Search results

Monitoring and measuring reports

Thank you so much, this has been a huge help! :)

EU GDPR compliance on websites

The minimum documentation you need is the Website T&C, Privacy Policy, and the Cookie Policy.

You can find readily available templates for websites within this Mini GDPR Toolkit for Websites -https://advisera.com/eugdpracademy/eu-gdpr-mini-toolkit-for-websites/

ISO 9001 implementation and QMS

1. Can you please help me with the list of documents required for ISO 9001:2015 certification?

In the following articles you can find a list of mandatory documents required by ISO 9001:2015 – List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/ and - Checklist of Mandatory Documentation Required by ISO 9001:2015 - https://cdn2.hubspot.net/hubfs/1983423/9001Academy/9001Academy_FreeDownloads/Checklist_of_ISO_9001_2015_Mandatory_Documentation_EN.pdf

2. I need to build a QMS right from scratch so need to draft appropriate policies, procedures, forms etc.

If you are in a hurry to draft your documentation perhaps one of our ISO 9001:2015 Documentation Toolkits -  https://advisera.com/9001academy/iso-9001-documentation-toolkit/ could be helpful. Please consider following this advise for the structure - How to structure quality management system documentation - https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/

3. And also, I would like to know is it mandatory for us to buy a software for maintaining QMS? Can we not do it in Grand avenue?

Implementing and maintaining a QMS can be easier with the help of software. However, ISO 9001:2015 does not mandates buying or using any particular software. About Grand Avenue, I never worked with it but based on what I saw in internet I believe it can be used and be useful.

The following material will provide you more information from Advisera about implementing a QMS:

• Checklist of ISO 9001 implementation & certification steps - https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
• ISO 9001 Implementation diagram - https://info.advisera.com/9001academy/free-download/iso-9001-implementation-diagram
• Free ISO 9001:2015 Gap Analysis Tool - https://advisera.com/9001academy/iso-9001-gap-analysis-tool/
• Project Plan for ISO 9001 implementation - https://info.advisera.com/9001academy/free-download/project-plan-for-iso-9001-implementation-ms-word
• Free webinar on demand - Free webinar – Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

Documents from an external origin

First, it is important to note that as for "Documented information" the standard means both documents and records. Second important point is that the standard does not prescribe documents from external origin to be controlled, only that if the organization identifies such document they must be controlled. In short, it is your organization that must define which external documents are necessary to ensure your ISMS is properly planned, implemented and operated.

Regarding types of documents, your own question covered the most basic ones (considering the needs of your ISMS):
- Documents and records from legal authorities or regulators (including your certification body): your ISO 27001 certificate, the ISO 27001 standard, EU GDPR (so you can have access to information security-related clauses from Article 32), official letters from government agencies, etc.
- Documents and records from customers, suppliers, and partners: contracts, service agreements, product/service specification, operation manuals, etc.

This article will provide you a further explanation about the document management:
- Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/

Risk transfer

Part of the XXXX company's network of operations is managed by an external company, called XXXX, located within the XXXX company's facilities: personnel, systems, and information.

All the assets of this network are critical assets and all with a very high risk of threats. Some of these assets have measures applied, some are insufficient and should improve. I have identified the owner of the asset the company XXXX, owner of the risk, the external company XXXX.

As we commented, we would have two options:

• From the XXXX company, treat the risks and implement the controls
• From the XXXX company, transfer the risk to the XXXX company which is the one who must implement the controls but following the criteria of the XXXX company.

I'm lost!!!

I need you to advise me on the most effective way to do it. If we transfer the risk to the company XXXX, we lose control of the controls and it will not be defined what are the controls to be applied… .. and we should not.

Can you please help me at this point?

When you transfer risk treatment to a third-party the best way to do that is by means of contract or service agreement, so you can enforce, through security clauses, the third-party to keep the same or higher level of security you would implement by your own, as well as to present evidence you need to not lose sight of the controls you want implemented.

These articles will provide you a further explanation about supplier security:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/