
  • Procedure for document and record control


    Answer:

    ISO 27001 allows you to use Procedure for document and record control in a way that suits you best - if you want it can be applied only to your ISMS, or you can use it for all the documents in your company if you find it useful.

    Learn more here:
    - Document management in ISO 27001 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/
    - Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
  • Management review meeting


    Answer:

    Top management will need to review at least the following inputs during the process of management review:
    - Audit results
    - Customer Feedback
    - Process Performance and product conformity
    - Status of Corrective Actions
    - Follow-up Actions from previous Management Reviews
    - Changes that could affect the Quality Management System
    - Recommendations for Improvement

    Other inputs could be added as desired by the company and also, you can choose how to organize your management review, either through routinely scheduled meetings or through a more continuous review process.

    For more information about management review you can see these materials:
    - Article - How to make management review more useful in your QMS: https://advisera.com/9001academy/blog/2014/01/21/make-management-review-useful-qms/
    - Book – Discover ISO 9001: 2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free on-line training – ISO 9001:2015 Foundations: https://advisera.com/training/iso-9001-foundations-course/
  • Book Secure & Simple


    Answer:

    The book Secure & Simple is not necessary for completing Advisera's ISO 27001 Foundations Course, however if you want to use them both I would suggest you finish the course first, and then start reading the book - this is because the course gives you an excellent overview of the standard, while the book is much more detailed, and gives you more implementation tips.
  • An organization cannot be certified without clients


    Answer:
    An organization cannot be certified without clients. I already worked with a client that could not be certified until the company had clients. Best advice is: please contact your certification body to see how you can manage the situation.

    The following material will provide you information about audits:
    - ISO 9001 – How to prepare your company for the ISO 9001 certification audit - https://advisera.com/9001academy/03/how-to-prepare-your-company-for-the-iso-9001-certification-audit/
    - Free webinar – How to perform an ISO 9001:2015 internal audit - https://advisera.com/9001academy/webinar/how-to-perform-an-iso-9001-2015-internal-audit-free-webinar/
    - book - Preparing for ISO Certification Audit: A Plain English Guide - https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/
  • Subject to GDPR

    Answer:

    All processes that involve the processing of personal data will fall under the EU GDPR.

    To learn more about the EU GDPR check out this EU GDPR Foundations Course; (https://advisera.com/training/eu-gdpr-foundations-course/)
  • Use of electronic signature


    Answer:
    Yes, an organization can use digital/electronic signatures to approve documents rather than handwritten signatures. ISO 9001:2015 and ISO TS 9002:2016 both mention that an organization can use hard copy, electronic or both to provide documented information. Just a warning, certain regulators or official bodies like FDA can request a formal validation of the system for electronic signatures.

    The following material will provide you information about document control:
    - ISO 9001 – How to set up document approval/withdrawal within your QMS based on ISO 9001:2015 - https://advisera.com/9001academy/blog/2016/04/12/how-to-set-up-document-approvalwithdrawal-within-your-qms-based-on-iso-90012015/
    - see this example - What kind of Document Management System (DMS) do you need for handling ISO documents? - https://advisera.com/conformio/blog/2020/08/11/what-kind-of-dms-you-need-for-handling-iso-27001-documents/
    - Should you keep your ISO documents in the cloud or on paper? - https://advisera.com/conformio/
    - book - Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
  • Toolkit content

    1. Attached please see the excel sheet and let me know if you have something like this in the toolkit or if it can be produced?
    Answer: Most of the documents you identified are included in the toolkit (e.g., Information Security Policy, Teleworking Policy, etc.). To see which documents are included in the toolkit, and which clauses of the standard are covered by them, please access the List of documents file on this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

    Regarding other documents not included in the toolkit, you will find a blank template included in it that you can use to develop them. We do not develop customized documents, but also included in the toolkit, depending on the package you choose, you have a limited number of documents you can submit for our review, where we provide you feedback regarding corrections or improvements to be made. You also can count on unlimited support through email, and some hours of face-to-face online meetings, where you can clarify some of your doubts.

    2. What goes in "Justification for"? (please see the png attachment)

    Answer: In the "Justification" column in the Statement of Applicability document you have to fill in why you are or are not using a given control. General justifications for implementing a control are "to treat unacceptable risk XXX", "to fulfill legal requirement from law/regulation/contract YYY", or "implementation required by top management decision". As for justification for not implementing a control, you can state that "there are no unacceptable risks or legal requirements demanding to implement this control".

    This article will provide you further explanation about Statement of Applicability:
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
  • Information classification


    Answer: ISO 27001 does not prescribe which categories to implement, so organizations are free to define the ones that best suit their needs, and these can either be based on legal requirements the organization must comply with (e.g., laws or regulations which define or recommend lists of categories), based on a framework developed by the organization itself, or based on market best practices.

    2. Are there any other categories we can put the information into?

    Answer: Other examples you can find are:
    - Secret and Top secret
    - Unclassified
    - non sensitive

    For further information, see:
    - Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/

    3. How do we really choose which categories we would put our information into?

    Answer: Information is classified according to its value to the organization, and the impact to the organization if the information is compromised, and these are some criteria you can use to evaluate it:
    - cost to replace the information
    - cost to acquire the information
    - loss of market share
    - loss of competitive advantage
  • OHSAS 18001 vs IMS certification


    Answer:
    The integrated management system (IMS) is intended to include more than one management system standard, but which standards are included in your IMS is up to you. For all of the standards that you have included in your IMS, your certification audit should include a certification audit of all the different standards. A certificate should be issued for each standard that is included, since not every IMS includes the same standards (e.g. one IMS may include quality and environmental, another may include quality and OH&S, a third may include IT safety and environmental, etc.)
    So, for your example above, if your IMS included OHSAS 18001 then your IMS audit should have included certification to this standard and you do not need to do it separately. If you are adding an OH&S management system into your IMS where it was not there before, then you will need to do this implementation and then have the certification audit completed for the new OHSMS.
    If you are only now adding an OHSMS, you should really look at the ISO 45001 standard as the OHSAS 18001 standard has been replaced by this new standard and will become obsolete in the near future with companies transitioning over. You do not need to maintain certification to both standards, nor should you.
    For more information on integrating management systems, you can see the free whitepaper: How to integrate ISO 9001, ISO 14001 and ISO 45001, https://info.advisera.com/9001academy/free-download/how-to-integrate-iso-9001-iso-14001-and-iso-45001
  • GDPR data controller or processor

    We've received another question:

    >Thank you, sir, for your prompt reply.
    >My company is planning to move towards the cloud and wants to provide the billing feature as Software As a Service. Will this change my role as a data processor?

    Answer:

    No, this won't change your role as a data processor.