
  • IS Manager role

    First is important to note that ISO 27001 does not require a company to nominate a person to manage information security (for small companies a specific role would be overkill), so this role can be performed by an existing role.

    Examples of what this person could do (divided by ISO 27001 sections) are:

    Compliance:

    • Develop the list of interested parties related to information security
    • Develop the list of requirements from interested parties

    Documentation:

    • Propose the draft of main information security documents
    • Be responsible for reviewing and updating the main documents

    Risk management:

    • Teach employees how to perform a risk assessment
    • Coordinate the whole process of risk assessment

    These articles will provide you further explanation about the IS manager role:

    These materials will also help you regarding IS manager role:

  • IATF 16949 Tool tryout

    Tool tryout is one of the process stages for manufacturing process approval. This stage is part of the IATF requirement 8.3, namely 8.3.3.2 Manufacturing process design inputs and 8.3.5.2 Manufacturing process design output.

    It typically consists of a sequence of sample production runs with the objective of making corrections to the tool and bringing the part into line with the drawing specification. If the customer determines a method to perform the tryout, for example run@rate or batch production, it must be followed.

  • Adapting QMS from Parent Company to Subsidiary

    There is not really a detailed procedure to migrate a parent company QMS to a subsidiary. In general, the steps you need to take would be:

    1. Identify the existing processes that are relevant to your QMS and transfer them over.

    2. Perform a gap analysis to see what else is missing from your QMS that is required by AS9100.

    3. Put in place the missing elements of the QMS.

    4. Ensure everyone is trained in the changes or additions to the QMS so that they know what they need to do.

    To help make sure you are not missing anything after the transfer, see this helpful listing of the mandatory documents: AS9100 Rev D List of Mandatory Documents, https://info.advisera.com/9100academy/free-download/as9100-rev-d-list-of-mandatory-documents

    You can also see our book on implementing AS9100: Applying AS9100 Rev D, https://advisera.com/books/applying-as9100-rev-d/

  • Safety

    Please check ISO 14001:2015 clause 0.5 where you can read “This Standard does not contain requirements specific to other management systems, such as those relating to quality, health and safety at work, energy or financial management”.

    Your question made me remember my ISO 14001:1996 Lead Auditor training. The trainer said something like: “people may be dying inside the organization; as long as there is no impact on the environment, it is outside the scope of ISO 14001.” If you open a very small door, sooner or later you will be having a safety audit in the middle of what is supposed to be only an environmental management system audit. Perhaps this article could be useful - ISO 45001 vs. ISO 14001: Differences and similarities - https://advisera.com/45001academy/blog/2019/02/20/iso-45001-vs-iso-14001-differences-and-similarities/

  • ISO 14001 / Management Review

    You can merge those registers in order to save time and documentation and afterwards, quantitatively analyze those risks to find out which are significant and address them.

    Regarding the risks, you need to consider not only the environmental aspects in your EMS but also your environmental legal requirements, feedback from your interested parties such as customers or employees, and benchmarking of your processes against other similar organizations.

    I recommend that you create a Process Aspect Chart where you can register and evaluate environmental aspects and risks associated with each process following your selected criteria (e.g. probability, reach of impact). For the opportunities you can use another register. Here you can find an example - Process Aspect Chart: https://advisera.com/14001academy/documentation/process-aspects-chart/

    These materials can help you to learn more about risks and environmental aspects:

    - Article - ISO 14001 risks and opportunities vs environmental aspects: https://advisera.com/14001academy/blog/2016/06/06/iso-14001-risks-and-opportunities-vs-environmental-aspects/

    - Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/

    - Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/

  • Document Control Procedure content

    1. Is this something that is needed for ISO?

    For ISO management systems, like ISO 27001, the management of external documents is mandatory.

    2. How do I know which external documents are necessary for ISMS compliance?

    External documents are any documents not owned or controlled by an organization that are required for its operation, either mandatory or voluntarily adopted. Examples of external documents to be controlled are laws (e.g., SOX and EU GDPR), standards and regulations (e.g., ISO 27001 itself), and documents and records from customers, suppliers, and partners (e.g., contracts, service agreements, product/service specifications, operation manuals, etc.).

    This material will also help you regarding control of documents:

    • Free video tutorial that you received as part of your toolkit: How to Write ISO 27001/ISO 22301 Document Control Procedure

    3. Also is there an incoming mail register document as part of the templates?

    An incoming mail register is not a mandatory document; you can simply have a table where you register who received some important external document, or where such a document is stored.

    This material will also help you regarding document management:

    Please note that you can find helpful information about these and other potential doubts in the comments included in the template.

  • Security awareness training

    Yes, you do not need to document each and every control - in such cases, you will use awareness sessions and training to explain to your employees how particular security activities need to be done.

    In the SoA you cannot simply refer to the Training Plan - you need to explain in a sentence or two how the control is implemented - e.g. "The data recorded on media must be encrypted."

    Please note that some controls, when identified as applicable, require documentation (e.g., control A.9.1.1 - Access Control Policy).

  • Consequence and Likelihood after Risk Treatment

    Not all controls affect the consequence and likelihood at the same time. The controls you mentioned work only to prevent unauthorized physical access. Once access is gained, they cannot provide any means to avoid damage to assets. Examples of controls you can consider to reduce the impact on information assets are backup and redundancy.

    This article will provide you a further explanation about controls selection:

    These materials will also help you regarding controls selection:

  • Internal audit after certification

    ISO 27001 requires an internal audit to be performed considering all mandatory requirements from sections 4 to 10 and all controls identified as applicable in the Statement of Applicability. Considering that, you have to audit section 5.1, regardless of whether the external auditors will audit this clause.

    This article will provide you a further explanation about surveillance audit:

    These materials will also help you regarding internal audit:

  • Power of Attorney

    Transfer of data outside the EU on behalf of the controller is made through a data transfer agreement and not through a general Power of Attorney. This is because the data controller must set instructions for the data transfer that the data processor must comply with. In fact, the data controller will be liable for any infringement of GDPR rules and even for choosing the wrong data processor. Consider that the EU Commission adopted Standard Contractual Clauses to implement contracts concerning data transfers.

    If you are referring to the Power of Attorney in connection with a legal claim (i.e. transferring data outside the EU for a legal claim), consider that establishing, exercising or defending legal claims is an exemption to GDPR rules. The Power of Attorney, in this case, can allow the data controller or data processor to transfer data outside the EU (of course only data which are necessary for the legal claim).

    Here you can find more information about this topic:

    - EU GDPR controller vs. processor – What are the differences? https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/

    - 3 steps for data transfers according to GDPR: https://advisera.com/articles/3-steps-for-data-transfers-according-to-gdpr/

    - Standard Contractual Clauses - Free download: https://info.advisera.com/eugdpracademy/free-download/standard-contractual-clauses-annexes

    - Free webinar – How to make personal data transfers to other countries compliant with GDPR: https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/
