Search results


  • Data Protection Officer

    Yes, you can appoint an internal Data Protection Officer (DPO) who should have knowledge in GDPR and data protection legislation. 

    Article 38 GDPR does not prescribe the position as internal or external; the choice is left up to the controller. It is important that the person appointed has independence from the board and the professional skills to perform the tasks listed in Article 39 GDPR. Our course and the final exam can demonstrate that the appointed DPO has sufficient knowledge to perform the tasks.

    Here you can find more information on the role of DPO:

    To have a deeper idea of the list of requirements of GDPR and the role of DPO you can consider enrolling in our free online courses:

  • Management reviews (Option A)

    Morning Tracy, thank you very much.

  • Risk assessment

    General steps for risk assessment and treatment are:

    • Risk identification (i.e., identification of the elements that compose the risk, and of already implemented controls)
    • Risk analysis (i.e., the definition of the risk value, considering any already implemented controls)
    • Risk evaluation (i.e., comparing the risk value to the risk acceptance criteria to decide if additional treatment is required)
    • Risk treatment (i.e., defining which treatment is to be applied, and its effect on the risk)

    Here is an example considering a scenario where a power generator is no longer needed and possible power failures will be covered by UPS, using the asset-threat-vulnerability approach:

    • Risk identification: assets would be any power-dependent equipment (e.g., servers, desktops, routers, etc.), threat (power failure), vulnerability (lack of power generator), and implemented control (UPS)
    • Risk analysis: without any emergency power supply, your operations will run only as long as the charge of your UPSs lasts before the normal power supply is recovered, so the risk of operational disruption will increase with time (i.e., you have to consider how long your UPSs will last and how long it will take for the normal power supply to be reestablished in order to evaluate the risk).
    • Risk evaluation: considering your risk evaluation criteria, you can decide how to treat the risk (e.g., mitigate, transfer, accept, or avoid)
    • Risk treatment: for mitigation, you may decide to keep the power supply; for transfer, you can decide to operate in a facility physically maintained by a third party; or you can do nothing and absorb the impact if the risk occurs.
      Please note that this analysis is valid only for this scenario. For example, if the asset to be removed is a notebook, you must take other considerations into account, like the information stored in the notebook.

    To see what documents for performing risk assessment and treatment compliant with ISO 27001 look like, please access the demo templates at this link: https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/

    These materials will provide you with a further explanation about risk assessment and treatment:
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    These materials will also help you regarding risk assessment and treatment:
    - Diagram of ISO 27001:2013 Risk Assessment and Treatment process https://info.advisera.com/27001academy/free-download/diagram-of-iso-270012013-risk-assessment-and-treatment-process
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

  • Risk assessment

    When you assess the impact and the likelihood of an asset-threat-vulnerability set for which you have already implemented controls, you have to take into account the existing controls (because they decrease the probability of your risk). In such cases, you need to include in your assessment the information about the "existing controls" (e.g., you can use a plain description of the control, without referring to ISO 27001 or ISO 27002).

    For further information, see:
    - Why is residual risk so important? https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

  • Setting up a Microbiology Lab and getting cannabis GMP certification

    You asked

    "Is it possible to get GMP certification on cannabis testing within a laboratory without having GMP certification in the Microbiology dept."

    GMP is Good Manufacturing Practice and relates to the production and control of products (and facilities) through quality standards. Typically in larger companies, the company / production facility will be GMP certified, not the quality control / testing laboratory. This does, of course, depend on the company structure (the company and laboratory may be the same entity). As the company must maintain reliable testing laboratories, this means all quality aspects, including the quality control microbiology laboratory, must be GMP compliant. The laboratory functions as an in-house testing facility, so it must comply with the requirements of GMP as they relate to what it does.

    You also asked

    "If not, then if the laboratory is ISO 17025 accredited, then presumably we will have to get GMP accreditation first for the Microlab and then for cannabis testing, or can we combine the two?"

    Regulations vary greatly with cannabis products – some countries / states require testing laboratories to be ISO 17025 accredited. GMP is more commonly a compliance requirement. Yes, you can certainly combine the GMP and ISO 17025 implementation. I would suggest you start by developing an ISO 17025 implementation / GMP compliance plan and incorporate accreditation for the laboratories as part of that plan. Identify and address all the laboratory requirements, and expand the documentation and requirements to meet GMP as well.

    It will depend on your customer and regulatory needs whether you apply for ISO 17025 accreditation or GMP certification first. Have a look at the following articles for a further overview of ISO 17025. The Toolkit may be a suitable start.

  • Relationship between ISO 22301 And ISO 9001

    The two standards have a common structure. Many clauses have the same number and name; what is different is the scope. In a certain way, and I'm not an expert in ISO 22301, ISO 22301 handles in detail a particular risk that can be determined while preparing a quality management system according to ISO 9001:2015. If your organization has already implemented an ISO 22301, at least you already know what most of the topics are about; as I wrote before, the difference is in the scope and detail for normal operation.

    The following material will provide you more information:

  • Environmental aspect and impact procedure

    Please check this article - List of mandatory documents required by ISO 14001:2015 - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/list-of-mandatory-documents-required-by-iso-140012015/

    As you can see, a procedure for identification and evaluation of environmental aspects is not mandatory. I think it can be useful, particularly when organizations have complex evaluation schemes, when people change with some frequency, or when you want the exercise done by several people without necessarily the presence of a central Environmental Manager.

    Please check this information below with more detailed answers:

  • ISO 20000 benefits in building companies

    Most probably you are supporting your business with IT services, like:

    • Supporting daily activities in your offices (desktop, network infrastructure, WLAN/LAN access, printing, file storage, email, etc.)
    • You have other services in your company which use IT services (e.g., finance – ERP, sales – CRM, HR, marketing – web presence, digital marketing, etc.)
    • If you have a project office where they deal with CAD tools – they also need your support
    • On-site (on the construction site) – IT services are also used
    • Mobility of the workforce
    • Etc.

    These are examples of how IT services support the business, so there are many benefits where efficient IT Service Management (ISO 20000 will help you achieve that) can support the business.

    More about the benefits in the article "5 key benefits of ISO 20000 implementation" https://advisera.com/20000academy/blog/2016/02/09/5-key-benefits-of-iso-20000-implementation/

  • Question about documents

    1 - Are documents covered by the document control policy only security-related (e.g., regulation), or is it any company document?

    I’m assuming you are referring to the Procedure for Document and Record Control.

    Considering that, you can choose which documents will be covered by this procedure (e.g., only security-related or any company document). You only need to ensure that documents related to the ISMS scope are managed according to clause 7.5 of ISO 27001.

    2 - Is there a clear definition of external documents? The concept seems nebulous. Maybe a sample policy we can look at with some examples of what other organizations do may help.

    For ISO 27001, you can consider external documents any documents owned or controlled by other organizations that you need for your ISMS operation.

    Regarding examples from other organizations, such information is protected by confidentiality agreements and cannot be presented, but general examples of external documents to be controlled are laws (e.g., SOX and EU GDPR), standards and regulations (e.g., ISO 27001 itself), and documents and records from customers, suppliers, and partners (e.g., contracts, service agreements, product/service specifications, operation manuals, emails, etc.).

    3 - For example, an email is an external document, so would someone be tasked to archive them somewhere in this policy?

    This is an acceptable solution, but a simpler one would be that someone simply tags emails that need to be controlled, so that they can be easily found if needed. Such a procedure for handling external documents can be defined in section 4 of the Procedure for Document and Record Control (Documents of external origin).

    This material will also help you regarding control of documents:

    • Free video tutorial that you received as part of your toolkit: How to Write ISO 27001/ISO 22301 Document Control Procedure

    This article will provide you a further explanation about document management:

    This material can also provide support:

  • New version of ISO 27001 standard

    1 - I just want to confirm: until the standard goes through the next version, is there nothing I need to do on an annual basis to maintain my certification?

    Answer: To keep your ISMS certification, you need to maintain the ISMS and undergo surveillance audits at the scheduled times, or your certification will be suspended; in case of prolonged delay (that will be less than two years), the certification will be canceled, and you will need to undergo the whole certification process again.

    For further information, see this material:
    - Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/
    - ISO 27001/ISO 22301: The certification process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/
    - How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/ 
    - ISO 27001 Certification: What’s next after receiving the audit report? https://advisera.com/27001academy/blog/2015/05/18/iso-27001-certification-whats-next-after-receiving-the-audit-report/

    2 - Are there any annual certification fees? I just want to get my expectations in place.

    Answer: Costs related to surveillance audits need to be asked about directly with your certification body. Normally, contracts with certification bodies are set up considering a full certification cycle (i.e., certification audit and surveillance audits), so this information about costs may be included in the contract clauses (the recertification cost is similar to the certification cost).

    Additional costs you need to pay attention to are related to the auditor's travel costs (if he or she is from out of town), as the client will be responsible for his or her lodging, and the auditor's fee related to his or her experience in the client's industry, because their feedback is considered more valuable.
