
  • Question about documents

    1 - Are documents covered by the document control policy only security-related E.g. regulation, or is it any company document?

    I’m assuming you are referring to the Procedure for Document and Record Control.

    Considering that, you can choose which documents will be covered by this procedure (e.g., only security-related or any company document). You only need to ensure that documents related to the ISMS scope are managed according to clause 7.5 of ISO 27001.

    2 - Is there a clear definition of external documents? The concept seems nebulous. Maybe a sample policy we can look at with some examples of what other organizations do may help.

    For ISO 27001, you can consider external documents any documents owned or controlled by other organizations that you need for your ISMS operation.

    Regarding examples from other organizations, such information is protected by confidentiality agreements and cannot be presented, but general examples of external documents to be controlled are Laws (e.g., SOX and EU GDPR), standards and regulations (e.g., the ISO 27001 itself), and documents and records from customers, suppliers, and partners (e.g., contracts, service agreements, product/service specification, operation manuals, emails, etc.).

    3 - For example, an email is an external document, so would someone be tasked to archive them somewhere in this policy?

    This is an acceptable solution, but a simpler one would be that someone simply tags emails that need to be controlled, so that they can be easily found if needed. Such a procedure for handling external documents can be defined in section 4 of the Procedure for Document and Record Control (Documents of external origin).

    This material will also help you regarding control of documents:

    • Free video tutorial that you received as part of your toolkit: How to Write ISO 27001/ISO 22301 Document Control Procedure

    This article will provide you a further explanation about document management:

    This material can also provide support:

  • New version of ISO 27001 standard

    1 - I just want to confirm until the standard goes through the next version there is nothing I need to do on annual basis to maintain my certification? 

    Answer: To keep your ISMS certification, you need to maintain the ISMS and undergo surveillance audits at scheduled times, or your certification will be suspended, and in case of prolonged delay (that will be less than two years), the certification will be canceled, and you will need to undergo all the certification process again.

    For further information, see this material:
    - Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/
    - ISO 27001/ISO 22301: The certification process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/
    - How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/ 
    - ISO 27001 Certification: What’s next after receiving the audit report? https://advisera.com/27001academy/blog/2015/05/18/iso-27001-certification-whats-next-after-receiving-the-audit-report/

    2 - Are there any annual certification fees? I just want to get my expectations in place.

    Answer: Costs related to surveillance audits need to be asked about directly with your certification body. Normally, contracts with certification bodies are set considering a full certification cycle (i.e., certification audit and surveillance audits), so this information about costs may be included in the contract clauses (the recertification cost is similar to the certification cost).

    Additional costs you need to pay attention to are related to the auditor’s travel costs (if he or she is from out of town), as the client will be responsible for his or her lodging, and the auditor’s fee related to his or her experience in the client's industry, because their feedback is considered more valuable.

  • Is ISO 27002 part of ISO 27001?

    ISO 27002 is an independent document from ISO 27001. It provides detailed guidance and recommendations for the implementation of controls from ISO 27001 Annex A, but it can be bought and used independently from ISO 27001.

    These articles will provide you a further explanation about ISO 27002:

    This material will also help you regarding ISO 27002:

  • Fiber optic cable risk

    Considering the asset-threat-vulnerability approach for risk assessment, some risks can be raised by the combination of the following threats and vulnerabilities:

    Threats:

    • breakdown of communication links
    • damage caused by third-party activities
    • deterioration of media
    • fire
    • information interception
    • unauthorized physical access
    • vandalism

    Vulnerabilities:

    • cable placing
    • inadequate maintenance
    • inadequate supervision of the work of employees
    • location sensitive to natural disasters
    • unauthorized access to facilities allowed

    For example, damage caused by third-party activities due to cable placing, or unauthorized physical access due to unauthorized access to facilities being allowed.

    These articles will provide you a further explanation about risk assessment:

    This material will also help you regarding risk assessment:

  • Help on knowledge management implementation

    Perhaps organizational knowledge in ISO 9001 (clause 7.1.6) can be useful for your purpose. Please consider this image:

    https://www.screencast.com/t/XS7rxCzRoa

    The first and second paragraphs of clause 7.1.6 are about quadrants 1 and 2.

    Quadrant 1 is about what we know that we know – that is, what is written in procedures, work instructions, tables, and specifications. Normally, it is listed or codified in job descriptions, and when someone starts in a new position, Human Resources plans an integration program for that knowledge transfer.

    Quadrant 2 is about what we don’t know that we know – that is, work experience that is not codified, you know, unwritten rules. Normally, it is transferred through coaching with more experienced job partners.

    What I recommend is to look at each process, list the functions that participate, and determine what kind of knowledge someone with that function needs to be autonomous and make good decisions, aligned with the quality policy and objectives.

    The third and fourth paragraphs of clause 7.1.6 are about quadrants 3 and 4.

    Quadrant 3 is about what we know that we don’t know – that is, information that, when an organization realizes it is missing, can be obtained through training, books, seminars, consultants, suppliers, or technical magazines. For example, this question fits in this quadrant.

    Quadrant 4 is about what we don’t know that we don’t know – I call it the radar. How does the organization keep a radar working on relevant information that can change the future of the business? Normally, organizations keep track of anything new through books, magazines, blogs, conferences, networking, suppliers, …

    The following material will provide you more information about organizational knowledge:

  • Is it necessary for calibration lab to carry out interlab comparisons or join a PT scheme?

    On the one hand, that approach is the best you can do, and it is, anyway, all about assurance – that the result is valid. On the other hand, there are additional specific criteria that calibration laboratories have to meet, established by the accreditation body. The reason, understandably, is that the calibration laboratory is issuing a certificate where the risk is that any errors will be transferred to the testing laboratories. I suggest you discuss this with your accreditation body, as it may be suitable and appropriate to seek accreditation as a testing laboratory where the lab effectively does quality control and verifies the performance of the produced equipment.

  • Clauses 8 & 10

    I think it will be easier when you start mapping processes and drawing flowcharts about what happens in your organization around patients.

    Some weeks ago, I went to the doctor to have my eyes examined. I, as a patient, followed a process like this:

    https://www.screencast.com/users/ccruz5284/folders/Default/media/b7844ece-409f-488e-9cec-8b7e58ba9678

    Your organization draws a flowchart representing a process and can ask: What can go wrong? What needs to be improved? With this, you apply the risk-based approach and can determine weak points that need to be handled. Please check the slide “Risks and processes” in the free webinar on demand – The Process Approach: What it is, why it is important, and how to do it – https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/. This is the way your organization determines the need for process or service control, the need for work instructions, and the need for changes.

    Now, let us see section 8:

    https://www.screencast.com/users/ccruz5284/folders/Default/media/c6747372-2be0-4818-bcb2-bffa494ac6eb

    8.1 – is a general clause

    8.2 – is about understanding what the needs and requirements of patients are and reaching an agreement on conditions to perform the service

    8.3 – is about developing a new service

    8.4 – is about purchasing products, services or processes – it may be cleaning services, administrative services, analysis services, or other doctors specialized in particular conditions. It may be buying chemicals or consumables for equipment or tests

    8.5.1 – is about having procedures, having specifications for the process, having qualifications for the job, having specifications for the service

    8.5.2 – is about identification of the patient, the doctor, and the lots of consumables used

    8.5.3 – is about patient property that may be lost or damaged while he/she is at the facilities

    8.5.4 – is about preservation of chemicals or consumables while stored

    8.5.5 – is about any guarantees or scheduled calls from organization to follow-up patient condition

    8.5.6 – is about changes that need to be made when a piece of equipment is malfunctioning or a consumable is missing and the usual procedure cannot be performed

    8.6 – is about quality control to ensure that what can go wrong is not wrong

    8.7 – is about dealing with nonconformities – when what can go wrong goes wrong – giving the wrong prescription, for example

    Section 10 is about developing corrective actions (clause 10.2) when a nonconformity occurs or when a relevant process indicator shows poor performance. For example, patients are waiting too long to be seen by a doctor. Clause 10.3 is about deciding to improve even when there are no nonconformities.

    You can find more information below:

  • External audit

    Without more information about the identified nonconformities (e.g., the clause(s) affected and what was observed), what we can tell you is that the templates available in the ISO 27001 documentation toolkit comply with the requirements of ISO 27001 and have been accepted by certification auditors worldwide.

    To see a demo of this toolkit, please access this link: https://advisera.com/27001academy/pt-br/kit-de-ferramentas-da-documentacao-da-iso-27001/

    This material can provide more information about using the documentation toolkit:
