In terms of certification, you can state as the location (company's headquarters) the home address of the founder / CEO of the company or the address of the office where the people accountable for the company can be found (you should ask the certification body what their preference would be in such a situation). You can present this address as the company's address, and all other locations can be considered remote locations and can be audited accordingly.
Result of review
We’re thinking we need to add a “Review Record Form” that we would fill out and sign before submitting our proposal to the customer; this form would be used to meet ISO requirements. However, we don’t otherwise see value in retaining the document. Couldn’t we just call our signed contract the “…documented information… on the results of the review…” that ISO 9001 requires in section 8.2.3.2 and not add another form into the mix?
Answer
When reading your description I was thinking of your proposal at the end. Why not consider both the proposal and the signed contract as evidence of review? I just see one possible problem: what if the client in the RFP does not include relevant legal or implicit requirements? If that is the case, your proposed form could be useful to ensure that they are considered in the proposal.
Answer
Is each organization certified? Is the common project under the scope of each certified management system? Let us suppose the answer is yes to both questions. Minutes can be kept on paper or in digital format. Even if minutes are written by one organization, the other, upon receipt, can check the content and formally approve it or not.
Answer:
While I can’t write your report for you, some things you need to understand about the OH&S policy, OH&S objectives and OH&S legal requirements is that they will each have an aspect of measurement associated with them. The OH&S policy is the overall goal of the OHSMS, and as such the overall OH&S performance needs to be measured in accordance with the policy.
The OH&S objectives need to be in line with the policy, and are intended to be measurable improvement goals for the company. For instance, an objective could be to reduce near miss accidents by 20% in the next 6 months. So, for this objective you will need to be monitoring and measuring the near miss accidents so you know if they are reduced.
As for the legal requirements, there is a clause in the ISO 45001 standard which requires you to measure your compliance to your obligations, and legal requirements are obligations. Not only do you need to measure how compliant you are to these obligations, some legal requirements may also require measurement as well, such as the amount of air emissions.
For more information on these topics I would suggest you look into our blog which covers many of these topics in more detail (https://advisera.com/45001academy/blog/) and to learn more about the ISO 45001 requirements see our free whitepaper: Clause-by-clause explanation of ISO 45001:2018, https://info.advisera.com/45001academy/free-download/clause-by-clause-explanation-of-iso-45001
GDPR and the privacy policy
Answer:
A Privacy Policy or a Privacy Notice is compulsory regardless of whether the data which is collected is processed for marketing purposes. The requirement comes from article 13 of the EU GDPR.
The content of a Privacy Notice is described in art. 13 and 14 of the EU GDPR.
If you look at section 2 (Reference Documents) of the Secure Development Policy, except for control A.14.2.4 (Restrictions on changes to software packages) all other controls mentioned in the article are covered by this policy. These are the controls from ISO 27001 covered by this policy: A.14.1.2, A.14.1.3, A.14.2.1, A.14.2.2, A.14.2.5, A.14.2.6, A.14.2.7, A.14.2.8, A.14.2.9 and A.14.3.1
Control A.14.2.4 is covered by the template Security Procedures for IT Department, located in folder 08_Annex_A_Security_Controls A.12_Operations_Security
Risk Registers
Answer: ISO management standards do not prescribe how to implement a risk register, so both approaches are acceptable. A single risk register can show you a systemic view of all risks the organization is exposed to, but it is also more complex to analyze. A risk register for each aspect helps you focus on relevant risks for each aspect, but it will require more administrative effort to maintain. You have to evaluate these situations to identify which approach is better for your organization.
2. I also see that the risk assessment that came with the pack is an asset-based risk assessment... is that mandatory?
Answer: ISO 27001 does not prescribe a methodology, only that one must be defined and documented, so you can adopt the methodology that best suits your needs. The asset-based risk assessment is included in the toolkit because it is the most common approach used for information security risk assessment, and this is also the one that provides the best balance between precision and needed effort.
Answer:
The ISO 14001 Lead Implementer course has two parts: one with the foundations of the standard, and another about planning, implementing and controlling a management system implementation project.
The ISO 14001 Lead Auditor course has two parts: one with the foundations of the standard, and another about auditing. If you want to be a Lead Auditor in your company, you have to fulfill the internal requirements for internal auditors. Normally, those requirements consider knowledge about the standard and good audit practices. To be an internal auditor, I recommend the Internal Auditor course. The Lead Auditor course is more for those that foresee working as external auditors, even working for a certification body in the near future.
1. I am running a charity NGO. Are there any specific GDPR rules I need to consider?
2. The NGO is supporting people with disabilities and we have a database of the persons that received help from us. Am I allowed to hold this database?
3. The database also contains the disability and medical condition. Do I need consent to keep this data?
4. We also have copies of medical prescriptions which we reimburse to some of our members. Is this ok?
Answers:
1. There are no specific requirements for NGOs or charities; the same GDPR requirements apply across the board.
If you want to find out more about the EU GDPR requirements, check out this EU GDPR Foundations Course (https://advisera.com/training/eu-gdpr-foundations-course//).
2. Health data falls under the special category data and you need to be extremely careful when processing it. There are specific requirements relating to the processing of special category data.
3. First of all, if you rely on consent, "express" consent is necessary, which is more strictly regulated by the GDPR. Basically, you would need a statement from the data subject that you can process health data.
4. The same rule around express consent applies if you want to keep the prescriptions. However, you should find ways not to keep the prescriptions, or maybe anonymize the content to remove any medical information.
Questions about ISO 27001
1. Produce a practical or step-by-step manual explaining the ISO 27001:2013 standard
2. Produce a comparison chart between ISO 27001:2013 and at least ten (10) information security standards.
3. What relationship or difference exists between the NTC and ISO 27001:2013?
4. Which companies are in charge of certifying in Colombia under the ISO 27001:2013 standard
I need your valuable collaboration: I am doing an investigative work and I need this information
1. Make a practical or step-by-step manual explaining ISO 27001:2013
3. What is the relationship or difference between the NTC and ISO 27001:2013?
Answer: The NTC ISO 27001 is the Colombian version of the international ISO 27001. It has translated the English text of ISO 27001 into the official language of Colombia and included some local information regarding this country's specifics, but these additions do not conflict with the international text.
4. Which companies are in charge of certifying in Colombia under the standard ISO 27001:2013