your company, the transition can go smoothly, but that doesn't mean it won't require effort, especially because you are doing it by yourself. Identification of interested parties is a good way to start defining the context of the organization; however, it will require other aspects of the context to be defined, and this can't be done without the engagement of top management. Defining the context of the organization is now one of the most important steps, because it will influence the way you identify risks and opportunities and also other parts of your system, so it is crucial to engage all relevant roles in the company to define the context correctly and with a sufficient level of detail. For more information, see How to identify the context of the organization in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/

    Also, this article might be helpful to you during planning of the transition: How to make the transition from ISO 9001:2008 revision to the 2015 revision https://advisera.com/9001academy/blog/2015/10/06/how-to-make-the-transition-from-iso-90012008-revision-to-the-2015-revision/
  • Improvement and continual improvement

    Thank you M. Strahinja for your answer :)
  • A.7.2.3 Disciplinary process


    Answer: A disciplinary process can take many forms, from a verbal warning or written warning, to a decrease in salary, all the way to cancelling the employment contract. The appropriate option should be chosen based on the severity of the incident the employee has caused.

    We do not have a template that is focused on disciplinary actions, but they are briefly mentioned in these documents:
    - Incident management procedure: https://advisera.com/27001academy/documentation/incident-management-procedure/
    - Statement of acceptance of ISMS documents: https://advisera.com/27001academy/documentation/statement-of-acceptance-of-isms-documents/
  • QMS and ISMS


    2. Can the MR of the QMS also act as MR for the ISMS? Or should only a software professional be appointed as MR?

    3. We have a procedure for data and document control for the QMS. Can this be amended to include soft copy data / information and be used for the ISMS?

    Answers:
    1.- It is not mandatory; I mean, it is not only a software professional who can be trained as an auditor. This article can be interesting for you: “Qualifications for an ISO 27001 Internal Auditor” https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/

    2.- From my point of view, an MR (Management Representative) is a fundamental part of a QMS and of an ISMS, and this profile is necessary for both systems, but it is not necessary that it has a specific profile like a software professional (remember that ISO 27001 is about information security, so it covers many areas: IT, HR, compliance, etc.). So, yes, the MR of the QMS can act as MR for the ISMS.

    3.- For me, data/document control and soft copy data/information are completely different things (I suppose that by soft copy data/information you mean the software to copy data/information, which in the context of ISO 27001 is backup software), so from my point of view it is better if you separate their procedures into different documents, although it is only my point of view, and there is no problem if you decide to integrate both in a single document.

    By the way, our online course about internal auditor can be interesting for you to become internal auditor “ISO 27001:2013 Internal Auditor Course” : https://advisera.com/training/iso-27001-internal-auditor-course/
  • Knowing audit aspects and methodologies


    Answer:
    If you want to know the aspects and methodologies for performing an internal audit, you can follow our online course, which will give you all the information needed to carry out an internal audit (although the course is currently in English): “ISO 27001:2013 Internal Auditor Course” https://advisera.com/training/iso-27001-internal-auditor-course/

    By the way, you can also develop your own checklist for performing an audit, so this article may also be interesting for you: “How to make an Internal Audit checklist for ISO 27001 / ISO 22301” https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
  • Security organizations and security roles


    Answer: This is not entirely true - you have to build an Information Security Management System, the term "Security organization" is not mentioned in the standard. See this article: What is an Information Security Management System (ISMS) according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/23/information-security-management-system-isms-according-iso-27001/

    How important are the roles? For example, can a person's title be “Network Engineer” and their role be information security officer? Is this understanding correct: an organization should have security roles reflected as HR titles as well?

    Answer: It is very important to clearly define roles and responsibilities. In smaller companies it does make sense to give the role of information security management to an employee who will perform this role together with his other regular duties. The standard doesn't require this, but you can give a title to this security role, e.g. Chief Information Security Officer, Information Security Officer, Security Manager, or similar.

    See also these articles:
    - Chief Information Security Officer (CISO) – where does he belong in an org chart? https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/
    - What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/