
  • Documenting a QMS


    Answer:

    The documented information required by ISO 9001:2015 includes:

    a) The documented information required by the ISO 9001 standard
    b) The documented information that the organization determines as necessary for the proper functioning of the Quality Management System.

    Within ISO 9001 there is a set of mandatory documented information; these are the documents and records needed to meet the requirements of the standard. You can find more information here - List of mandatory documents required by ISO 9001:2015: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/lista-de-documentos-obligatorios-requeridos-por-la-iso-90012015/

    In addition, there are a number of requirements regarding the control of documented information, which include:
    a) Access, distribution, retrieval and use.
    b) Storage and preservation.
    c) Control of changes.
    d) Retention and disposition.

    For more information you can consult the following materials:
    - Article - New approach to document and record control in ISO 9001:2015: https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
    - Article - How to structure documentation in the quality management system: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/como-estructurar-la-documentacion-del-sistema-de-gestion-de-calidad/
    - Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free online course - ISO 9001:2015 Foundations Course: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
  • Controls measurement


    Especially, what is meant in the Access Policy by "level of confusion responsibility for the implementation of this document"?

    Acceptable Use Policy:
    Validity and document management
    This document is valid as of [date].
    The owner of this document is [job title], who must check and, if necessary, update the document at least once a year.
    When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:
    number of incidents related to unacceptable or unauthorized use of information assets
    number of incidents related to inappropriate employee training or awareness programs

    Access Control Policy:
    Validity and document management
    This document is valid as of [date].
    The owner of this document is [job title], who must check and, if necessary, update the document at least once every six months.
    When evaluating the effectiveness and adequacy of this document, the following must be considered:
    number of incidents related to unauthorized access to information
    delayed change of access rights in case of change or termination of employment / contract
    number of systems not included in this document
    level of confusion responsibility for the implementation of this document

    Answer:

    Examples of how to measure these items are:
    - Number of incidents related to unacceptable or unauthorized use of information assets: you must gather this information from the evaluation of recorded incidents (filled in the Incident Log).
    - Number of incidents related to inappropriate employee training or awareness programs: you must gather this information from the evaluation of recorded incidents (filled in the Incident Log), compared to attendance lists from training and performed awareness activities (this way you can verify whether the people involved in an incident have participated in training and awareness or not).
    - Number of incidents related to unauthorized access to information: you must gather this information from the evaluation of recorded incidents (filled in the Incident Log).
    - Delayed change of access rights in case of change or termination of employment / contract: to evaluate this situation you must identify changes or terminations of employment / contract performed by the HR team and track whether access changes were raised, and when they were implemented (this second piece of information will normally be found in the IT area and in the area responsible for physical access).
    - Number of systems not included in this document: in this case you must compare the information in the inventory of access with the content of the access control policy.
    - Level of confusion regarding responsibilities for the implementation of this document: in this case you must meet with the personnel involved in the implementation of this policy and ask for their feedback regarding the policy implementation (e.g., whether users requiring access know who to contact to ask for access to specific systems).
  • ITSCM and BCM


    Answer:
    IT Service Continuity Management (ITSCM) relates its activities to the inputs from Business Continuity Management (BCM). That also means that if you have implemented ITSCM, you have not covered BCM.

    This article can help you further: "IT Service Continuity Management – waiting for the big one" https://advisera.com/20000academy/blog/2013/09/24/service-continuity-management-waiting-big-one/

    and, here you can learn more about ISO standard related to the BCM "What is ISO 22301?" https://advisera.com/27001academy/what-is-iso-22301/
  • GDPR Controllers and Processors of personal data records


    Answer:

    Yes, where necessary there are different documents. For example, there are two versions of Data Processing Agreements, one which is more Controller oriented and the other which is more Processor friendly. However, consider that very seldom an organization acts exclusively as a Processor.
  • EU GDPR and Data Processing


    Answer:

    The email communication would not be a problem. The question is whether the software application you are providing support for processes any personal data and whether, while providing support, you may access such data. If the answer is yes, then you need to comply with some GDPR provisions.

    If you want to find out more about the EU GDPR and what constitutes personal data check out the EU GDPR Foundations Course (https://advisera.com/training/eu-gdpr-foundations-course//).
  • Toolkit content


    Answer:

    This "Information Security Risk Treatment Plan" is covered by template Risk Treatment Plan, located in folder 07 Risk Treatment Plan
  • Managing information security incidents


    Answer:

    First, it is important to note that if an information security occurrence has no impact on the business nor on information security, it is an information security event, not an information security incident.

    This slight difference makes a big difference in how to approach the situation, because handling events requires less effort than treating incidents.

    In your situation, you must consider historical data (e.g., previous incidents) or market data (industry reports) to validate your idea that 3-4 events per day is too high a volume of irregular email that your anti-spam does not block, leading to a greater risk of malware infection or data loss.

    In case this quantity of events is in fact too high, then you must consider reviewing the rules of your anti-spam filter, or raising the awareness of your personnel. If not, you can keep only recording and monitoring these events to see whether they increase or not.

    For raising awareness of your personnel, I suggest you take a look at our Security Awareness Training at this link: https://advisera.com/training/awareness-session/security-awareness-training/ - this is a series of 25 videos that cover various topics related to security.
  • Template content

    Where is my question inside the document: 3.3 period of time
    Question: What is meant by final report? The management review?

    Answer:

    Section 3.3 of the Risk assessment report says 'Final reports were prepared during [specify period].' - by these final reports it is meant the Risk assessment table and Risk treatment table that need to be presented as appendix (the best would be in PDF format) to the Risk assessment report.
  • ISO 22301 audit


    Answer:

    The path for certification as an auditor for ISO 22301 (either internal auditor or lead auditor) is the same as for an auditor for ISO 27001 (you have to attend a course and pass an exam). However, considering that you already have an auditor certification for ISO 27001, you have two options here:
    - Go for an ISO 22301 auditor course
    - Go for an ISO 22301 foundations course, to acquire the knowledge specific to the ISO 22301 standard, since the auditing standard used in the ISO 22301 auditor course is the same as for ISO 27001
    Considering that you already have experience auditing ISO 27001, this second approach is acceptable to auditors, because you can demonstrate experience in auditing ISO management systems.
  • Separating AS9100 and ISO 9001


    Answer:
    The answer to this comes down to how you have defined the scope of your quality management system (QMS). If you have stated your scope in such a way that all of the QMS rules apply to every product, then you will need to apply all rules to everything. If, however, you defined your scope to allow certain products to have ISO 9001 policies applied, with the additional aerospace requirements of AS9100 applied to only certain products or parts of the company, then you can separate what is applied where.

    For instance, I have seen a company that had three assembly lines, two of which made automotive parts and were certified to IATF16949, and the final one which made other parts and was certified to ISO 9001. For this final assembly line the additional automotive requirements did not apply.

    For a simple explanation of the AS9100 Rev D standard, see the whitepaper: Clause-by-clause explanation of AS9100 Rev D, https://info.advisera.com/9100academy/free-download/clause-by-clause-explanation-of-as9100-rev-d
