Without more details about the nonconformity, what I can suggest is to check which objectives were defined for the ISMS (see clause 6.2) and how you can verify whether they are being achieved (see clause 9.1):
- Which monitoring methods were defined?
- When must monitoring be performed?
- Who must perform the monitoring?
- When must the results of monitoring be analyzed and evaluated?
- Who must analyze the results of monitoring and evaluation?
Record: Rules for the identification, collection and preservation of evidence
My question: What is the storage duration? The template doesn’t say anything about it.
Answer:
Retention time for evidence will depend mostly on the laws and regulations your organization has to comply with, so you must consult those identified on the list of legal requirements to have a precise definition for this retention time, but a good start is to retain evidence for at least three years (the period of an ISO 27001 certification).
I'm sorry about this confusion - the "Cloud Services Agreement Guideline" is not a document in the toolkit.
The term "Cloud Services Agreement Guidelines" refers to definitions (i.e., clauses) you can find in cloud services agreements you have signed with your hosting providers, applicable to a control (e.g., a clause defining how backup must be executed or where backup copies must be stored), so it can refer to one or more documents.
>1. What is the difference between Privacy Notice and Personal Data Protection Policy?
Answer:
The GDPR increases the amount of information you need to include in your privacy notices. The information is provided to the data subject through Privacy Notices. Notices must also be concise and intelligible and provide the information required under art. 13 and 14 of the GDPR. On the other hand, the Data Protection Policy, as stated previously, is a statement of the company that it processes data in accordance with the GDPR and its principles. So both the purpose and the audience are different.
>2. What is the difference between Employee Privacy Notice and Employee Data Protection Policy?
Answer:
Keeping in mind the description and purpose of a Privacy Notice, note that the Employee Privacy Notice is tailored to inform employees about what the company usually uses their personal data for. The Employee Data Protection Policy is a document that sets up the rules for processing personal data by the HR department.
Reporting a gap analysis
Answer
First, I would not use the word negative. You are starting to implement a quality management system (QMS), you need allies and people can become very upset when someone comes saying that they are wrong.
I would start by remembering all the reasons the organization wants or needs an ISO 9001 QMS. Then I would arrange ISO 9001 clauses (gap analysis questions and answers) in groups that anyone can relate to. People don’t know clause 8.4, but they know what purchasing or income inspection are. For example, you can group topics around commercial activities, around warehouse activities, around purchasing activities, ...
For each group I would present the gap analysis question, the answer and the why for the topic. Then, I would present a summary of the ISO 9001 requirement, stressing that ISO 9001 does not give an answer about how to close the gap. For each group I would present a proposal about a team composition and timing for developing the way to close the gap. If you use our Free ISO 9001:2015 Gap Analysis Tool, you can use the number at the bottom to monitor the progress impartially.
An organization with a quality management system should have a quality policy. A quality policy is a set of intentions and direction for an organization as determined by top management. You will not see this in ISO 9001:2015, this is my practice. When I work with an organization’s top management in developing their quality policy I recommend thinking about some questions:
Who are our target customers and other very relevant interested parties?
What are the most important requirements for those target customers and other very relevant interested parties?
In what activities should our organization be excellent to be able to satisfy target customers and other very relevant interested parties?
After discussing the questions and answers and after arriving at some consensus, I invite the organization to write a text with the following structure:
For whom do we work (We work for clients that value …)
What are our top priorities. In what things do we need to be excellent.
Add the commitments included and required by ISO 9001
That way you will write a guiding document that will focus your organization in a strategic way, and translating that policy into objectives will be easier.
Answer
Your organization is not an abstract entity living in a perfect world. For example, top management should not make decisions without considering what is happening now, or what can happen in the future, in the economic, social, political or technological environment around the organization. Imagine an organization deciding to invest heavily in a technology that can become obsolete, or deciding to open an office in another country that will impose greater import restrictions.
Organizations are not really free to decide what to do, they should take into consideration their past, their experience, their DNA, their strengths and their weaknesses. The set of internal and external issues that affect an organization is what ISO 9001 calls the context.
Answer
An internal auditor must be competent to perform internal audits. Companies have the authority to determine what their requirements for competency should be. Normally, they are about knowing the standard, knowing good audit practices and having some previous experience.
With the ISO 9001:2015 Lead Auditor Course you will get training about ISO 9001:2015 and about good audit practices (preparing, performing and reporting). This will give you knowledge that you can pass on to others through an internal auditor course performed by you in-house. Attention: this course is better suited to those who want to follow a career as Lead Auditors. If you only want to be able to train internal auditors, and do not want to follow a career as a Lead Auditor, perhaps our ISO 9001:2015 Internal Auditor Course is better suited to your needs.
# Type
# Scope
# Frequency
Are the documents in "10_Internal_Audit" covering this point?
Answer:
I'm assuming you are referring to ISO 27001 Annex A section A.18.2 Information security reviews. Considering that, your assumption is correct: the internal audit procedure is the document which covers the controls from this section.
The definition of scope and frequency will depend on factors such as the importance of the information system, related risks, results of previous audits, etc., but a good start to consider is to audit information systems in the ISMS scope at least once a year.
2. I'm having a problem figuring out this issue; do you have forms or a procedure to cover this point?