Search results

Home / Search

Category:
Select
Select

11275 results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Queries ISO 27001

    Hello, I did a translation of a documentation that I found from English to Spanish and there are things that I do not understand what they refer to, for example:

    Information security risk assessment does not require...

    What would not be required in this case, define risk acceptance criteria, define sanctions for non-compliance in information security, identification of security risks or identification of risk owners?

    Taking into account ISO 27001, the following is required for risk assessment:

    • Define a risk assessment process (risk identification, risk analysis, and risk evaluation)
    • Define risk acceptance criteria
    • Define criteria for performing risk assessment
    • Identify risk owners
    • Retain documented information about the risk assessment process

    Considering that, from your examples, defining sanctions for non-compliance in information security is not required.

    For further information, see:

  • Query on ISO 27001:2022 SOA

    ISO 27001 does not prescribe that information about how a control is implemented needs to be included in the SoA (the four items you listed are the only ones mandatory to be included in the SoA).

    However, we highly recommend including in SoA this information, because since SoA is a document that summarizes security practices adopted by an organization, this additional information makes the SoA a more useful document.

  • Improvement Log

    Please note that ISO 27001 does not prescribe any specific document for logging improvements, but typically the improvements will be documented through Corrective actions.

    To see what fields to consider, please take a look at this template of a corrective form: https://advisera.com/27001academy/documentation/corrective-action-form/

    This article will provide you with further explanation about continual improvement:

  • Change Management and QMS

    Regarding your question about where change management procedures are captured in a QMS, if you are talking about changes for production or service provision please check clause 8.5.6. However, if you are talking about changes to the quality management system please check clause 6.3.

  • Should we have risk management procedure including FMEA for all product lifecycle?

    You can make a Risk analysis for your part of the life cycle (sales and storage??) but then claimed that other parts of the risk analysis are within a particular outsourced company. To allow your awareness of this, you need to have an exact number of documents and revisions of the risk analysis from your outsourced companies, and during your audits of the outsourced companies you need to audit their risk analysis as well. 

    All of this is of course part of the Quality agreement. Just have in mind that no meter that you outsource everything, you are responsible for the product because it is under your name. So, you need to have control over all processes. 

  • Second party audits for an ISO Certified company

    The ISO 9001:2015  standard does not have a clear expectation in this regard, you need to look at the customer-specific requirement. However, the IATF 16949 standard clearly stated its wishes for 2nd party auditors in article 7.2.4.
    In my opinion, first refer to the customer-specific requirements, then you can refer to article 7.2.4 of the IATF 16949:2016 standard if you want.
    Also, VDA 6.3 requirement is available for VW and Mercedes customer-specific requirements. 

     

  • Adapting GDPR material to South African context

    A lot of the documentation that is present in our EU GDPR Documentation Toolkits can be reused or adapted for POPIA compliance. Namely, all the documents related to Preparations for the Project, Personal Data Policy Framework, Privacy Notices, Mapping of Processing Activities, Managing Data Subject Rights, Security of Personal Data, and Personal Data Breaches can be used for POPIA compliance with minor adjustments. Regarding the other documents present in our Documentation Toolkit, they need some more customization related to specific POPIA articles. 

    Please consult these resources as well:

  • ISO Standard for KYC

    I’m assuming that by KYC you mean “Know Your Customer”, a set of processes that allow banks and other financial institutions to confirm the identity of the organizations and individuals they do business with, and ensure those entities are acting legally.

    From that perspective, we do not see a need for financial institutions to use ISO 27001 (nor any other standard from the ISO27k series) for the KYC process.

    For further information, see:

    • What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/

    • Gap analysis

      En primer lugar, es importante tener en cuenta que el kit de herramientas proporciona todos los pasos y documentos para la implementación, y la mejor manera para usted es seguir la lógica del kit de herramientas.

      Teniendo en cuenta eso, puede usar los resultados del análisis de brechas para decidir qué controles priorizar (una vez que comience a trabajar en la carpeta Plan de implementación), pero el análisis de brechas, en general, no es necesario para las organizaciones pequeñas, porque el esfuerzo para realizarlo no aporta una ventaja significativa al proceso de implementación (es mejor realizar la evaluación de riesgos durante la implementación).

      Tenga en cuenta que se utiliza un análisis de brechas para evaluar su situación actual con respecto a los requisitos de ISO 27001, por lo que puede usarlo ahora mismo. En este momento, el análisis de brechas le dará una idea del esfuerzo para implementar el estándar.

      Para obtener más información, consulte:
Page 29-vs-13485 of 1128 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +