Search results


  • Project Manager as internal auditor


    Answer:

    The project manager is involved in most of the activities related to the implementation of ISO 27001, and since one requirement to be observed for an auditor is impartiality (an auditor cannot audit his own work), this person will not be able to perform the auditor role. The same applies to the CISO, since he is responsible for reporting the ISMS performance.

    The best course of action would be to train an employee to perform the internal auditor role, or to hire an external auditor.

    These articles will provide you further explanation about internal audit:
    - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
    - Qualifications for an ISO 27001 Internal Auditor https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/
  • GDPR question


    Answer:

    I don't see a problem with this as long as there is no sensitive information disclosed about the student.
  • ISO 27001 and ISO 27002


    Answer:

    The main differences are:
    - ISO 27001 is a certifiable standard that defines the requirements for an Information Security Management System (ISMS), and also provides, in its Annex A, suggested security controls to be implemented according to the results of the risk assessment or legal obligations.
    - ISO 27002 is a non-certifiable standard that provides details and guidance on the implementation of the controls from ISO 27001 Annex A.
    - Implementing ISO 27002 is not mandatory in order to be certified against ISO 27001.

    These articles will provide you further explanation about ISO 27001 and ISO 27002:
    - What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
    - ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
  • Mandatory list of processes


    Answer:
    No, there are no mandatory processes in ISO 9001:2015. Each organization should design a model about how it works based on the process-approach.

    The following material will provide you information about the ISO 9001 and ISO 13485:
    - Article – ISO 9001: The importance of the process approach - https://advisera.com/9001academy/blog/2015/12/01/iso-9001-the-importance-of-the-process-approach/
    - Free Course ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Process vs procedure

    - Training procedures.
    - Procedures for customer satisfaction.
    - Procedures for review by management.
    I don't know whether I should distinguish between process and procedures. What would be your answer if we substitute the word "Procedure" with "Process"?


    Answer:
    First – ISO 9001 has no mandatory requirement for any procedure – please consider the first link below.

    Second – Attention! Process and procedure are two different things; don’t use the words interchangeably. Please check the second link and the webinar on demand.

    The following material will provide you information about process vs procedure:
    - Article – List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
    - ISO 9001:2015 process vs. procedure – Some practical examples - https://advisera.com/9001academy/blog/2016/01/19/iso-90012015-process-vs-procedure-some-practical-examples/
    - Free webinar on demand - The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • New FMEA Handbook


    Answer:

    The FMEA handbook is both released and effective from June 2019. AIAG and VDA released a standard and common practice is that there will be a transition period. Your OEM will give you more detailed guidelines.
  • ISO 27001 and GDPR

    Personal Data Protection Policy, Website Privacy Policy, Data Retention Policy, Data Retention Schedule, Data Protection Officer Job Description, Cookie Policy, Inventory of Processing Activities, Data Subject Consent Form, Data Subject Consent Withdrawal Form, Parental Consent Form, Parental Consent Withdrawal Form, DPIA Register, Standard Contractual Clauses for the Transfer of Personal Data to Controllers, Standard Contractual Clauses for the Transfer of Personal Data to Processors, Supplier Data Processing Agreement, Data Breach Response and Notification Procedure, Data Breach Register, Data Breach Notification Form to the Supervisory Authority, Data Breach Notification Form to Data Subjects, Data Subject Access Request Procedure, Data Subject Access Request Form, Data Subject Disclosure Form, Data Protection Impact Assessment Methodology, Cross Border Personal Data Transfer Procedure, IT Security Policy, Access Control Policy, Security Procedures for IT Department, Bring Your Own Device (BYOD) Policy, Mobile Device and Teleworking Policy, Clear Desk and Clear Screen Policy, Anonymization and Pseudonymization Policy, Policy on the Use of Encryption, Disaster Recovery Plan.

    Answer:

    Here you can find a list that specifies which documents cover the requirements of ISO 27001, and which are focused on GDPR: https://advisera.com/wp-content/uploads//sites/15/2019/04/List_of_documents_EU_GDPR_ISO_27001_Integrated_Documentation_Toolkit_EN.pdf

    For example, the IT Security Policy complies with ISO/IEC 27001 clauses A.6.2.1, A.6.2.2, A.8.1.2, A.8.1.3, A.8.1.4, A.9.3.1, A.11.2.5, A.11.2.6, A.11.2.8, A.11.2.9, A.12.2.1, A.12.3.1, A.12.5.1, A.12.6.2, A.13.2.3, A.18.1.2, if they are marked as applicable in the ISO 27001 Statement of Applicability.

    This article will provide you further explanation about ISO 27001 and GDPR:
    - Does ISO 27001 implementation satisfy EU GDPR requirements? https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/
  • Implementation of ISO 27002


    Answer:

    First, it is important to note that ISO 27002 is a supporting standard for implementing ISO 27001, and it is not certifiable, which makes it difficult to track the organizations that have implemented it.

    On the other hand, since ISO 27001 is a certifiable standard you can track which organizations have implemented it, but it requires some effort, because there is no central list of certified organizations (you must consult each certification body to track which companies are certified by them).

    However, the ISO site provides an ISO survey where you can find general information about certifications, like total quantity, quantity per country, quantity per industry, etc. It does not name organizations.

    You can find this survey at this link: https://isotc.iso.org/livelink/livelink?func=ll&objId=18808772&objAction=browse&viewType=1

    This article will provide you further explanation about ISO 27001 and ISO 27002:
    - ISO 27001 vs. ISO 27002
    https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
  • Certification of remote companies


    Answer:

    In terms of certification, you can state as the location (company's headquarters) the home address of the founder / CEO of the company, or the address of the office where the people accountable for the company can be found (you should ask the certification body what their preference would be in such a situation). You can present this address as the company's address, and all other locations can be considered remote locations and can be audited accordingly.
  • Result of review

    We’re thinking we need to add a “Review Record Form” that we would fill out and sign before submitting our proposal to the customer; this form would be used to meet ISO requirements. However, we don’t otherwise see value in retaining the document. Couldn’t we just call our signed contract the “…documented information… on the results of the review…” that ISO 9001 requires in section 8.2.3.2 and not add another form into the mix?

    Answer:
    When reading your description, I was thinking of your proposal at the end. Why not consider both the proposal and the signed contract as evidence of review? I just see one possible problem: what if the client in the RFP does not include relevant legal or implicit requirements? If that is the case, your proposed form could be useful to ensure that they are considered in the proposal.

    The following material will provide you information about documented information:
    - Article – List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
    - ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/