When preparing for an audit of the OHSMS it is important to realize that the management system cannot simply meet the requirements of ISO 45001; it also needs to incorporate legal and other requirements of interested parties, which is why the standard asks that you identify these as part of clause 4.2. What this means is that during an audit you are not asking questions about the standard, since people in the organization may not know what the standard says, but rather questions about the process that is implemented, which will include all requirements including ISO 45001.
This means what you need to do is to review the process in place to see what questions you need to ask to assess if the process is implemented as planned. If people are doing the process as planned, and the process meets the requirements of ISO 45001 and the needs and expectations of interested parties, then you are assessing if the requirements of the process are met in your audit.
You can learn more on how auditing works in the article: How to perform an internal audit using ISO 19011, https://info.advisera.com/free-download/how-to-perform-an-internal-audit-using-iso-19011
If you are working in the company, this would be considered a transfer of personal data (Transfers of personal data to third countries or international organizations) falling under Chapter V of the UK GDPR. So there should be a legal basis to be used. In your case, it depends on where your employment contract is. If your employment contract is in the UK but you reside outside the UK, that is not a problem. If your employment contract is outside the UK, but not in the EEA, then there should be a transfer mechanism in place, like standard contractual clauses or binding corporate rules, which should be signed between the UK company and your employer.
Please find more links here (references are for EU GDPR, but the text is the same):
If the headquarters of the organization is in the United Kingdom, then the UK GDPR would mainly apply. According to Article 3 – Territorial scope – of the EU GDPR, the Regulation would apply only if the company offers goods or services to people in the EEA, or if it monitors the behavior of people in the EEA. If the data is stored in Serbia, then a transfer takes place from the UK to Serbia. According to the UK GDPR, which is almost the same as the EU GDPR (with EU references removed), a suitable transfer mechanism should be used for compliant personal data transfer. In this case, the best transfer mechanism would be the UK Standard Contractual Clauses. The ICO, the UK’s Data Protection Authority, issued some new SCCs, called IDTAs (International Data Transfer Agreement), that can be used starting March 21, 2022.
You could explore developing Binding Corporate Rules (BCRs) for intra-group personal data international transfers, but they need to be approved by the supervisory authority (ICO in this case).
Please consult these links to find more details:
Items 8.5.1.5, 8.5.1.6, and 6.1.2.3 of the IATF 16949:2016 standard are generally related to maintenance.
I recommend that you review these requirements.
I have a question: "An organization is AS9100 Rev D certified, but the organization has had no production for one year from any customer, so how can compliance of the QMS be interpreted? How can internal audits be conducted? How can KPIs be translated? What does the standard say about how QMS compliance is to be evaluated if an organization has had no customer for a long time?"
Certification is possible only if you fulfill all clauses from sections 4 to 10, and the applicable controls from ISO 27001 Annex A, so it is not possible to be certified against only part of ISO 27001 clauses.
What you can do is define an ISMS scope covering only part of the organization, a part for which you can fulfill all requirements of the standard.
For certification we suggest you take a look at these Advisera resources:
- ISO 27001 Documentation Toolkit https://advisera.com/27001academy/iso-27001-documentation-toolkit/
- Conformio (online tool for ISO 27001) https://advisera.com/conformio/
These articles will provide you with a further explanation about ISO 27001 implementation:
- ISO 27001 implementation steps https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
Your understanding that an asset needs to have a security element for it to be considered in the ISMS scope is correct.
For ISO 27001, an asset is anything of value to the organization in terms of confidentiality, integrity, and availability of information.
Considering that, if the asset is related to information that your ISMS needs to protect, then it needs to be considered. In your examples, users' passwords need to be protected, making the work instruction procedure for changing users' passwords part of the scope, while a marketing brochure, which does not need to be protected, would not be considered.
In the Risk Assessment Sheet included in the toolkit there is a list of assets you can use.
We have the same understanding.
The correct understanding of the assets, and related threats and vulnerabilities, is a critical factor for a successful risk assessment and treatment.
To handle them properly, you need to consider involving personnel who work with such assets during the assessment.
This article will provide you with a further explanation about risk assessment:
Great, thanks. I have a training and awareness plan policy already so I guess this should cover it.