  • Register of Requirements — how detailed should it get?

    Please note that the "cybersecurity requirements" to be included in the register are those defined in the customer contracts (e.g., data backup, need for data segregation, right to audit, etc.). You can either write the requirements in the register or only refer to contract clauses.

    The link between the legal register and the Statement of Applicability will be the ISO 27001 Annex A controls applied to fulfill the contractual requirements. For example:

    • data backup: A.12.3.1 Information backup
    • need for data segregation: A.13.1.3 Segregation in networks
    • right to audit: A.12.7.1 Information systems audit controls

    In Conformio this is performed during risk assessment and treatment when you identify relevant risks of legal requirements compromise and define the necessary controls to be applied for risk treatment (these will be displayed in the SoA).

    Additionally, once security policies and procedures are being written, Conformio reminds users about the relevant requirements from the Register of Requirements.

  • How to find and choose a good certification body for ISO 27001

    Elements you should consider when selecting a certification body are at least these ones:

    • Reputation.
    • Accreditation.
    • Specialization in your industry.
    • Experience.
    • Integrated audit.
    • Flexibility.
    • Required maturity for certification.
    • Language.

    For further information, see:

    Regarding certification costs, this will depend on the size and complexity of the scope, so without more detailed information, it is not possible to provide you a precise estimation.

    There are a significant number of variables to be considered when estimating the certification cost, such as size and complexity of the scope, number of employees, number of sites, etc.

  • Including opportunities in ISO 14001 register

    About risks and opportunities in ISO 14001:2015 I recommend reading Annex A.6.1.1. What does your organization want from the Environmental Management System (EMS)?

    https://www.screencast.com/users/ccruz5284/folders/Default/media/251ea67c-cd40-4465-908e-14cddbd60f16

    How is this done? With a set of action plans:

    https://www.screencast.com/users/ccruz5284/folders/Default/media/bf850849-e208-4f95-bb58-93fba4685729

    Risks and opportunities are:

    https://www.screencast.com/users/ccruz5284/folders/Default/media/eade82e8-3d97-44e1-93b5-6ad8100ed605

    What A.6.1.1 tells us is:

    • Look into your list of environmental aspects, which can create risks and opportunities. Your significant aspects can generate significant impacts and those can be seen as risks and opportunities
    • Look into your list of compliance obligations, are there risks of failing to comply, or opportunities to be better than compliance obligations?
    • Look into your context and interested parties, which can create risks and opportunities? For example, trends in environmental legislation, trends in neighborhood or client’s sentiment about your organization’s environmental performance.

    Currently I’m working with an industrial organization where we considered as opportunities:

    • Starting to use solar energy in order to reduce CO2 emissions
    • Starting to use water-based adhesives in order to reduce use of volatile organic compounds
    • Change waste operators in order to reduce amount of wastes going to landfill

    Think about your environmental objectives and determine actions that can improve your performance towards them.

    Please check this information below with more detailed answers:

  • How to drive opportunity reports by IQA team

    First you need to identify the opportunity. This can be done using a SWOT analysis where you look at the Strengths, Weaknesses, Opportunities and Threats. Once you identify the opportunity, you will need to assess if it is significant or it is not. For that purpose you can use simple criteria such as impact and probability. If the opportunity is significant you will need to take the necessary actions to conduct it, defining resources needed, responsibilities, deadlines, etc. In addition you will need to assess the effectiveness of the actions taken in order to implement that opportunity within your organization. This information should be included in the reports.

    For more information about how to drive opportunity reports see the following materials:

    - How to address risks and opportunities in ISO 9001: https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/

    - Enrol this free course - ISO 9001 Foundations course: https://advisera.com/training/iso-9001-foundations-course/

    - Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • GDPR Certification Exam

    1 - It is my intention to write the GDPR Certification Exam the end of this Month.

    I trust that this will create the Environment that will enable me to write both ISO 27001 Lead Implementor and Lead Auditor Exams.

    GDPR certification is not enough to cover all necessary knowledge for ISO 27001 Lead Implementor and Lead Auditor Exams (normally the certification path is the other way around).

    Please note that GDPR defines requirements for privacy protection, while ISO 27001 provides requirements for information security in general, so ISO 27001 is more comprehensive, and someone needs more knowledge before going for ISO 27001 Lead Implementor and Lead Auditor Exams.

    For further information, see:

    2 - I would really appreciate any Communications regarding progress on Creation of Advisers POPIA Content and an opportunity to present same to a number of Corporate and Government Clients in our portfolio.

    Please be assured of my commitment to broadening my ISO Certifications based upon the Advisers offerings.

    We have POPIA (the South African law for data protection and privacy) in our product pipeline for development, but not for at least the next twelve months.

  • ISO 27001 - Capacity SaaS

    Even when using SaaS you can define capacity planning, but the performance indicators need to be related to the service, not hardware elements, because, as you said, these are not under your control.

    In this case, you should consider elements like the number of simultaneous users, or other elements you can measure from your side, like hours of use, requests per second. In all cases, you need to consider the impact of communication links in these measurements (a bad link can make it impossible for you to achieve all performance made available by the SaaS provider).

    But please note that capacity planning for ISO 27001 would be required only if relevant risks, or legal requirements, demand implementation of control A.12.1.3 Capacity management.

    For further information, see:

  • Information/data retention and destruction policy

    Template A.11.2 - Disposal and Destruction Policy is the template to be used to define a retention and destruction policy.

    This article will provide you a further explanation about information disposal:

    This material will also help you regarding information disposal:

  • DPIA’s and Clients' data

    Yes, you are right, a DPIA is an obligation of the data controller. As a data processor, you may suggest to your client to conduct a DPIA and help them in the process, but you don't need it if the controller does not require it. About data you process as a controller, you need to determine if the monitoring falls under the scope of Article 35 GDPR. If a DPIA is required, I would suggest you use the tool that the CNIL (the French Data Protection Authority) implemented; it is in English and it guides controllers through the assessment process.

    Here you can find more information about the DPIA process:

    If you need to understand how to implement the EU GDPR you can consider enrolling in our free EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/ 

  • ISO 9001 Surveillance audit

    This is new for me. I never heard of such a situation. Your contract is with a particular Certification Body. So, your organization by changing the Certification Body must restart the certification process with a new Certification Body. If I were in your shoes I would contact the Accreditation Body mentioned in your certificate to ask them for guidance.

  • Impartiality

    There are many possible impacts to compromised impartiality; it all depends on what the event issue is/was. This is the reason a risk-based approach is required. For the purposes of ISO 17025 the objectives of technical competency and consistent results and any other set objectives or mandatory requirements must be protected from lack of impartiality. This means that compromised impartiality is a nonconforming event and must be addressed as a priority. Follow your process and determine root cause and suitable corrective actions.

    For examples, and further information, have a look at my replies to similar questions:

    For more information on Impartiality, also have a look at the article How to ensure impartiality in an ISO 17025 laboratory at https://advisera.com/17025academy/blog/2020/10/12/ensuring-impartiality-in-an-iso-17025-laboratory/ and the ISO 17025 toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/
