
  • Documentation versioning

    ISO 27001 does not prescribe version control of documents, only that changes must be controlled (as applicable).

    Considering that, version control is one way to fulfill these requirements, but if you can fulfill this control of changes by other means (e.g. track change feature), you do not need to implement version control.

    This material will also help you regarding document management:

  • SoA justification for selection (of control)

    First, it is important to note that before you elaborate the SoA you need to perform the risk assessment and risk treatment steps, because these are required by the standard.

    The second point to note is that, broadly speaking, justifications for applying or not applying a control are based on:

    • results of risk assessment
    • legal requirements (e.g., laws, contract, or regulations)
    • top management decision

    Considering that, if you do not have relevant risks or legal requirements to justify applying a control, you can state that the control is considered relevant and is to be applied by decision of top management, as a good practice.

    These articles will provide you with further explanation about risk management and the SoA:

  • ISO 27001 PCI DSS mapping

    We're not experts in PCI DSS, but this article from ISACA can provide you a comparison between ISO 27001 and PCI DSS: https://www.isaca.org/resources/isaca-journal/issues/2016/volume-1/comparison-of-pci-dss-and-isoiec-27001-standards

    These articles will provide you with further explanation about ISO 27001 and PCI DSS:

  • How to become GDPR compliant?

    There are plenty of solutions on the market that allow you to build email marketing, pop-up, and online booking services. You should discuss it with your web designer. You need to remember to describe the process in your privacy notice, ask for consent from the client in order to send newsletters, and publish terms and conditions on your website.

    The GDPR allows the data controller to establish the right place where to store data: his internal servers, in the cloud, purchasing hosting space, and so on. You need to verify your service provider's compliance.

    You can find more information in the following articles:

    You can also consider enrolling in this free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

  • GDPR compliance

    Personal information under the GDPR includes addresses, so if you want to show your work on your website you can ask the client for consent by inserting a clause in the agreement. Otherwise, you can insert the town where the work has been carried out without any personal information about the client. In this case, the project will be anonymous and it will no longer fall under the GDPR, because Paragraph 26 of the Preamble states: “The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not, therefore, concern the processing of such anonymous information, including for statistical or research purposes.”

    You can also consider enrolling in this free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

  • IATF 16949 Certification

    I work in a company certified for ISO 9001. Now we also want to get automotive customers, so it is necessary to be certified for IATF. My question is: is it possible to get IATF if we do not have any automotive customers?

    For companies that do not yet have automotive customers but want to receive an IATF 16949:2016 certificate, IATF Rules revision 5 offers the option of obtaining a letter of conformance.

    According to IATF Rules revision 5, the purpose of the letter of conformance is to confirm that processes exist that satisfy the requirements of IATF 16949 and these "Rules", where the client is not able to achieve IATF 16949 certification because of:

    - a new site without twelve (12) months of internal or external performance data for the automotive production and/or service parts in the scope of certification;
    - an existing site that can demonstrate it is on an active bid list for a customer requiring IATF 16949 certification or compliance.

    Also, how can we prove all the requirements specific to automotive if we do not have them?

    In any case, you should comply with all articles of the IATF 16949:2016 standard. However, if you are not designing products, your scope will exclude the product design input and product design output items. Also, if you have no automotive customer-specific requirements, you can determine the main issues and get approval from your customer. Briefly, the main issues include PPAP, core tools, process capability requirements, special characteristics definition, record-keeping conditions, etc.

    Here you will find all the templates for automotive QMS implementation:

  • IATF 16949 Documentation Toolkit https://advisera.com/16949academy/iatf-16949-2016-documentation-toolkit/

  • Compliance with requirements

    To demonstrate top management's responsibility, you should present the following evidence in order to comply with the requirements of the standard:

    - Demonstrate leadership and commitment with respect to customer focus: top management must know the needs and expectations of the customer, the legal and regulatory requirements, and the risks and opportunities that can affect the conformity of the organization's products and services. Examples: meeting minutes that record who was present, what was discussed and which topics were covered.

    - Establish, implement and maintain a quality policy: top management must establish a policy consistent with the mission, vision and values, one that integrates the relevant processes of the organization, the organization's strategy and its quality objectives. Examples: actively participating in setting the quality policy and quality objectives.

    - Assign responsibilities and authorities to the relevant roles within the organization: top management must assign responsibilities for the different processes and projects and evaluate the competence of those roles. Examples: having documents and records that demonstrate that roles, responsibilities and authorities are defined.

    - Ensure that the QMS is appropriate to the context of the organization and consistent with the organization's strategic direction. Examples: actively participating in the review of the context of the organization's QMS, demonstrated through meeting minutes in which a SWOT analysis is carried out; keeping a list of actions to address risks and opportunities.

    For more information on how to demonstrate that top management complies with the requirements of ISO 9001:2015, see the following materials:

    - ISO 9001 top management audit: how to perform it successfully: https://advisera.com/9001academy/blog/2019/05/15/iso-9001-top-management-audit-how-to-perform-it-successfully/

    - Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

    - Free online course - ISO 9001:2015 Foundations Course: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/

  • Denial of Service Attack

    The main assets you must consider as affected by a Denial of Service Attack are the information you need to access through the systems under attack (not necessarily documents). 

    For example:

    - if the attacked system is an e-commerce website, then, among other information, the information it provides about products on sale is affected (customers won't know what to buy)
    - if the attacked system is an internal financial system, the information about invoices is affected (you cannot charge customers or pay suppliers)
    - if the attacked system is your file server, then, in this case, your documents are affected

    This article will provide you with further explanation about DDoS:
    - Can ISO 27001 help your organization in a DDoS attack? https://advisera.com/27001academy/blog/2017/12/04/can-iso-27001-help-your-organization-in-a-ddos-attack/

  • Retention time of documents

    As long as there are no legal requirements, and as long as there are no customer requirements, for example on contracts, organizations are free to determine the retention time for their records.

    Normally, in these cases, I advise keeping records for 3 or 4 years, to assure that records generated during a certification cycle will be available.

    The following material will provide you information about retaining records:

  • Questions to ask during ISO 14001 audit

    About auditing HR, you can focus your attention on the competence requirements for employees:

    • Are competence requirements defined?
    • Are competence gaps determined?
    • Are actions to close those gaps defined?
    • Are those actions implemented?
    • Is the effectiveness of those actions evaluated?

    About the other departments, use the list of environmental aspects as the basis for developing your checklist:

    • What significant environmental aspects were determined for each department?
    • What kind of actions were defined to control operations, or to improve prevention and response to emergency situations?
    • What kind of monitoring is being followed?
    • Any nonconformities? How were they treated?

    You can find more information below:
