You can use this link to enter your profile, and we will find the certification body that best fits your needs.
Regarding QAS, it is our policy not to issue opinions about specific organizations.
Subcontractor evaluation, selection or termination
Answer:
There is no universal formal process for dealing with subcontractor evaluation, selection or termination. Each organization has to design its own process as long as it is useful and effective.
I like to start my conversation with organizations with this drawing:
Can your organization work with all subcontractors? Does your organization have some basic requirements? For example, subcontractors must:
- Be ISO 9001 certified;
- Have certain kinds of machines;
- Have certain kinds of experienced workers;
- Have a production capacity above a certain level.
After that evaluation, subcontractors that passed belong to a pool of approved subcontractors.
When your organization has a specific order that must be fulfilled, it checks the pool of approved subcontractors and requests quotations from two or three. As approved subcontractors, they have enough quality. Now, what is relevant is knowing who has the best price, who is available, and who can deliver on time.
Subcontractors have worked for your organization. It is important, from time to time, to evaluate actual performance to check whether the initial evaluation was a good predictor of performance, to find out whether any of the subcontractors should invest more in improving performance, and whether any of the subcontractors, due to bad performance, is really not a good partner for your organization.
Answer:
ISO 14001:2015 does not require an EMS manual. So, this is great news, you are free to design the content of your EMS manual. I like to consider an EMS Manual as a kind of ID card: Who are we? What do we do? How do we interact with the environment? What are our environmental priorities? How do we work in our EMS? What is the scope of our EMS?
The EU GDPR is the most complex piece of regulation to date and one of the few that have extraterritorial reach. The requirements for both controllers and processors go beyond other pieces of legislation across the world. Also, the fines, which can go up to 4% of a company's turnover, are among the heftiest out there.
2. Others you are familiar with that are tough?
Answer:
The only one that I can think of, because it is similar to the GDPR, is the California Consumer Privacy Act (CCPA) – a first-of-its-kind US law – which was passed in California in 2018 and takes effect January 1, 2020.
3. Any multi-country comparison doc or docs on the web you have come across?
The EU GDPR does not refer to decommissioning of IT systems or assets. It refers to what is called data retention, meaning that personal data should not be kept for longer than necessary to fulfill the purpose for which it was collected, regardless of how and where the data is stored.
Objective evidence to demonstrate leadership can be collected through interviews, observations, and documented information.
For example:
- Item a) during interviews with top management, there must be consistency between the information provided by management and other evidence, the actual practices and conduct of the company, and the documented information.
- Item h) top management participating in communication related to the management system as well as in any awareness events that are held; ensuring that the QMS is integrated into the company's management system; ensuring that the necessary actions are taken when there is a gap between desired and actual performance.
- Item i) ensuring that top management provides sufficient resources for the continual improvement of the QMS as well as for the operation of its processes.
Answer:
Normally, ISO certification is a requirement from clients; it can also be a requirement in certain regulated economic activities. For example, presently I'm working with a company that has to be certified in order to be able to enter a more attractive part of the electrical construction market.
Potential benefits from implementing an ISO 9001 QMS can be:
- Improvement of your credibility and image.
- Cutting business maintenance costs.
- Improvement of customer satisfaction.
- Better process integration.
- Improved evidence for decision making.
- Creation of a continual improvement culture.
- Engagement of employees.
Answer: I'm assuming you are referring to the European 2017 revision of ISO/IEC 27001. Considering that this is a European version of ISO 27001, with minor adjustments that do not affect an ISMS based on ISO 27001:2013, there are no corrections needed on documents from the toolkits.
2. Also, regarding the risk assessment and treatment, shouldn't they be signed by the risk owner and others? Please advise, or any recommendation on who shall sign?
Answer: The residual risks, the final result of the risk assessment and treatment process, must be accepted and signed either by risk owners or by top management on their behalf. What normally happens is that top management formally accepts residual risks and only consults risk owners in situations where the residual risk is not clear enough and requires clarification (e.g., when a residual risk has a high value and the treatment option chosen was to accept the risk).
3. And also, in case the organization has an ERM section or department, how will it be handled? Shall the information security department ignore ERM and follow this methodology? Keep in mind the organization is adopting ISO 31000 and the framework is defined; is it better to refer to them?
Answer: First, it is important to note that ISO 27001 does not prescribe a risk assessment and treatment methodology, so an organization can adopt the methodology that best suits its needs. Additionally, the standard provides a note informing that its requirements align with the principles and generic guidelines provided in ISO 31000, so you can adopt the methodology used by the ERM section, considering only minor adjustments for it to cover relevant aspects of information security.
If this activity is considered critical to the business, and its disruption for a certain amount of time can make the business unrecoverable, then you must include it in the BC. The difference between this activity and the others is that while for other activities you may have to consider recovery on a daily time frame (i.e., the activity will be required the next day), for this specific activity you have to consider a weekly time frame for recovery (if not recovered on Monday/Tuesday, the activity will be required only in the next week). In both cases you have to consider the worst-case scenario, i.e., that the disruption occurs at the worst possible moment.