
  • Confidentiality levels


    ISMS Scope Document: Public (As customers might have to know for what you are certified) ?
    Information Security Policy: Public
    Inventory of Assets: Restricted
    Security Procedures for IT Department: Internal
    IT Security Policy: Internal
    Password Policy: Internal
    Access Control Policy: Internal
    Mobile Device & Teleworking Policy: Internal
    Bring Your Own Device Policy: Internal
    Incident management procedure: Internal
    Statement of Acceptance of ISMS Documents: Internal
    NDA for Suppliers: Restricted
    NDA for Employees: Restricted
    Security Clauses for Suppliers and Partners: Internal
    Information Classification Policy: Internal
    Competence (document describing what your profile and responsibilities must be as a potential employee): Public
    Internal Audit Report: Internal
    Internal Audit Checklist: Internal
    Training and Awareness Plan: Internal
    Results of access rights review: Internal
    Results of the management review / Management Review Minutes: Restricted
    Incident Log: Internal
    Measurement Report: Internal
    Records of monitoring and reviewing suppliers and partners: Internal
    Erasure & destruction records: Internal
    Records of testing backup copies: Internal
    List of Legal, Regulatory, Contractual and Other Requirements: Internal
    Corrective Action Form: Restricted

    Answer:

    The confidentiality level of a particular document is directly related to the potential damage if that document leaks to unauthorized persons. Therefore, I cannot provide you concrete feedback because I do not know what your risk assessment results are.

    For example, if the NDA for suppliers contains no sensitive information then it could be classified as Public, but if it contains highly sensitive information then it should be classified as Restricted.

    See also this article: Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
  • Environmental aspects versus environmental impacts


    Answer:
    Look at the example below.

    https://www.screencast.com/t/B9r5RcjuYH

    At the maintenance warehouse, lubricating oils are handled to apply in preventive maintenance activities. Because people handle lubricating oils there is the possibility of spillages or leakages. If a spillage or leakage occurs, there is the possibility of contamination of soil or water.

    The potential spillage or leakage is an environmental aspect, an element of an organization’s products, services and activities which can interact with the environment. Other examples of environmental aspects are discharges to water, emissions to air, use of natural resources and materials, or generation of wastes. Environmental impacts are the consequences of the environmental aspects.
    In the example above, the environmental aspect is permanent, but the environmental impact depends on the context, i.e. on the use of preventive and responsive measures.

    The following material will provide you information about assessment of environmental interactions:
    - ISO 14001 – 4 steps in identification and evaluation of environmental aspects - https://advisera.com/14001academy/knowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/
    - List of ISO 14001 implementation steps - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/list-of-iso-14001-implementation-steps/
    - free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • ISO 45001:2018 Opportunity determination and assessment

    The idea of the entire clause 6.1 is to assess the hazards, identify the risks associated with the hazards (OH&S risks) as well as other strategic risks that could affect the OHSMS. Then you identify OH&S opportunities that could help with the hazards, as well as other strategic opportunities for the OHSMS. Following this, you identify the legal requirements that could affect your OH&S and then plan to address all the previous items. This planning will include the controls needed for the hazards, and this is where the hierarchy of controls in section 8 is planned.

    As for the risk assessment process, ISO 45001 does not dictate how this is done, as it may differ from industry to industry and from location to location in the world. Where you don’t have a direct legal requirement on how to assess risks, you can certainly use ISO 31000 if you wish.


    You can learn how the process works in the article: The basics of ISO 45001 hazards, risks, and opportunities, https://advisera.com/45001academy/blog/2021/02/22/the-basics-of-iso-45001-hazards-risks-and-opportunities/

  • Can ISO 45001 have a global scope?

    Q1. The client doesn't want us to make any other policy than the global policy. Do we have to create our own QHSE policy stipulating that the scope of the COO is within the warehouse operation, even if the signatories represent the site only?

    Answer:
    The ISO 45001:2018 standard does not make a specific statement about how you write your policy, so it is acceptable to have one global policy that is applicable to your organization. The important thing is that you use the policy to guide your management system, as it is intended to be the overall focus for the company.
    To better understand the requirements of the ISO 45001:2018 standard, see this free whitepaper: Clause-by-clause explanation of ISO 45001:2018, https://info.advisera.com/45001academy/free-download/clause-by-clause-explanation-of-iso-45001
  • What form of signature does ISO 13485 accept

    Yes, it can. 

  • Applicability of ISO procedures


    Answer:

    If you want to find out whether the employees are complying with the written rules, you have to find some evidence of what they are doing - for example, if your Backup Policy defines that the backup needs to be performed every 6 hours, then you have to look at the backup logs and see how often the backup is actually made.

    The best method to verify whether something is done is through an internal audit - here you will find a free online training to learn auditing techniques: ISO 27001 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
  • ISO 27017/27018 controls


    Answer:

    The best way to see which controls are specific for ISO 27017 and ISO 27018 is to open a template Statement of Applicability (folder 06 Applicability of Controls in the ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit), and scroll to sections "3.2. ISO 27017 specific controls cloud services" and "3.3. ISO 27018 specific controls for processing Personally Identifiable Information (PII)" - there you will see controls from both of these standards.

    To see which of the controls is covered in which of the templates in the toolkit, open the "List of documents" (a PDF document located in the root folder of the toolkit) - in the column "Relevant clauses in the standard" you will find the necessary information.
  • Reporting in the toolkit


    Answer:
    Reporting is related to all processes in the toolkit. Therefore, within the scope of every process document there is a section "Measurement and metrics" where reporting is defined, together with the metrics that will be reported.
    This article can help you also: "Service Reporting: get the picture, big and small" https://advisera.com/20000academy/blog/2013/09/16/service-reporting-get-picture-big-small/
  • How to Monitor/Update the Risks in Risk Register?

    Here are the answers:
    1) ISO 27001 does not prescribe how to version your risk register - therefore, you can use a new version number and/or you can simply use a date to define the latest version.
    2) You should keep all your risks in the risk register, even if they have been mitigated - of course, this means that the risk level for such risks will be lower.
    3) You should definitely add new risks; you should retain “old” risks if they still exist, however you need to assess their likelihood and impact again.
    4) You should update your risk register at least once a year, but also more often if there is some big change - e.g. new product, new technology, new process, change in the environment, etc.
  • ISO 27002


    Answer:

    If you're looking for a detailed description of each control, the best way is to purchase the ISO 27002 standard; you can find it here: https://www.iso.org/standard/54533.html

    This article might also help you: ISO 27001 vs ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
