Implementing ISO 27001 and ISO 22301 considering only internal needs is acceptable for certification purposes. In this case, the “customers” can be some of the organization’s own internal departments (e.g., Projects department as a customer of IT department, Accounting department as a customer of the Sales department, etc.).
Later, when and if you identify the need, you can expand the certification scope to cover the organization’s Customer’s security and Service availability requirements.
These articles will provide you a further explanation about the scope definition and interested parties:
1. Seems like you are informing me through Conformio that I should prepare Policies with Annex A controls to incorporate into them (as it seems in the Project Plan). For example, Title: Incident Response Policy, we will mention the Annex A controls in it. Shouldn't we just have a folder A.16 Information Security Incident Management and files A.16.1 Responsibilities, A.16.1.2 Reporting Information Security Events, A.16.1.3 Reporting Information Security Weaknesses, A.16.1.4 Assessment of and Decision on Information Security Events, etc.?
Please note that organizing documents as you suggest only makes them more difficult to read and maintain.
Considering your example, instead of a single document defining how incident management is implemented you would have to keep seven independent documents.
Additionally, when you have a document that refers to controls from different sections (e.g., the Supplier Security Policy refers to controls from sections A.7, A.8, A.14, and A.15), reading and maintenance become even more difficult.
For further information, see:
2. Is there a Tool JUST on Risk Assessment?
To perform just risk assessment we have the Risk Assessment Toolkit (https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/), which comprises the following documents:
This article will provide you a further explanation about risk assessment:
These materials will also help you regarding risk assessment:
1 - Do you have a presentation that shares some insight on the opposite route - Using ISO 27001 for implementing ISO 9001?
These materials can give you the insights you are looking for:
2 - And would there be any value in going down that route, given our customers do not normally require ISO 9001?
Please note that besides benefits for the customer (which are the main drive for ISO 9001), the organization itself can benefit from implementing ISO 9001:
So, even if customers do not require it, implementing ISO 9001 can bring value to the organization.
For further information, see:
1 - Here is the practice I've found (part 1): After reading one of your articles (https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/) I found that I just had to cut things into smaller pieces. Your article is also a nice argument since the architect manager had told me he prefers bible documents, and my manager doesn't like the idea at all. That article really is a great help for me. Thanks for writing it. You're the only expert to provide such information on policies organization. After reading an article from another expert I've also decided to cut the documents per Management System and to respect an integration logic. Here are the systems to integrate at the document level I've already listed: QMS, SMS, ISMS, PMS, UMS, CMS, OHSMS, FSMS, EMS. I hope this is the good logic since your article is not covering the integration aspect of policy management. What's your opinion?
Your logic is sound because you are separating the systems according to their core processes.
Regarding integration of policy management, ISO management systems have a lot of requirements in common, which allow using single documents with minor adjustments to cover core issues from several management systems (e.g., document and record control, internal audit, management review, corrective actions, etc.).
For further information, see:
Here is where I'm stuck: For the moment I've found that documents storage should be organized with a classification plan that should reflect the processes logic. It sounds quite reasonable even if it is hard to visualize a SharePoint site design per process. I've also found that policies are produced by pilot processes. So OK, but policies are also used by operational managers as entry points when designing their own processes. From that on I'm stuck. How do classification plans manage the documents that are shared between process owners? I've not been able to find an example of IT documentation storage yet to help me find the answer to that question or to find out if the "process logic" was the correct goal for IT processes document classification. Is there something about classification plans of processes documents in security standards? Can you give me hints or advice so I can start writing a classification plan that can be used by SharePoint experts to build a nice & secured documentation site to host the old documents and the new policies? Thanks.
If I understood correctly, you are asking about access control management. ISO 27001 does not prescribe how to do that, only main guidelines on what you need to achieve, so you can use any logic that fits the organization's needs.
Considering that, to build the structure you need to allow people to have access only to the documents they need to do their work, you should consider developing access control profiles according to required needs. In this case, you should:
As for roles/persons you can have, for example, developers, managers, architects, a specific person, etc. As for access rights you can have, for example, read access and edit access.
As for the idea of “process logic”, you can use them as a base for your profiles. Something like:
Since you’ve mentioned international access, you can further detail profiles by classifying them according to countries (e.g., Operational processes – step n – country m).
To see how this can be defined in terms of a policy, please take a look at this template: https://advisera.com/27001academy/documentation/access-control-policy/
For further information, see:
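One way to express the profile idea from this answer in code, as an added example that is not Advisera's or the template's own: documents are labelled by (process, step, country), each profile grants read or edit rights on a label pattern, and anything not explicitly granted is denied. All roles, labels and the profile table are constructed for illustration.

```python
"""Access-control profiles for a process-organised document store.

Constructed example: each document carries a (process, step, country)
label; a profile grants one right on a label pattern, where "*" matches
any value. Access is deny-by-default, so a missing profile means no access.
"""
from dataclasses import dataclass

RIGHTS = {"read": 1, "edit": 2}  # edit implies read


@dataclass(frozen=True)
class Profile:
    role: str      # hypothetical role, e.g. "developer", "architect"
    process: str   # e.g. "Operational processes" or "*"
    step: str      # e.g. "step 2" or "*"
    country: str   # e.g. "FR" or "*"
    right: str     # "read" or "edit"

    def matches(self, label):
        """True if every pattern field equals the label field or is '*'."""
        proc, step, country = label
        pairs = ((self.process, proc), (self.step, step), (self.country, country))
        return all(pattern in ("*", value) for pattern, value in pairs)


# Constructed profile table (hypothetical roles and labels).
PROFILES = [
    Profile("developer", "Operational processes", "*", "FR", "read"),
    Profile("developer", "Operational processes", "step 2", "FR", "edit"),
    Profile("architect", "*", "*", "*", "read"),
    Profile("manager", "Pilot processes", "*", "*", "edit"),
]


def allowed(roles, label, action, profiles=PROFILES):
    """Return True if any of the user's roles grants `action` on `label`.

    Unknown actions and labels with no matching profile are denied,
    which is the least-privilege default the answer recommends.
    """
    needed = RIGHTS.get(action)
    if needed is None:
        return False
    return any(
        p.role in roles and p.matches(label) and RIGHTS[p.right] >= needed
        for p in profiles
    )


def effective_rights(roles, label, profiles=PROFILES):
    """List the actions a set of roles can perform on one document label."""
    return [a for a in RIGHTS if allowed(roles, label, a, profiles)]
```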
1. Can DPO have another role in the company except this one?
Yes, as long as the role is not in a conflict of interest with the DPO role. Namely, the DPO shouldn’t approve his or her own processing operations. The DPO cannot be someone from marketing, or from sales, or from operations, or from legal department and so on. This is mentioned in article 38 – Position of the data protection officer – in GDPR, paragraph 6: “such tasks and duties do not result in a conflict of interests”.
2. Can a DPO be an external consultant/contractor?
Yes. Article 37 - Designation of the data protection officer – paragraph 6 mentions that “The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.”
You can find more details at these links:
You asked
about Resource Requirements, 5.5 Metrological Traceability. As we are testing laboratory and not offering any calibration services does 5.5 need to stay in our Quality Manual or can I delete this?
No, you cannot delete clause 6.5. Metrological traceability relates to measurement results, i.e., in your case, your test results. All testing laboratories must establish and maintain metrological traceability of their measurement results. This is done via a documented unbroken chain of calibrations. For example, when you weigh a sample on a laboratory balance, the balance must have a calibration with certificate where the calibration was performed according to ISO 17025 calibration requirements (e.g., traceable weight set). This is one link in the chain.
I suggest you read through the standard carefully – especially clause 6.4, 6.5 and Annex A and have a look at a similar question at https://community.advisera.com/topic/preparing-procedure-on-meteorological-traceability/. There are some links there that will help you.
You also asked
17025 clause 8.1.3 Option B, our lab complies with option B so does that mean I can delete 7.2-7.9 from my Quality manual?
No, you cannot delete clauses 7.2 to 7.9. If the laboratory already has ISO 9001 certification, then Option B applies. Clause 8.1.3 states two things.
Because an ISO 9001 QMS is in place, at least the intent of the management system requirements of ISO 17025, specified in 8.2 to 8.9, is met. The laboratory must include the management of tests on their scope in the 8.2 to 8.9 process, e.g., audit your test methods, and manage nonconformances and corrective actions as per your established (or modified) processes.
The laboratory must also establish and demonstrate the consistent fulfilment of the requirements of Clauses 4 to 7, i.e., add the requirements of clauses 4 to 7 to the existing ISO 9001 QMS.
For more information and resource links, see a similar question and reply to ISO 17025 Quality Manual Option B at https://community.advisera.com/topic/iso-17025-quality-manual-option-b/
ISO 9001:2015 does not explicitly mention the term preventive action. However, the standard includes, in practice, the development of preventive actions by introducing the concept of the risk-based approach. When you assess the risks of a product or a process, and you decide to act, you are actually taking preventive action.
You can find more information below:
year enlarge that scope. For example, many hospitals do it. They start with a service like blood analysis, and then enlarge with radiology, and then with urology, and so on.
So, if you use the word departments in this way, your company can do it.
You can find more information below:
Processing personal data for statistics, even though the personal identifiers are removed, is still considered a personal data processing operation and it falls under GDPR, if the state is a member of EEA or if the affected data subjects are on EEA territory. However, the publishing of de-identified personal data is not considered processing of personal data, unless the data can be used to identify a data subject. The key to understanding this is the definition of “personal data” in article 4 GDPR: “any information relating to an identified or identifiable natural person (‘data subject’)”. So if the information published by a state leads to the identification of a natural person – either by another person or by an algorithm – that information is considered personal data.
You can find more details at this link: