
  • Right of erasure


    Answer:

    Both work just the same as long as the deletion or anonymization is permanent.
  • Official versions


    Answer:
    That E stands for the official version in English. For example, the French version has EN ISO 9001:2008 (F), where the F stands for the official version in French.

    The following material will provide you with information about ISO 9001:
    - ISO 9001 – What is ISO 9001? - https://advisera.com/9001academy/what-is-iso-9001/
    - Free course – ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - book – Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Processes and environmental management system


    Answer:
    The basis for an environmental management system is your list of environmental aspects and impacts, the way your organization interacts with the environment. You can relate each environmental aspect and impact to the processes where they originate. So, you only need to plan for the processes where relevant environmental aspects and impacts occur, and for those associated with compliance obligations even if they are not considered significant.

    The following material will provide you with information about the assessment of environmental interactions:
    - ISO 14001 – 4 steps in identification and evaluation of environmental aspects - https://advisera.com/14001academy/knowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/
    - List of ISO 14001 implementation steps - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/list-of-iso-14001-implementation-steps/
    - free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • Process mapping

    We've received other questions:

    > 1. On the process map, will a turtle diagram of each process or a flow chart follow, ok?

    Answer 1:
    Turtle diagrams and flowcharts are both useful for describing different topics about a process.
    The turtle diagram systematizes a whole set of information about a process:

    See - https://www.screencast.com/users/ccruz5284/folders/Default/media/df217339-8683-4c05-ad46-a78a76be4820

    The flowchart describes the flow of activities and who participates between the inputs and the outputs:

    See - https://www.screencast.com/users/ccruz5284/folders/Default/media/540b7a2a-2f8b-438f-bd25-1866521c79ee

    > 2) Will we have the process "Acquire materials and services" even if we don’t buy any material for production, ok?

    Answer 2:
    Perhaps the name is not the best one, but the idea is to capture the activities from picking up the materials until assembling starts. Besides the materials and components, are there not any important products or services that your organization acquires from suppliers?
  • ISO 9001 and nonprofit organizations


    Answer:
    Yes, nonprofit organizations can apply for ISO 9001 certification. You can look into hospitals and governmental organizations, for example.

    The following material will provide you with information about ISO 9001:

    - ISO 9001 – What is ISO 9001? - https://advisera.com/9001academy/what-is-iso-9001/
    - Free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - book – Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/iso-standard/iso-9001/
  • Internal auditor competence


    Answer 1:
    Each organization has the authority to determine its competency requirements for its internal auditors. Normally, organizations consider that internal auditors should have knowledge of the audit criteria (ISO 14001:2015 in this case) and should have training in internal audits. So, your internal quality auditors should be prepared to audit your environmental management system after training on ISO 14001:2015.

    Question 2.
    What would I need to conduct internal audits myself?

    Answer 2:
    I would recommend training about ISO 14001:2015 and an internal audit course. As a plus, I would recommend that you participate as an auditor, as part of an audit team, in 2 or 3 internal audits. Attention, I don’t recommend that internal auditors perform global internal audits. Normally, they don’t have the time and experience for that; I recommend splitting the scope of the environmental management system into 3 or 4 audits over a year.

    Question 3.
    What is needed for me to train auditors for internal auditing?

    Answer 3:
    If you want to be the trainer, I recommend that first you gain some experience as an internal auditor, perhaps after 3 or 4 internal audits as a lead internal auditor.

    Question 4.
    Is an internal audit conducted by someone without proper certification a non-conformance?

    Answer 4:
    Yes, it is a nonconformance.
    A possibility is to contract an external auditor to perform your internal audit before having competent internal auditors.

    The following material will provide you with information about internal audits:
    - ISO 14001 – What competencies should an ISO 14001 internal auditor have? - https://advisera.com/14001academy/blog/2016/07/04/what-competences-should-an-iso-14001-internal-auditor-have/
    - Internal Audits in the EMS: Five Main Steps - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/internal-audits-in-the-ems-five-main-steps/
    - Free course – ISO 14001:2015 Internal Auditor Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
  • Data Processor Articles in GDPR


    Answer:

    The responsibilities of data processors are set out in Art. 28 - "Processors" of the EU GDPR.

    These obligations include:

    • The processor may only use a sub-processor with the consent of the controller. That consent may be specific to a particular sub-processor or general. Where the consent is general, the processor must inform the controller of changes and give them a chance to object (art. 28(2), art. 28(3)(d));

    • The processor must ensure it flows down these obligations to any sub-processor. The processor remains responsible for any processing by the sub-processor (art. 28(4));

    • The processor must assist the controller to comply with requests from individuals exercising their rights to access, rectify, erase or object to the processing of their personal data (art. 28(3)(e));

    Also, be aware that it is impossible to be only a processor: if you have employees, you will be a controller with regard to the data of your employees, and the same goes for the data collected via your website (if you have one).
  • Performing risk assessment


    My reasoning is based on the understanding that risks from a risk assessment (where assets and their associated threats and vulnerabilities are defined and evaluated) are then treated by controls. Therefore, Annex A is a collection of controls used to treat risks associated with certain assets.

    As an exercise to improve my understanding, I have tried to link the Annex A controls back to assets but I’m finding that a bit challenging. For example, what asset(s) would be tied to control A.5.1.1 (“A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.”)? Working backwards using an Asset, Threat, Vulnerability approach, I came up with:

    Control: A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.

    What vulnerabilities would warrant such a control? Lack of or unclear policy. Lack of support for the policy by management. Lack of awareness of the policy among employees and relevant external parties.

    What is the threat? Lack of management direction and support. What asset? Any information security asset with risks controlled by Policy.

    Could you give some advice on how you see the Annex A controls relating back to assets in need of protection?

    Answer: First, it is important to note that for ISO 27001 the final purpose of risk assessment and treatment is to protect information and related assets, not to implement controls (for risk treatment, control implementation is only one available alternative), so working backwards on the asset-threats-vulnerabilities methodology, by identifying which assets can be tracked to controls from ISO 27001, is non-productive work that should be avoided (this approach will definitely not work on an implementation project).

    Working this way, you will be involved in an effort to identify assets for controls that you may not even need to implement, because there will be no relevant risks or legal requirements demanding their implementation, spending time and resources.

    So, you should focus on first identifying information and assets your organization deems important to protect, and then go for identification of controls to treat relevant risk.

    Considering that, risks you can relate to control A.5.1.1 involve assets vulnerable to user error or improper behavior due to unclear or nonexistent rules or guidance (as you can see, a lot of assets can be included in this scenario, so the best approach is for you to identify which ones exist in your ISMS scope).

    This article will provide you with further explanation about performing asset-threat-vulnerability risk assessment:
    - ISO 27001 risk assessment: How to match assets, threats and vulnerabilities - https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

    These materials will also help you:
    - Diagram of ISO 27001:2013 Risk Assessment and Treatment process - https://info.advisera.com/27001academy/free-download/diagram-of-iso-270012013-risk-assessment-and-treatment-process
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] - https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
    - Book ISO 27001 Risk Management in Plain English - https://advisera.com/books/iso-27001-annex-controls-plain-english/
  • Implementing regulatory requirements against cyber-threats


    Answer:

    When implementing regulatory requirements, the overall points you must focus on are:
    - identification of which requirements you must comply with, so you can map requirements that must be fulfilled, related cyber-threats, and required controls (this will save you time, effort and costs).
    - prioritization of requirements implementation, considering related cyber-threats, needed resources and impacts of noncompliance.
    - records you need to gather to evidence that the requirements are fulfilled.

    This article will provide you with further explanation about controls implementation:
    - 8 criteria to decide which ISO 27001 policies and procedures to write - https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
  • Mandatory and non-mandatory documents


    Answer:

    In the ISO world, mandatory requirements/documents are related to the words “must” or “shall”, while non-mandatory requirements/documents are related to the words “may” or “should”. Documents and records mandatory to fulfill clauses from the main sections of the standard (sections 4 to 10) are:
    - Scope of the ISMS (clause 4.3)
    - Information security policy and objectives (clauses 5.2 and 6.2)
    - Risk assessment and risk treatment methodology (clause 6.1.2)
    - Statement of Applicability (clause 6.1.3 d)
    - Risk treatment plan (clauses 6.1.3 e and 6.2)
    - Risk assessment report (clause 8.2)
    - Records of training, skills, experience and qualifications (clause 7.2)
    - Monitoring and measurement results (clause 9.1)
    - Internal audit program (clause 9.2)
    - Results of internal audits (clause 9.2)
    - Results of the management review (clause 9.3)
    - Results of corrective actions (clause 10.1)

    Another situation is that some documents are required to fulfill controls that are mandatory if at least one of these situations happens:
    - There are unacceptable risks that justify the application of the control
    - There are legal requirements (e.g., laws or contract clauses) with which the organization must comply that demand the application of the control
    - There is a top management decision to implement the control, by considering it as good practice.

    If none of the above conditions happen, there is no need to implement a document related to that control.

    Besides the documents to fulfill clauses from the main sections, without a detailed evaluation of an organization, it is not possible to define how many documents an organization would have, and which ones would be an overkill.

    These articles will provide you with further explanation about ISO 27001 documents and selection of controls:
    - List of mandatory documents required by ISO 27001 (2013 revision) - https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    - The basic logic of ISO 27001: How does information security work? - https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    - 8 criteria to decide which ISO 27001 policies and procedures to write - https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/