ISO 9001:2015 does not mention the existence of a quality manual. Please check this article about mandatory documentation - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
So, it is not mandatory to have a quality manual, nor is it forbidden to have one. I recommend that organizations have a quality manual, but it is just a recommendation. You can find a suggestion for the quality manual content in this article - The future of the Quality Manual in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/the-future-of-the-quality-manual-in-iso-90012015/
The following material will provide you with information about the quality manual:
Therefore, data transfer between the EU and the US cannot be based on the Privacy Shield. Controllers need to implement additional and appropriate safeguards. The European Court of Justice left the Standard Contractual Clauses and the Binding Corporate Rules as the other legal bases for data transfer.
If you need to know more about how to transfer data to third countries under the EU GDPR, here you can find more information:
You can also consider enrolling in this free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
You can create a single asset named "laptop" associated with all the common threats and vulnerabilities they face. In case you have risks specific to certain laptops, you can create additional assets, like "sales laptop" or "development laptop", and associate with them the specific threats and vulnerabilities.
This article will provide you with a further explanation about managing assets:
By the way, included in the toolkit you bought, you have access to a video tutorial that can help you fill in the risk assessment table.
ISO 27001 does not prescribe how to write a document, so both approaches (having two documents or a single one) are acceptable to the standard.
In this case, your decision should be based on how big and complex a single document would be because this can make it more difficult for people to read, understand, and use it properly.
To see what an Information Security Policy and an Information Technology Security Policy compliant with ISO 27001 look like, please access the free demo of these templates:
These articles will provide you with a further explanation about how to develop documents:
These materials will also help you regarding ISO 27001:
"What questions to ask management when planning the audit?"
Answer:
ISO 14001:2015 requests example, commitment, and leadership from top management. Think about auditing top management on management review, environmental policy and objectives, compliance evaluation results, context, risks, and strategic orientation. I wrote this article about the topic of auditing top management - How to perform an ISO 9001 audit of top management without fear - https://advisera.com/9001academy/blog/2019/05/15/iso-9001-top-management-audit-how-to-perform-it-successfully/ - perhaps it can be useful for you.
"What system should be used to select a sample, or can anyone just select the sample he/she thinks is right?"
Answer:
An auditor may choose between a statistical and a nonstatistical approach to audit sampling. Normally, during internal audits, you don't need to follow a standard like ISO 28590 to determine the sample size. You need to pick a sample that is not biased; for example, if you are auditing the environmental practices of an organization that works 24 hours a day, also audit the night shift. And you need to pick a sample size that gives you confidence in a conclusion. If you have 20 containers for segregating wastes, you don't just check one to conclude that everything is OK or NOK.
You can find practical information in the links below:
"Does it mean the certification body cannot raise any NCR during certification if the company's internal audit was conducted by non-qualified auditors?"
Answer:
Attention! Any certification body, and I as an auditor too, will raise an NCR during an audit if the company's internal audit was conducted by non-qualified auditors.
Any organization has to use qualified auditors. Perhaps what is generating some confusion is this: each organization has to determine what its qualification requirements for internal auditors are, and each organization has the authority to determine what its competence requirements are. Then, during the certification audit, organizations have to provide evidence that their auditors comply with those requirements.
The following material will provide you with information about internal auditors:
In case the NDA identified in the SLA you have with your provider fulfills all your needs (you should confirm that with a legal expert, based on the results of the risk assessment and applicable legal requirements), and is regularly reviewed, then this situation is compliant with the requirements of control A.13.2.4 - Confidentiality or nondisclosure agreements.
Regarding control A.15.1.2 – the identification of the NDA in the SLA provided by the supplier is acceptable, but please note that you also need to verify if other relevant risks related to this supplier are also covered by security clauses in the SLA.
These articles will provide you with a further explanation about supplier management:
These materials will also help you regarding supplier management:
You should ask for this information from the certification body with which you plan to work, because it is the certification body that plans the audits you will be included in (e.g., you may be included in three audits in sequence, or one audit per month, etc.). In general, a single certification audit may last between 3 and 5 days, depending on the size and complexity of the scope.
For further information, see:
The data protection policy is an internal document that shows how the company deals with personal data, and it is not published in contracts, so maybe you are referring to clauses on data protection in your contracts (yes, you should have them) or to a data protection agreement as an annex to contracts signed with clients or suppliers (it is required if the contract involves the transfer of data between the two subjects). The privacy policy on the website usually describes how personal data collected through the website are processed; it may also cover data processing made by the company with personal data of clients (e.g., if there is an online shop). Of course, if your privacy policy on the website describes how your company processes data of clients, employees, and suppliers, you can state in your contract that data are processed according to the privacy policy available on the website (remember to insert the link).
Here you can find more information about the privacy notice.
If you need to understand how to process personal data under GDPR, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
Normally, those documents are issued in digital form. So, to control those documents you need to control the software that issues them. That way you don't need to show identification numbers, revision, and revision date.
By the way, since you use the wording "external documents", please check this article - What does "external documents control" mean in ISO 9001? - https://advisera.com/9001academy/blog/2019/02/04/what-does-external-documents-control-mean-in-iso-9001/
You can find more information below: