Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11269 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
GDPR and processing of personal data
Answer:
The GDPR applies regardless if the personal data is processed internally or shared with third parties outside the company.
2. Also, are we able to stored IP addresses for the purpose of mitigating DDoS attacks or must we anonymize or use GEO location
Answer:
You may be able to retain IPs based on "legitimate interest" for security purposes such as DDoS attacks. However, the users need to be informed about the processing of their personal data according to art. 13 an 14 of the EU GDPR.
If you need to find out more about the EU GDPR please check out this EU GDPR Foundations Course https://advisera.com/training/eu-gdpr-foundations-course// -
ISMS in QMS?
Organizations with a quality management system may want to avoid problems. For example, with intellectual property theft, production and commercial disruption. You can find more information in this two articles: Using ISO 9001 for implementing ISO 27001 - https://advisera.com/27001academy/blog/2010/03/08/using-iso-9001-for-implementing-iso-27001/ and How to integrate ISO 9001 and ISO 27001 - https://advisera.com/9001academy/blog/2016/09/27/how-to-integrate-iso-9001-and-iso-27001/ Check also this free webinar on demand ISO 27001 implementation: How to make it easier using ISO 9001 - https://advisera.com/27001academy/webinar/iso-27001-implementation-make-easier-using-iso-9001-free-webinar-demand/ -
CMMI and ISMS
Answer:
Unfortunately we do not have such material consolidated, but from these links you can build an understanding about their relation:
- Mapping from ISO 9001:2008 to CMMi v1.2: https://cmmiinstitute.zendesk.com/hc/en-us/articles/115004587567-Do-ISO-standards-and-CMMI-work-together-
- Mapping from ISO 9001:2008 to ISO 9001:2015 https://committee.iso.org/files/live/sites/tc176sc2/files/documents/ISO%209001%202015%20-%20Implementation%20guidance%20docs/ISO9001_2015_Correlation_Matrices.docx
- ISO 27001 vs. ISO 9001 matrix https://info.advisera.com/9001academy/free-download/iso-9001-2015-vs-iso-27001-2013-matrix -
ISO 27001 in designing projects
(I would like to better understand how ISO27001 can help me in designing projects for physical security - hardware - I am a manufacturer.)
Answer:
Como uma norma voltada para segurança da informação, a ISO 27001 pode auxiliar na elaboração de projetos para segurança física de hardware ao:
- prover uma sistemática para a identificação de requisitos e seleção de controles a serem implementados para proteger as informações que este hardware irá tratar. Por exemplo, se as informações que serão armazenadas ou transferidas através deste hardware requerem alto nível de proteção, um possível requisito de hardware seria a implementação de funcionalidades que permitissem a identificação de tentativas de violação do hardware (um bom exemplo são leitoras de cartão de crédito).
- ao prover controles específicos para a implementação de segurança física (controles da seção A.11), incluindo proteção específica para eq uipamentos (controles da seção A.11.2)
- auxiliar na identificação e implementação de controles para a proteção das informação do projeto (por exemplo, controle de acesso às especificações de tecnologias a serem implementadas no hardware, definição de responsabilidades, etc.).
(As an information security standard, ISO 27001 can assist in designing projects for physical hardware security by:
- provide a system for identifying requirements and selecting controls to be implemented to protect the information that this hardware will handle. For example, if the information that will be stored or transferred through this hardware requires a high level of protection, a possible hardware requirement would be the implementation of features that allow identification of attempts to breach the hardware (a good example is credit card readers. ).
- by providing specific controls for the implementation of physical security (section A.11 controls), including equipment-specific protection (section A.11.2 controls)
- assist in the identification and implementation of controls for the protection of project information (e.g., access control to technology specifications to be implemented in hardware, definition of responsibilities, etc.).)
Estes artigos podem prover informaçao adicional sobre a ISO 27001 em projetos:
(These articles can provide additional information about ISO 27001 in project: )
- How to implement equipment physical protection according to ISO 27001 A.11.2 – Part 1 https://advisera.com/27001academy/blog/2016/04/18/how-to-implement-equipment-physical-protection-according-to-iso-27001-a-11-2-part-1/
- How to implement equipment physical protection according to ISO 27001 A.11.2 – Part 2 https://advisera.com/27001academy/blog/2016/04/26/how-to-implement-equipment-physical-protection-according-to-iso-27001-a-11-2-part-2/
- How to manage security in project management according to ISO 27001 A.6.1.5 https://advisera.com/27001academy/what-is-iso-27001/
- How to set security requirements and test systems according to ISO 27001 https://advisera.com/27001academy/blog/2016/01/11/how-to-set-security-requirements-and-test-systems-according-to-iso-27001/ -
New company logo and controlled documents
Answer
If your logo is part of the documents’ identification and if your logo was changed, your organization will have to update documentation. Since your next surveillance audit will take place in less than a month perhaps that update should be planned to take place not in a moment but along a period of time. So, easier documents to update can be updated right away, for other documents you can develop a plan start to implement it and show it during next surveillance audit. For example, auto companies sometimes make changes in their component drawings and allow suppliers to use previous versions until stock of those versions goes to zero.
The following material will provide you more information about ISO 9001 and document control:
New approach to document and reco rd control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
- Enroll for free course - ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
- book – Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/ -
ISO 9001 and shipping companies
Answer
Just googling “shipping iso 9001” I found a set of ISO registered shipping companies. Perhaps the big ones are so well known that they do not need certification to improve their credibility.
The following material will provide you more information about ISO 9001 and shipping companies:
Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/
How ISO 9001 improves shipping procedures - https://advisera.com/9001academy/blog/2019/07/09/how-iso-9001-improves-shipping-procedures/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- book – ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/ -
Use of encryption and ISO 27001
Answer:
According to ISO 27001, you only have to implement any kind of encryption, as well as other types of controls, in the following situations:
- There are unacceptable risks that justify the application of the control (i.e., based on the risk assessment results)
- There are legal requirements (e.g., laws or contract clauses) to which the organization must comply with, that demands the application of the control
- There is a management decision to implement the control, by considering it as good practice.
If none of the above conditions happen, there is no need to implement a control.
This article will provide you further explanation about selecting controls:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/ -
Identificar riesgos en ISO 14001
Respuesta
La organización debe prepararse y responder ante situaciones potenciales de emergencia que están relacionadas con los riesgos identificados en el apartado 6.1.1.
Estos riesgos y oportunidades pueden estar relacionados con:
– aspectos ambientales (cláusula 6.1.2) -
– requisitos legales y otros requisitos (cláusula 6.1.3);
– otras cuestiones y requisitos identificados en los apartados 4.1 y 4.2
En cuanto a los riesgos asociados a los aspectos ambientales debe de identificar cada uno de los procesos del ciclo de vida del producto o servicio, e identificar sus entradas y salidas para poder posteriormente identificar de manera apropiada sus impactos y evaluar mediante una serie de criterios establecidos por la organización los aspectos ambientales significativos.
Para más información sobre cómo identificar los aspectos ambientales y sus riesgos puede ver los siguientes artículos:
- 4 pasos en la identificación y evaluación de aspectos ambientales: https://advisera.com/14001academy/es/knowledgebase/4-pasos-en-la-identificacion-y-evaluacion-de-aspectos-ambientales/
- Catalogue of environmental aspects: https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/catalogue-of-environmental-aspects/
- ISO 14001:2015 how to set the criteria for environmentas aspects evaluation: https://advisera.com/14001academy/blog/2016/10/31/iso-140012015-how-to-set-criteria-for-environmental-aspects-evaluation/
Por otro lado, los riesgos pueden aparecer como consecuencia de requerimientos legales o de los cambios en ellos, por lo que debe establecer un sistema de identificación de esos requisitos y sus posibles cambios para llevar a determinar los riesgos asociados.
Y por último los riesgos asociados al contexto de la organización, ara los cuales le recomiendo que lleve a cabo un análisis DOFA, en el que identifique las debilidades, oportunidades, fortalezas y amenazas que derivan de las cuestiones internas y externas de su compañía. Para ello puede organizar una reunión en la que se lleve a cabo este análisis con la gente relevante de su organización, como los gerentes, CEO, etc.
Para más información sobre riesgos y oportunidades en ISO 14001 puede ver los siguientes artículos:
- Gestión de riesgos en ISO 14001:2015: qué por qué y cómo: https://advisera.com/14001academy/es/knowledgebase/gestion-de-riesgos-en-iso-140012015-que-por-que-y-como/
- ISO 14001 risks and opportunities vs environmentak aspects: https://advisera.com/14001academy/blog/2016/06/06/iso-14001-risks-and-opportunities-vs-environmental-aspects/
Estos materiales pueden también ayudarle con la identificación de riesgos y oportunidades en ISO 14001:
- Libro - The IsO 14001:2015 companion: https://advisera.com/books/the-iso-14001-2015-companion/
- Curso gratuito en línea - Fundamentos ISO 14001: https://advisera.com/training/es/course/curso-fundamentos-iso-14001/ -
Making an effective audit
Answer
Effective means successful in producing a desired or intended result. What is the desired or intended result for your audit? What are the audit objectives? What have your client told you about the purpose of the audit? If the objective is mainly about conformity you should collect findings that will help you answer in your report if the company is conforming with performance targets and procedures or work instructions. I think you will need to check if:
inputs into production are identified, traceable and controlled;
people are competent;
production process is under control;
quality is under control;
production performance is under control;
non-conformities are identified and treated;
corrective actions are developed and effective;
And at the same time, you have to look into significant environmental aspects and impacts and check if they are under control, monitored and decisions made and implemented. Same for health and safety.
The following material will provide you more information about internal audits:
ISO 9001 – How to prepare for an internal audit - https://advisera.com/9001academy/blog/2017/09/26/iso-9001-how-to-prepare-for-an-internal-audit/
Five Main Steps in ISO 9001 Internal Audit - https://advisera.com/9001academy/knowledgebase/five-main-steps-in-iso-9001-internal-audit/
Free webinar on demand – How to perform an ISO 9001:2015 internal audit - https://advisera.com/9001academy/webinar/how-to-perform-an-iso-9001-2015-internal-audit-free-webinar-on-demand/
- Enroll for free course - ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
- book – ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/ -
Overcoming the language barrier
Answer
If top management is interested in the implementation of a quality management system (QMS), it is because there are some kind of benefits for the organization.
My advice is translating those benefits into practical positive consequences for middle management persons like:
Implementing a QMS -Certifying the QMS -More international credibility -More orders -More production -Higher wages
Implementing a QMS -Less quality problems -More efficiency -Less costs -More production and competitiveness -Higher wages -Higher status
If language is a barrier use simple messages, tell them a story, make them play a game, something that pass the message.
The following material will provide you more information about QMS benefits:
Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/
Benefits of ISO 9001 implementation for small businesses - https://advisera.com/9001academy/blog/2018/09/17/benefits-of-iso-9001-implementation-for-small-businesses/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/