Search results


  • Could your toolkit be applied to public second-floor bank?

    Yes, the EU GDPR Documentation Toolkit can also be applied to a bank. The EU GDPR Documentation Toolkit was designed to help any organization become GDPR-compliant by following a step-by-step approach, filling in the templates in each directory. The toolkit contains all the documents needed for GDPR compliance; what is really important is to follow the steps indicated in the project template document, to map all the personal data processing operations in the organization, identify all the risks related to personal data processing, perform DPIAs, and address all the risks with technical and organizational measures. We also have articles and courses that can help you better understand GDPR requirements.

    Please also visit these links:

  • ISO 27001 change process: 2013 to 2022

    Your positive energy and enthusiasm radiate through your writing. It's obvious that you are truly passionate about what you do.
  • Confidentiality Level & the ISO 27001 Standard

    1 - Should all documents have a confidentiality level?

    First, it is important to note that defining a confidentiality level for documents is necessary only if control A.5.12 Classification of information is identified as applicable in the Statement of Applicability.

    Considering that, only documents with information considered relevant to the Information Security Management System scope must have a confidentiality level.

    For example, in case financial information is not included in the ISMS scope, then documents with financial information do not need to have a confidentiality level.

    This article will provide you with a further explanation of information classification:

    2 - Also, in the standard's Annex A there is a table of 'A' numbers, for example A.12.1.3. How do I link these to the clauses in the standard, for example clause 9 Performance evaluation?

    Please note that there is no connection between individual clauses and particular controls.

    This is so because the purpose of the main part of the standard (clauses 4 to 10) is to manage security (e.g., risk management, internal audit, etc.), whereas the purpose of Annex A is to decrease risks with controls. 

    For further information, see:

  • MSA for multi measurement function equipment

    I would like to highlight for this topic: if the measurement equipment has been associated in control plan(s) and the CPs specify multiple measurement function units, you have to undertake an MSA study for each functional unit.

  • Trying to map additions

    1 - I have the new Advisera ISO 27001 2022 Toolkit. I am trying to map additions caused by the new version of the ISO 27001 2022 standard’s main part (clauses 4 to 10) from the Toolkit, e.g., 6.3 and 8.1 among others, but cannot seem to find them.

    Are the standard’s changes such in nature that they can be seen as already included in the old version of the document templates, or why can I not find them?

    Answer: Your first assumption is correct. Please note that changes in the main clauses of the standard are minor and require no changes in the templates like ISMS Scope, top-level Information Security Policy, Risk assessment methodology, etc.

    2 - Can ISO 27001 2013 certified company make all the changes required for the new ISO 27001 2022 version, and if compliant, certify against 2022 version in the middle of the 3 year validity period in one of the surveillance audits?

    Answer: Yes, you can make the transition to the 2022 revision during a surveillance audit, but latest by October 2025.

    For further information, see:
    - ISO 27001 2013 vs. 2022 revision – What has changed? https://advisera.com/27001academy/blog/2022/02/09/iso-27001-iso-27002/

    3 - It probably is required to have internal audit done against 2022 version before certification?

    Answer: Your assumption is correct. You will need to perform an internal audit against the 2022 version before certification.

  • Procedure for document and record control

    Please note that in the text you presented, the fields represent the way you record external documents used by the organization, considering physical and electronic forms (details about how to fill in the document can be found in its document wizard).

    For example, for physical media, you can use a register of external correspondence, and for electronic documents, you can use Customer Relationship Management software.

    In case you have a small number of external documents to manage, you can use Conformio to make such control.

  • Code of Conduct

    First, it is important to note that ISO 27001 does not require a Code of Conduct.

    Regarding information security, all necessary security rules to be compliant with ISO 27001 are already covered through Conformio documentation (the document that covers general security rules for all employees is IT Security Policy), and writing another document to cover security rules would only increase administrative effort. 

    In case you want to create a Code of Conduct to cover non-security topics, you should:

    • identify the practices and behaviors the organization expects from its employees, contractors, customers, and suppliers;
    • define how to approach these requirements considering the organizational culture and available resources.

    To help you with that you can assess legal requirements (e.g., laws, regulations, and contracts) the organization needs to fulfill, as well as map internal and external relationships you need to maintain.

    Examples of topics to be considered are:

    • Unacceptable behaviors and their consequences
    • Legal compliance
    • Employee rights
    • On-the-job training guidelines
    • Internal practices (e.g., dress code, inclement weather policy, etc.)
    • External practices (e.g., contact with authorities, etc.)

    This article will provide you with further explanation about developing documents (it is focused on the development of ISO 27001 documents, but you can apply these concepts for non-information security topics):

  • Implementation of ISO 17025

    You asked

    How do we merge the two systems in records and procedures, and do we have to point it out in the quality manual, or should every system (ISO 9001 and ISO 17025) be separate in its records and procedures?

    This will depend on your organisational structure and whether ISO 9001 applies to just the laboratory, or to other departments in the organisation. If the same person is responsible for both systems and you wish to integrate them, then just add the required documents and records you need for ISO 17025. I then recommend rewriting the Quality Manual to have one manual to cover both the ISO 17025 and 9001 systems. If there are different people responsible for each, then keep the manuals separate and in the ISO 17025 Quality Manual refer to the ISO 9001 manual for overlapping approaches such as handling complaints, procurement, and certain personnel requirements (e.g., recruitment). Have a look at a previous question and answer for more information at https://community.advisera.com/topic/design-development and https://community.advisera.com/topic/are-there-any-things-in-iso-9001-not-covered-by-iso-17025

    You also asked

    The second question: we want to participate in PT (Proficiency Testing) in the food analysis, cosmetics, detergents, paints, lubricant oils, textiles, leather, paper, and construction analysis fields. Could you recommend some PT service providers?

    This is a very broad scope. I suggest you speak to your selected accreditation body, or an accreditation body in your region. You can also search for accredited Proficiency Scheme providers on the accreditation body websites.
    You should also have a look at the Proficiency Testing (PT) scheme database, EPTIS, at https://www.eptis.org/about.htm. This should be helpful.

    You also asked

    Could I see a simplified way to write a plan to implement the international standard ISO 17025?

    Have a look at the Project Plan for ISO/IEC 17025 implementation as well as the very useful Project checklist for ISO 17025 implementation. They are available to download for free at https://info.advisera.com/17025academy/free-download/project-plan-for-iso-17025-implementation and https://info.advisera.com/17025academy/free-download/project-checklist-for-iso-17025-implementation.

    Lastly, you asked

    If a new employee occupies the quality manager position, should it be within his plan to make sure that the work in the laboratory is done correctly and to follow up to what extent the previous quality manager applied the requirements of ISO 17025, so as to know what has been achieved and what needs to be completed? Or should he work directly on preparation for proficiency tests according to the administration's request, with this specified in his plan?

    This will depend on your organisational structure and the job profile. For example, what other positions are there in the laboratory? Typically a laboratory or technical manager is responsible for day-to-day operations and quality control, and the quality manager (or a number of designated people) performs the role of ensuring the overall QMS is functional. This involves, for example, Internal Audit management, arranging or overseeing the proficiency testing schemes, and the Management review process.

  • Annual Review Templates

    Please note that ISO 27001 does not prescribe how to record the reviews of supplier security documents, so you can adopt the record that best fits your needs. Examples are a report, an e-mail, or meeting minutes.

    The information you should consider for this record includes at least: documents reviewed, by whom, when, review criteria (e.g., what you planned to look for), review results, and who approved the review.

    For further information about backup, see:

    • Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
  • Starting the implementation

    1 - I have now opened the zip folder ISO 27001 & ISO 22301 and found two folders for ISO 27001:2019. Can you explain?

    From your question, I understand that you are referring to the folders “27001_2013_and_22301_2019_EN” and “27001_2022_and_22301_EN” included in the toolkit zip file.

    Considering that, please note that 2019 refers to the ISO 22301 standard, not ISO 27001.

    There are two folders for document templates because each folder refers to different versions of the standard (2013 and 2022, respectively). There is no ISO 27001:2019.

    We suggest you implement the 2022 revision of ISO 27001 unless you have a specific reason to go for the old 2013 revision.

    2 - When I opened the first folder, I found documents that probably allow both standards to be processed in an integrated manner, is that correct?

    Your assumption is correct. The documents were developed considering the requirements of both standards. In each document, you will find comments explaining where the requirements of each standard are applicable and which adjustments you need to make to adjust the document according to the standard you want to implement.

    3 - I actually wanted to start one project after the other, and not both at the same time. I wanted to start with ISO 22301 separately, how is this possible please?

    To start your implementation first with ISO 22301, you should use folders 01, 02, 03, 10, 11, 12, 13, and 14, adjusting the documents in these folders according to the comments included in them to keep references only to ISO 22301.

    To start with ISO 27001, you should use all folders except folder 10.

    For further information, see:
