Search results

Home / Search

Category:
Select
Select

11269 results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Intellectual property rights


    A) This is the document which is stipulating the requirement: It is being divided in different 'rights' so to say: Patents, Brands, Copyrights, etc. (Copyrights would be the 'Requirement' so to say)

    Answer: Your assumption is correct when you say that "Intellectuele eigendomsrechten" is the document stipulating the requirement. Patents, Brands, and Copyrights are not about requirements yet, because they not define what you must accomplish.

    As an example of requirement for copyright you may have something like "the organization must ensure the use of licensed software", because in this case it is clear what you must accomplish in terms of information security.

    B) The intellectual property rights law (the requirement) is a part of Economic Law Code (document stipulating the requirement) Which one do you think is more suitable?

    Answer: First it is important to understand that both are documents stipulating the requirement (only the Economic Law Code is a higher level document, embracing the intellectual property rights law). Regarding which one is more suitable, you should use the law which is more concrete on what needs to be done - therefore, it is probably your national law.

    c) One more question regarding this document: As for the regulation of cryptographic controls, we do not have a specific law for cryptography. However, cryptography is being used in the GDPR as you've mentioned a couple of days ago. Does this mean that the control A.18.1.5 is applicable?

    Answer: If the use of cryptography helps your organization to comply with GDPR , then controls A.18.1.5 is applicable.

  • Clause 8.3, documented information and risks

    1) where clause 8.3 applicable?
    2) how do you diifferentiate between documented info and documents
    3) do you give eg. Of risk and opportunity register of QMS? There is confusion. People are mixing environmental aspects in qms risk register. So pls differentiate iso 9001 and 14001 by risk and opportunity.

    Response:

    1) It is applicable when the company conducts any design or development process within the scope of the organization.

    For more information about clause 8.3, you can see this article:
    - What clauses can be excluded in ISO 9001:2015: https://advisera.com/9001academy/blog/2015/07/07/what-clauses-can-be-excluded-in-iso-90012015/2015/

    2) Documented information is referred to all documents. According to ISO 9001:2015 documented information can be mantained, commonly known as procedures or documented information can be retained, commonly known as records.

    To learn more about document and record control, see this article:
    - New approach to document and record control in ISO 9001:2015 : https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/

    3) Risks and opportunities in ISO 9001 are related to customer satisfaction while risks and opportunities in ISO 14001 are related to the protection of the environment, i.e. environmental aspects. For instance a risk in ISO 9001 can be a short assemblig capacity in a manufacturing company, while a risk in ISO 14001 in the same manufacturing company can be wrongdoing in waste classification.

    For more information about risks and opportunities in ISO 9001:2015, see these articles:
    - How to address risks and opportunities in ISO 9001: https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    - How to identify risk significance in ISO 9001:2015: https://advisera.com/9001academy/blog/2019/01/14/how-to-identify-risk-significance-in-iso-90012015/

    These materials can also help you with IS 9001 requirements:
    - Book – Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free on-line training – ISO 9001:2015 Foundations: https://advisera.com/training/iso-9001-foundations-course/

  • Updating risk management process


    Response:

    There is a requirement in Clause 10.2.1 that requires to consider the validity of the risks and opportunities assesment and update it when a nonconformity occurs. Also you can consider to update the procedure when a relevant change happens within the scope of the QMS, e.g. change in technology

    Usually the process of risk evaluation is performed once a year, but there is not a mandatory requirement about this in ISO 9001:2015. It corresponds to the organization to determine the frequency of updating this process according to its needs

    To learn more about risk management in ISO 9001:2015, see these materials:
    - Article - How to address risks and opportunities in ISO 9001: https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    - Article - How to identify risk significance in ISO 9001:2015: https://advisera.com/9001academy/blog/2019/01/14/how-to-identify-risk-significance-in-iso-90012015/
    - Book – Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free on-line training – ISO 9001:2015 Foundations: https://advisera.com/training/iso-9001-foundations-course/

  • Changes & exclusions in ISO 9001

    2)is design and development of product and services applicable for production dept?

    Response:
    1) Clause 6.3 Planning of changes - ISO 9001 requires the organization to carry out changes in the QMS in a planned maner when it is determined the need of changes.

    Having a plan include tasks, deadlines, responsibilities, resources, needed information, etc.)

    Clause 8.5.6 - Control of changes - ISO 9001 requires the organization to review and control changes for products/service provision, to the extent necessary to ensure continuing conformity with requirements. Therefore it is necessary to stablish a process to manage changes, i.e. to review , approve and communicate that adequately changes have been implemented effectively. Also changes should be validated in order to not affect the QMS.

    Basically clause 6.3 is referred to planning while clause 8.5.6 is referred to stablishing controls

    Examples include : change in a process, change in exte rnal providers, changes in developing documented information, etc.

    For more information about changes in ISO 9001:2015, see this article:

    - QMS change management in 7 steps: https://advisera.com/9001academy/blog/2016/11/29/qms-change-management-in-7-steps/

    2) If you conduct in the Production Department some kind of Design and Development then requirements of clause 8.3.1 &8.3.2 apply. For example if your organization only accepts customer’s designs for manufacture then you can exclude this requirement from the scope of your ISO 9001.

    For more information about design and development in ISO 9001:2015, see this article:
    https://advisera.com/9001academy/blog/2015/07/07/what-clauses-can-be-excluded-in-iso-90012015/2015/

    Also these materials can help you to understand ISO 9001:2015 requirements:
    - Book – Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free on-line training – ISO 9001:2015 Foundations: https://advisera.com/training/iso-9001-foundations-course/

  • Policies levels


    Answer:

    High level polices are documents intended to be used by all organization, while low level policies, most known as operational policies, are intended to be used by specific areas or processes.

    So, an ISMS generally has one Information Security Policy, providing high level guidance on how to implement and manage information security as a whole, and several security policies for different aspects of operation, like the Access Control Policy, Backup Policy, Development Policy, etc. Legal requirements your organization must comply with and the results of risk assessment are the bases to identify which polices you need to implement.

    These materials will provide you further explanation about policies implementation:
    - 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
    - One Information Security Policy, or several policies? https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/
    - How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
    - ISO 27001:2013 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

  • Validity of a LA certificate


    Answer:

    The validity of a LA certificate refers to the period of time by which the certificate can be accepted as part of the process to become a certification auditor working for a certification body. For other purposes the LA certificate is valid as long as the version of the standard to which it refers is current. Considering that, if you are not going to apply for a certification auditor job you do not need to go for a LA course.

    Also, since the standard version has not changed yet, there is no need to go for a LA course.

  • Integrating ISO 18788 with other management systems


    Answer:
    The ISO 18788 management system standard for private security operations can easily be integrated with other ISO standards because it follows the same format. This means that there are many common requirements (which have the same clause numbers in all the standards) such as the context of the organization and interested parties, leadership, planning (including risk and opportunities) and legal requirements, support processes (competence, awareness, communication and documented information), performance evaluation (including internal audit and management review) and improvement (including corrective actions).
    The way you integrate these systems is to ensure that the common processes mentioned above include all the aspects from the different management systems. For instance, you will need to identify legal requirements for environment (ISO 14001), OH&S (ISO 45001), and Security (ISO 18788) but you can use the same pro cess for identification and management of legal compliance. You will also need to ensure that processes like internal audit and management review include all of the processes from all management systems.
    Finally, you will need to ensure that anything particular to ISO 18788 is included in the integrated management system if there is not an existing process. Most of these unique requirements are in section 8, Operations.
    For more information on integrating management systems, see the free whitepaper: How to integrate ISO 9001, ISO 14001 and ISO 45001, https://info.advisera.com/9001academy/free-download/how-to-integrate-iso-9001-iso-14001-and-iso-45001

  • A.13 security controls from ISO 27001 Annex A


    Answer:

    A.13.1 refers to a subsection of ISO 27001 Annex A, which have three controls, A.13.1.1, A.13.1.2, and A.13.1.3.
    Control A.13.1.1 is related to the general need to manage and control networks, by definition of responsibilities and procedures, as well as by implementation of practices and technologies.

    Control A.13.1.2 refers to the need to identify and document applied security controls and service levels, as well as the need to periodically monitor network security performance.

    These articles will provide you further explanation about network security:
    - How to manage network security according to ISO 27001 A.13.1 https://advisera.com/27001academy/blog/2016/06/27/how-to-manage-network-security-according-to-iso-27001-a-13-1/
    - Using Intrusion Detection Systems and Honeypots to comply with ISO 27001 A.13.1.1 network controls https://advisera.com/27001academy/blog/2016/07/04/using-intrusion-detection-systems-and-honeypots-to-comply-with-iso-27001-a-13-1-1-network-controls/
    - How to manage the security of network services according to ISO 27001 A.13.1.2 https://advisera.com/27001academy/blog/2017/02/13/how-to-manage-the-security-of-network-services-according-to-iso-27001-a-13-1-2/

    This material will also help you regarding network security:
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

  • How contractors can help implement the OHSMS


    Answer:
    While it can be helpful to get some of this information from the contractors who are currently doing work, it is important to remember that this will not be the OHSMS of the contractor, but needs to be fully applicable to the company. For instance, it would be unreasonable for the contractors to be able to tell you the interested parties for your company, or to tell you what your OH&S policy should be. That being said, some of the clauses where the contractors might give valuable information would include:
    4.2 – expectation s of workers (since the contractors are currently the workers)
    6.1.2.1 - Hazard identification (for the processes that the contractors are using)
    6.1.3 – Legal requirements (the contractors should know the legal requirements of the processes they perform)
    7.2 – Competence (again, the competence requirements for the processes the contractors do)
    8.1.2 – Eliminating hazards (for the processes the contractors perform hey may have some ideas)
    8.2 – Emergency preparedness (the contractors may have plans in place for common potential emergencies that they can share)

    For help in understanding the ISO 45001 requirements, check out this free whitepaper: Clause-by-clause explanation of ISO 45001:2018, https://info.advisera.com/45001academy/free-download/clause-by-clause-explanation-of-iso-45001

  • Service Owner


    Answer:
    Service owner is someone accountable for the service throughout it's lifecycle. That includes defining requirements with the customer (together with Business Relationship Manager), design and transition inside the organization as well as maintenance and improvement.

    These articles can help you further:
    "Service Catalogue – Defining the service" https://advisera.com/20000academy/blog/2014/03/11/service-catalogue-defining-service/
    "Service Catalogue – a window to the world" https://advisera.com/20000academy/blog/2013/03/19/service-catalogue-window-world/
    Also, there is free webinar on this topic as well: "ITIL Service Catalogue from scratch " https://advisera.com/20000academy/webinar/itil-service-catalogue-from-scratch-free-webinar/
Page 574-vs-13485 of 1127 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +