  • Privacy of customer data


    Answer:

    Even though you do not have access to data processed by the customer, you still have access to some kind of data from your customer, like email addresses for support contact, personal data of the person responsible for the contract/ service agreement, financial data for billing process, etc.

    So, you have to consider this kind of data in your Policy for Data Privacy.

    The main tip here is the question: which information does the customer have to send me so I can set up their service and bill them?

    If you have any specific doubts in mind please contact us, so we can help you with them.
  • Handling risk


    Answer
    Organizations determine risks and then evaluate them. ISO 31000:2018 presents several options to handle relevant risks:
    * Avoid risk by deciding not to start, or not to continue, with an action that raises it;
    * Accept or increase the risk in order to pursue an opportunity;
    * Remove the source of the risk;
    * Lower the probability;
    * Change the consequences;
    * Share the risk with another party or parties;
    * Maintain risk based on informed decision;
    * Take advantage of opportunities.

    Your “preventive” interpretation is applicable when avoiding risk and when lowering the probability, for example.
    The “correct and fix” interpretation is less common but applicable when removing the source of risk. So both, in a certain way, are correct, although the “preventive” approach is much more common.

    The following material will provide you more information about risk management:
    - How to identify risk controls in ISO 9001:2015 - https://advisera.com/9001academy/blog/2019/01/21/how-to-identify-risk-controls-in-iso-90012015/
    - How to identify risk significance in ISO 9001:2015 - https://advisera.com/9001academy/blog/2019/01/14/how-to-identify-risk-significance-in-iso-90012015/
    - Free webinar – How to implement risk management in ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar/
    - ISO 9001:2015 Risk Management Toolkit - https://advisera.com/9001academy/iso-90012015-risk-management-toolkit/
    - Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • ISO 45001: Processes vs Procedures


    Answer:
    The root of both of your questions is the difference between processes and procedures, so it is best to answer them together. A process is anything that you do that takes inputs, does something to them, and creates outputs (this does not mean that the activities need to be in a specific order). A process does not need to be documented. A procedure is a set way of doing a process, so when the activities need to be done in a certain order (this does not mean that the procedure needs to be written down). A documented procedure is when you choose to write a procedure down. I will give you an example using a purchasing process; I like using purchasing because it is easy to understand.

    So, as an example: If you have a process that states that your purchasers will get a purchase request, choose some vendors from the approved vendor list, find prices online, and then place an order of the best value; you have a process (in this case you may then find prices online first and then look at the vendor list to make sure the vendors are approved because the order doesn’t matter).

    If you decide that the order matters and you want to do the steps in the order listed (purchase request, approved vendor list, find prices, place order) then this becomes a procedure. Note that if you only have a few purchasers, and don’t think you need to write this down because it is not complex, you now have a procedure that is not documented, but it is still a procedure.

    By writing down the procedure you have a documented procedure. You can do this in any way that works for you; flow chart, text document, etc. The important thing to remember is that if by not writing down the procedure you could have a process nonconformity, you should write down the procedure.

    For more information on the difference between processes and procedures, see the 9001Academy article: Watch Your Language! Don’t confuse processes with procedures, https://advisera.com/9001academy/blog/2014/11/04/watch-language-dont-confuse-processes-procedures/
  • Becoming an ISO 27001 consultant

    1. I am at a crossroads in my 30+ year career in Accounting and I'm looking for a change. What are the requirements to become an ISO 27001 lead implementer and how can I become an independent consultant?

    To be qualified as an ISO 27001 Lead Implementer you have to attend an ISO 27001 Lead Implementer course, and for this course there are no previous requirements, so you can start your implementer career with ISO through this course.

    To become a consultant, you should first acquire experience in this field, and the most common ways are to work inside your current company implementing information security, or working for an established consultant.

    For more information about the ISO 27001 Lead Implementer course and how to become a consultant, please read:
    - What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
    - How to become an ISO 27001 / ISO 22301 consultant https://advisera.com/27001academy/blog/2014/07/21/how-to-become-an-iso-27001-iso-22301-consultant/

    2. Will your course prepare me to take the ISMS with Exemplar Global?

    Answer: If I understood your question correctly, you want to know if our ISO 27001 Lead Implementer Course can prepare you for the Exemplar Global exam for ISO 27001 Lead Implementer. Considering that, it is important to note that Exemplar Global currently does not accredit Lead Implementer exams (only ISO 27001 Foundations, Internal Auditor, and Lead Auditor exams, like the ones offered by Advisera), but our course covers all topics related to ISO 27001 Lead Implementer.

    See more information about our ISO 27001 Lead Implementer course at this link: https://advisera.com/training/iso-27001-lead-implementer-course/
  • Roles and Responsibilities of the Board in Cyber Security


    Answer:

    Basically the main roles and responsibilities of the board are:
    - ensure that cybersecurity supports the company strategy;
    - definition of objectives to be achieved;
    - definition of specific related responsibilities and authorities to cyber security;
    - provision of resources;
    - general performance review.

    For more information about roles and responsibilities of Board in Cyber Security I suggest you these materials:
    - Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
    - Aligning information security with the strategic direction of a company according to ISO 27001 https://advisera.com/27001academy/blog/2017/02/20/strategic-direction-of-a-company-according-to-iso-27001/
    - How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
    - Privacy, cyber security, and ISO 27001 – How are they related? https://info.advisera.com/27001academy/free-download/privacy-cyber-security-and-iso-27001
  • Requirement from ISO 27001 for calibration

    If yes, how does a "Software development" company do calibration? We don't use any tools or machines. Just PCs.

    Answer:

    ISO 27001 does not prescribe requirements for calibration, but information security requirements from the organization itself, or from third parties, may define the need for calibration to be included in the software under development.

    For example, for biometric-based access control software, you need to perform calibration during development to ensure the proper degree of confidence in biometric readings, as well as make this feature available for software users to adjust the system when needed (e.g., when new hardware is used).

    In this case, to ensure such requirements are identified and handled properly, you can apply the control A.14.1.1 Information security requirements analysis and specification.

    This article will provide you further explanation about Software Development Life Cycle:
    - How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/
  • Independent review

    Can this requirement for 'Independent Review' be satisfied internally? That is, review of the ISMS policies and procedures by an in-house team that is not directly attached to the ISO 27001 effort?


    Answer: Your understanding is correct. The ISMS review by anyone with proper competence (i.e., knowledge, education or experience on ISO 27001 requirements) that is not related to the ISMS scope, or does not review his/her own work, is a way to fulfill this requirement.

    Can this requirement be satisfied through the ISO 27001 Certification process, citing the 2 minor audits between major certification as our Independent Review?


    Answer: Your assumption is correct, it is possible to achieve compliance with A.18.2.1 by means of certification / surveillance audit.

    Otherwise, what is the best course of action to meet this requirement, and could we gain and keep certification without using this control?


    Answer: The certification / surveillance audit is the best course of action because internal audits are mandatory.

    This article will provide you further explanation about internal audit:
    - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/

    For further information about internal audit, please see:
    - ISO 27001:2013 Internal auditor course https://advisera.com/training/iso-27001-internal-auditor-course/
  • Corrective Action Plan

    In fact the three alternatives can happen:
    - a Corrective Action Plan (CAP) can be elaborated after an audit, when the auditor formally states the nonconformities
    - in some cases, depending on the auditor approach, a CAP can be elaborated during the audit
    - a CAP can be elaborated after someone reports a nonconformity during normal operations, i.e., not associated to an audit activity

    Please note that in all cases the purpose of the CAP is the same: to eliminate the causes of identified nonconformities.
  • Identifying and documenting the context


    Answer
    Clause 4.1 of ISO 9001:2015 is about determining those internal and external issues that can be relevant to influence your organization’s future. You can think about political, economic, social, technological, environmental and legislative as external issues, and about performance, complaints, experience, market presence as internal issues. For example, can you think about technological trends that can influence your organization’s economic sector? Consider banks vs the financial internet startups. As an example of political trends imagine that your organization is in France and exports to the UK. Will Brexit influence sales?
    Clause 4.2 is about determining who are the relevant interested parties for your organization’s business ecosystem: customers; customer’s customers; regulators; influencers; universities; suppliers; unions; competitors, employees (please check ISO 9001:2015 Annex A3 – it is up to your organization who are the relevant interested parties and what needs and expectations are considered relevant)
    Documenting these topics is not required by ISO 9001:2015. So, organizations are free to develop their own methods. Normally, when working with organizations during the implementation of the QMS I document these in meeting minutes and management review records.

    The following material will provide you more information about context and interested parties:
    - (This case study has a clear example) Case study for ISO 9001:2015 transition in a construction company - https://info.advisera.com/hubfs/9001Academy/9001Academy_FreeDownloads/Case_study_for_ISO_9001_2015_transition_in_construction_company_EN.pdf
    - How to identify the context of the organization in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
    - How to determine interested parties and their requirements according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/11/10/how-to-determine-interested-parties-and-their-requirements-according-to-iso-90012015/
    - (This webinar gives some of examples) Free webinar - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/
    - Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Software development and calibration


    Answer
    Let us focus just on what is mandatory in ISO 9001:2015. Calibration is mandatory just for those resources that are used to decide if the final product/service is according to specifications. So, go back to your organization’s outputs, the applications, and check if there is any specification that needs to be tested with some monitoring and measurement resource. Let me speculate. If your organization’s application gives GPS coordinates with some stated degree of error, for professional services, perhaps you should calibrate that. If your organization’s application gives temperature readings or measures light intensity, or moisture level… as important attributes, then perhaps calibration may be needed. Other examples of calibration needs can be around biometrics such as facial recognition and fingerprint reading, in order to be aware of performance and error levels. And perhaps tests with different hardware to set the borders as a function of the hardware used and your applications. We are entering a “Star Trek” world, with more and more use of non-invasive ways to diagnose situations. This will be the future.

    The following material will provide you more information about calibration:
    - Monitoring and Measurement Equipment Control - https://advisera.com/9001academy/blog/2014/05/06/monitoring-measurement-equipment-control/
    - Free webinar - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/
    - Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
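The biometric calibration that this answer and the earlier “Requirement from ISO 27001 for calibration” answer describe (knowing the error levels of a matcher, setting its borders per hardware, and letting users re-adjust when new hardware arrives), as an added example that is not part of either forum answer. It assumes a score-based matcher that returns a similarity score in [0, 1] and accepts a comparison when the score reaches a threshold; the score lists for sensors “A” and “B” are constructed for illustration, not measurements from any real device. It computes false-accept and false-reject rates over the observed scores, finds the equal-error-rate point, selects an operating threshold for a target false-accept rate, and then shows why that threshold has to be recalibrated when the sensor changes:

```python
"""Calibrating the decision threshold of a score-based biometric matcher.

Added example, not code from the forum answer. Assumes the matcher returns a
similarity score in [0, 1] for every comparison and that the application
accepts a comparison when score >= threshold. Every score list below is
constructed for illustration, not measured on any real sensor.
"""
from typing import Dict, List, Tuple

# Scores collected on sensor "A": genuine = same person, impostor = different
# people. Deliberately overlapping so that no threshold is error-free.
GENUINE_A = [0.91, 0.88, 0.95, 0.62, 0.79, 0.93, 0.86, 0.68, 0.77, 0.84]
IMPOSTOR_A = [0.31, 0.45, 0.52, 0.28, 0.61, 0.39, 0.74, 0.55, 0.33, 0.70]

# The same population on sensor "B" (new hardware). Scores are systematically
# lower, which is what forces a recalibration.
GENUINE_B = [0.80, 0.76, 0.85, 0.50, 0.66, 0.83, 0.73, 0.57, 0.64, 0.71]
IMPOSTOR_B = [0.20, 0.35, 0.41, 0.18, 0.49, 0.30, 0.60, 0.44, 0.23, 0.58]


def rates_at(threshold: float, genuine: List[float], impostor: List[float]) -> Tuple[float, float]:
    """Return (FAR, FRR) at a threshold.

    FAR: fraction of impostor comparisons wrongly accepted (score >= threshold).
    FRR: fraction of genuine comparisons wrongly rejected (score < threshold).
    """
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def candidate_thresholds(genuine: List[float], impostor: List[float]) -> List[float]:
    """FAR/FRR only change at observed scores, so those are the thresholds worth testing."""
    return sorted(set(genuine) | set(impostor))


def equal_error_rate(genuine: List[float], impostor: List[float]) -> Tuple[float, float]:
    """Threshold at which FAR and FRR are closest, and the error rate there (EER).

    EER is the usual single-number summary of how well a matcher separates
    genuine from impostor comparisons on a given sensor.
    """
    best_t, best_gap, best_rate = None, None, None
    for t in candidate_thresholds(genuine, impostor):
        far, frr = rates_at(t, genuine, impostor)
        gap = abs(far - frr)
        if best_gap is None or gap < best_gap:
            best_t, best_gap, best_rate = t, gap, (far + frr) / 2
    return best_t, best_rate


def threshold_for_max_far(genuine: List[float], impostor: List[float], max_far: float) -> Tuple[float, float, float]:
    """Lowest threshold whose FAR does not exceed max_far, with its (FAR, FRR).

    The lowest such threshold is wanted because FRR only grows as the
    threshold rises: an access-control system fixes the false-accept rate it
    tolerates first and then minimises friction for legitimate users.
    """
    for t in candidate_thresholds(genuine, impostor):
        far, frr = rates_at(t, genuine, impostor)
        if far <= max_far:
            return t, far, frr
    raise ValueError("no threshold meets the FAR target on this data")


def calibrate(sensor: str, genuine: List[float], impostor: List[float], max_far: float) -> Dict[str, object]:
    """Build a calibration record that can be kept as evidence and re-run per sensor."""
    eer_t, eer = equal_error_rate(genuine, impostor)
    t, far, frr = threshold_for_max_far(genuine, impostor, max_far)
    return {"sensor": sensor, "threshold": t, "far": far, "frr": frr,
            "eer_threshold": eer_t, "eer": eer,
            "samples": len(genuine) + len(impostor)}


if __name__ == "__main__":
    rec_a = calibrate("A", GENUINE_A, IMPOSTOR_A, max_far=0.0)
    print("sensor A:", rec_a)
    # Reusing sensor A's threshold on sensor B without recalibrating:
    far, frr = rates_at(rec_a["threshold"], GENUINE_B, IMPOSTOR_B)
    print(f"sensor B with A's threshold: FAR={far:.2f} FRR={frr:.2f}")
    rec_b = calibrate("B", GENUINE_B, IMPOSTOR_B, max_far=0.0)
    print("sensor B recalibrated:", rec_b)
```

On the constructed sensor “A” data the zero-FAR operating threshold is 0.77 with a 20% false-reject rate; applied unchanged to sensor “B” it still accepts no impostors but rejects 70% of genuine users, while recalibrating on “B” brings the threshold down to 0.64 and the FRR back to 20%. That gap is the “tests with different hardware to set the borders” point from the answer, and the returned record is the kind of calibration evidence an auditor would expect to see kept per sensor model.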