Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11277 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Is customer consent needed?
thanks a lot for your replay. that was helpful. Kind Regards, Elina
-
EU GDPR form and permission
The personal data you are going to collect is considered as sensitive data and are ruled by Article 9 GDPR because they refer to individuals’ health. You need to ask the consent of the interviewed person for collecting and showing results to the moderator.
Pseudonymization can be a good solution to protect the identity avoiding to show their name and calling them as “case 1” and “case 2”. Moderators can have access to full documentation upon request. You must specify that in the privacy notice you are going to submit to your individuals before interviewing them. You can also establish a data retention period and inform the interviewed individuals about how long the project will last and you are going to keep their data.
Here you can find some articles about privacy policy and consent:
- Everything you need to know about the GDPR Privacy Notice: https://advisera.com/articles/gdpr-privacy-notice-6-key-elements-to-include/
- Is consent needed? Six legal bases to process data according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/
EU GDPR document template Privacy Notice: https://advisera.com/eugdpracademy/documentation/privacy-notice/
You may also consider enrolling in this online EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
-
Clarification of terms used in ISO
ISO 19011, the most used ISO audit standard uses the term "recommendation" to refer to results that are not a non-conformity but the organization must take a look at to see if they can lead or not to an opportunity for improvement.
This article will provide you a further explanation about the opportunity for improvement:
- Achieving continual improvement through the use of maturity models https://advisera.com/27001academy/blog/2015/04/13/achieving-continual-improvement-through-the-use-of-maturity-models/
These materials will also help you regarding audits:
- Preparing for ISO Certification Audit: A Plain English Guide https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- Free online training ISO 27001:2013 Internal Auditor Course
-
Gap analysis
1. I have a question to ask. Do we do the gap analysis first or IT risk framework?
I'm assuming your questions are about ISO 22301 implementation and the management of IT-related risks.
Considering that, first is important to note that ISO 22031 does not require a gap analysis to be performed, while the risk assessment is mandatory. Second, gap analysis is not recommended for smaller companies, because in general, it is not worth the effort due to their size and complexity. So, for smaller companies, it is better to perform only the IT risk framework, because will give you more specifics about handling risks in your IT environment.
For bigger companies, the gap analysis will provide you a quick and comprehensive view of how much of the standard you already have implemented, and the results of gap analysis can be used as input for the IT risk framework.
2. Which is easier to do? Looking forward to your feedback.
Because gap analysis requires an overview of the situation, and the IT Risk Framework involves a deeper knowledge of risk management steps, the gap analysis would be easier to perform for a beginner.
This article will provide you a further explanation about the gap analysis and risk assessment (although the article is about ISO 27001 the concepts also apply to ISO 22301):
- ISO 27001 gap analysis vs. risk assessment https://advisera.com/27001academy/knowledgebase/iso-27001-gap-analysis-vs-risk-assessment/
-
Surveillance audit
The approach for the surveillance audit is basically the same for a certification audit, the difference being in the fact that in the surveillance not all ISMS scope is audited. Considering that, for the surveillance audit you should check:
- the documents required by the ISO 27001 standard and any document that exists in the ISMS
- the records used to evidence compliance with the documents (policies, procedures, etc.)
- the status of raised internal and external nonconformities, so they are closed, or on schedule before the surveillance audit starts
These articles will provide you a further explanation about preparing for an audit:
- Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/
- Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/
These materials will also help you regarding preparing for an audit:
- Preparing for ISO Certification Audit: A Plain English Guide https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- Free online training ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
-
ISO 9001 and calibration
As far as I understand your situation and questions:
- Your company was certified according to ISO 9001:2015.
- Can your company internally calibrate a monitoring resource, use it to make measurements, and send the report of that measurements for the customer? Or should your company need a calibration lab?
Your company can calibrate monitoring resources internally and use those monitoring resources to make measurements and issue reports for customers. However, to perform that calibration your company must use measurement standards. Those measurement standards must be calibrated against measurement standards traceable to international or national measurement standards. Normally, that traceability requirement makes mandatory to calibrate measurements standards at a calibration lab.
You can find more information about calibration below:
- Monitoring and Measurement Equipment Control - https://advisera.com/9001academy/blog/2014/05/06/monitoring-measurement-equipment-control/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
-
NIST framework
I'd suggest you t take a look at ISO 27004 (https://www.iso.org/standard/64120.html), a supporting standard that provides guidelines to help organizations in evaluating the performance and the effectiveness of an ISMS.
These articles will provide you a further explanation about performance evaluation:
- Key performance indicators for an ISO 27001 ISMS https://advisera.com/27001academy/blog/2016/02/01/key-performance-indicators-for-an-iso-27001-isms/
- ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
-
Procedure for determining context of the organization
Yes, the procedure for determining the context of the organization is not mandatory. Please, check this article - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
The following material will provide you information about the context of a quality management system:
- How to identify the context of the organization in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
- Free webinar - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
-
Processes in Risk assessment vs. business impact analysis article
We do not know your local regulations, but for example, as a customer, it would be unacceptable not being able to perform payments for more than 12 hours (and most probably there may be some sort of law or regulation for the banking industry defining fines for such a failure).
-
General Information Security Policy
Previously, with ISO 27001: 2005, I used the general information security policy and right there I defined the scope and assembled it in a policy manual, separating the security policy, today I see that it is necessary to do an ISMS scope, which I have no doubt if it should be three documents, General Information Security Policy, Policy Manual (A whole set) and the scope of the ISMS separately.
ISO 27001 (even the previous 2005 version) does not prescribe how to document the Information Security Policy, the ISMS scope, and other developed policies, so organizations are free to document them in a single or separate document as best fit their needs.
Regarding policies, our recommendation is that these are documented as separate documents, because the information security policy is a high-level policy, while other policies are more specific, and developing them as a single document would only create a document too big and too complex to read and manage.
These articles will provide you a further explanation about developing policies:
- Is the ISO 27001 Manual really necessary? https://advisera.com/27001academy/blog/2014/02/03/is-the-iso-27001-manual-really-necessary/
- One Information Security Policy, or several policies? https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/
- Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/
These materials will also help you regarding developing policies:
- Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
- ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/