
  • Internal auditor qualification

    ISO 27001 requires that people are competent to perform activities related to the Information Security Management System (ISMS), and for internal audit, this would mean knowledge or experience on ISO 27001 and the audit process.

    Considering that, for an internal audit, being a trained ISO 27001 internal auditor would be sufficient.

    These materials will provide you with a further explanation about internal auditor qualification:

  • Conformio documentation access

    First, it is important to note that unless you have specific requirements demanding the use of ISO 27017 and ISO 27018 (e.g., laws, regulations, or contracts), the controls available in ISO 27001 are sufficient to cover cloud security.

    Considering that, please note that the application of ISO 27017 and ISO 27018 controls follows the same principles as for ISO 27001: controls are selected according to the results of the risk assessment, applicable legal requirements, or a top management decision.

    As a result, to be compliant with ISO 27001 when using ISO 27017 and ISO 27018:

    • you need to implement the controls identified as needed to treat relevant risks or defined by legal requirements
    • you can skip controls for which you have no legal requirements and no relevant risks demanding their implementation
    • you can implement the ones top management considers to be good practice.

    This article will provide you with a further explanation about controls selection:

    These materials will also help you regarding controls selection:

  • Implementation of GDPR & ISO 27001

    First of all, sorry for this situation.

    By your question, I’m assuming you are also implementing ISO 20000.

    Considering that, in case your ISO 20000 scope includes information that is in the scope of the ISO 27001 and GDPR implementation, the best approach would be to use the Information Security Policy from the ISO 27001 & GDPR Integrated toolkit, including the specific information from the ISO 20000 Information Security Policy in it.

    If the ISO 20000 scope is not related to the information that is in the scope of the ISO 27001 and GDPR implementation, then you can use separate policies, because this way you would not define too strict limitations in your ISO 20000 implementation.

    This article will provide you with a further explanation about the integration of ISO 27001 and ISO 20000:

    These materials will also help you regarding ISO 27001 and ISO 20000:

  • Question about SaaMD

    Our ISO 13485:2016 & MDR documentation toolkit covers the requirements of the standard itself and the general requirements of the MDR. It does not cover the requirements of other standards required for a particular type of medical device. Thus, the toolkit does not cover the documentation requirements of IEC 62304:2006 Medical device software - Software life cycle processes.

    There are many types of medical products, and it is impossible for one toolkit to cover absolutely all the requirements for all types of medical products.

  • ISMS & BCMS risk assessment

    ISO 27001 does not prescribe how to evaluate risks, so you can choose the approach that better fits your needs.

    Considering that, you can use different scales for your ERM & BCMS and your ISMS. This difference is not a reason to raise a nonconformity, but the auditor may inquire about the reason for using a different scale, since using a single scale can make your risk management process easier (you wouldn’t need to convert values to compare risks from different frameworks).

    These articles will provide you with a further explanation about risk assessment:
    - ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment

    This material will also help you regarding risk assessment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

  • How to write a proposal for ISO 27001& 9001 and Partnership

    Generally, the proposal is based on time, so you need to calculate the estimated time for the implementation. For the estimation of the time, see:
    - How long does it take to implement ISO 27001 / BS 25999? https://advisera.com/27001academy/blog/2011/11/08/how-long-does-it-take-to-implement-iso-27001-bs-25999/ - you should also note that this is the time needed by companies that use our toolkits

    I suggest you use as a basis our free template "Project proposal for ISO 27001 / ISO 22301 implementation" (you can download a copy at this link: https://info.advisera.com/27001academy/free-download/project-proposal-for-iso-27001-iso-22301-implementation-msword), and include some information related to ISO 9001:
    - ISO 27001 vs. ISO 9001 matrix https://info.advisera.com/9001academy/free-download/iso-9001-2015-vs-iso-27001-2013-matrix

    Additionally, you can prepare a presentation based on the template "Project proposal for ISO 27001 implementation" (you can download a copy at this link: https://info.advisera.com/27001academy/free-download/project-proposal-for-iso-27001-implementation-powerpoint).

    This set of documents aimed at helping consultants may also help you: https://advisera.com/27001academy/consultants/

  • Specific German legal requirements

    Since we are not legal experts, in cases like yours we recommend that organizations hire local legal advisers to guide them in this requirement identification.

    What we can tell you is that the ISMS itself does not have legal requirements. These requirements are identified in relation to entities that are affected by, or can affect, your ISMS (e.g., employees, customers, suppliers, partners, government agencies, etc.).

    For further information, see:
    - How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
    - How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
    - Clause-by-clause explanation of ISO 27001 (PDF) https://info.advisera.com/27001academy/free-download/clause-by-clause-explanation-of-iso-27001 

  • indicators

    As far as I understand your situation, you can develop indicators about the implications of designing and developing the molds for the aim of producing the plastic parts.

    For example: number of defects related to mold design, cycle time related to mold design, amount of material going to waste/recycling related to mold design, actual cost of part vs. budgeted cost.

  • ROPA applicability

    If we are storing special categories of data for our own employees only and personal data of customers, should we maintain a ROPA?

    Yes, you should. The ROPA is one of the most important accountability instruments that the GDPR offers in case of an inspection by the Supervisory Authority.

    And is the processing of personal data of employees, such as payroll processing, considered "occasional"?

    No, it is periodic, so it is not occasional.

    The European group of experts who developed the GDPR and gave interpretation on the previous directives, the so-called WP29, stated that a processing activity can only be considered as “occasional” if it is not carried out regularly, and occurs outside the regular course of business or activity of the controller or processor.

    Therefore, payroll is not occasional processing.

  • Internal audit

    1 - In the ***, there is only one person actively working, but he is (of course) also shareholder. Would it be okay if he does the internal audit? In ***, we want to have the CTO as internal auditor. He doesn’t have shares, but he is part of Management. Would this be okay?

    ISO 27001 does not prescribe who must perform the internal audit; it only requires this person to have the proper competencies for auditing, and that any situations that could lead to a conflict of interest are avoided (e.g., a person should not audit his/her own work).

    Considering that:

    • for your first scenario, you should consider hiring an external auditor or sending a trained employee to perform the audit of the work performed by this single person
    • for your second scenario, you should consider hiring an external auditor, or using a trained employee to perform the audit of the processes the CTO works on

    This article will provide you with a further explanation about internal audit:

    This material will also help you regarding internal audit:

    2 - What would be the cost of an online training for these internal auditors?

    Advisera’s ISO 27001 Internal Auditor course is free to enroll (you only have to pay in case you want the course’s certificate). For more information about this course, please see:
