Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11271 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Keeping information about risks
Answer:
First, remember that ISO 9001:2015 does not make mandatory to keep records about risk determination and classification. Keeping records is an option that organizations can and normally follow.
Your organization can identify a set of situations where risks are determined (for example: during process performance review meetings, after complaints, when starting product or service development projects) and define how risks and opportunities are recorded, evaluated, and by whom.
You can find more information about risk management at:
- How to identify risk significance in ISO 9001:2015 - https://advisera.com/9001academy/blog/2019/01/14/how-to-identify-risk-significance-in-iso-90012015/
- How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
- Free webinar on demand – How to implem ent risk management in ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar/
- Free enroll at ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
Is ISO 13485 applicable to a non-profit organization?
Answer:
In this case, you have to contact the donors ( the companies that donated the medical equipment) to get the ISO 13485 certification from them. -
Risk assessment for ISMS and BCMS
Answer:
Since BIA relates Impact over Time, and RA relates Impact and Likelihood, I'm assuming by your statement that the RA process used for BIA is using a 1-4 scale, and on the RA for the ISMS you are using the 1-5 scale. Considering that, you have two options to consider to have comparable results:
1 - Adopt a single scale for RA process used both for BIA and the ISMS
2 - Uses a constant to convert the risk value used on BIA to ISMS and vice versa
Considering the second alternative, for each risk value found using the scale 1-5 you must multiply it by .8 to find its equivalent risk value when using the 1-4 scale. For the reverse path (i.e., converting the value from 1-4 scale to 1-5 scale), the constant to be used is 1.25.
This article can provide you further information regarding risk assessment and business impact analysis:
- Risk assessment vs. business impact analysis https://advisera.com/27001academy/knowledgebase/risk-assessment-vs-business-impact-analysis/ -
Residual risk
Is it possible NOT to provide employees with laptops and antivirus solutions. Our employees use their own laptops.
Our employees use windows defender. But we can not control if antivirus is on. We can not control if antivirus is updated and scheduled to perform period scans. So, we do not have any control and evidence. What are the options for us?
Answer:
ISO 27001 does not specify who should be the owner of the laptops or which kind of anti-virus software you should use - key point in ISO 27001 is how you deal with risks.
So if your risk assessment says that the risks to those laptops are acceptable even if you do not control the AV software, then you can leave the system as it is; if the risk is not acceptable, then you can require the users to install some kind of AV software where you can control how it operates.
This article will help you more with how to handle risks: The basic logic of ISO 27001: How does information sec urity work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/ -
Document controller
Answer:
If you check ISO 9001:2015, clause 7.5, you will see several times the phrase “the organization shall”. However, the organization does not act as such, someone, a person or a function, has authority or responsibility to control the documented information. So, complying with ISO 9001:2015 clause 5.3, top management shall ensure that the responsibilities and authorities for relevant roles, including documented information control, are assigned.
The following material will provide you information about organizational roles, responsibilities and authorities:
- ISO 9001 – How to document roles and responsibilities according to ISO 9001 - https://advisera.com/9001academy/blog/2018/02/26/how-to-document-roles-and-responsibilities-according-to-iso-9001/
- free online training ISO 9001:2015 Internal Auditor Course
– https://advisera.com/training/ course/iso-90012015-internal-auditor-course/
- book - ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/ -
ISO 9000 vs ISO 9001
Answer:
Since the beginning, since 1987, ISO 9000 and ISO 9001 always existed as separated standards. ISO 9001 includes the requirements associated with a quality management system and is auditable. ISO 9000 includes quality management principles and vocabulary and it is not auditable. So, ISO 9000:2015 still exists and is very useful for implementers.
The following material will provide you information about ISO 9000:
- List of Quality Management Standards and Frameworks - https://advisera.com/9001academy/knowledgebase/list-of-quality-management-standards-and-frameworks/
- ISO 9000 - https://advisera.com/9001academy/knowledgebase/iso-9000/
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
Controller and processor obligations
Answer:
The controller should always have a Data Processing Agreement in place with its processors pursuant to art. 28 of the GDPR. Based on the provisions of art. 28.3 (a) the processor needs to act only on the instructions of the controller.
So if the processor refuses to act based on the instructions of the controller it would be a breach of both the GDPR and the Data Processing Agreement.
If you want to find out more about the obligations of processors under the EU GDPR check out this free EU GDPR Foundation Course (https://advisera.com/training/eu-gdpr-foundations-course//). -
Toolkit content - BYOD policy
1 - List of permitted devices: How detailed must the device be described? Is it enough to specify PC, laptop or mobile phone? Or should the exact type designation be given?
Answer: ISO 27001 does not prescribe detail levels for device description, so you can use detail levels that you consider sufficient to fulfill your needs, so either a general description or the exact type designation are acceptable for ISO 27001.
2 - Can you give me examples of mandatory device settings?
Answer: As examples of mandatory device settings we have:
- Use of screen lock with password
- Device encryption enabled -
ISO 27001 certification
Answer:
The certification is related to the ISMS scope, so if the scope covers all organization, then certification goes to both units in USA and Russia. If the ISMS scope covers only the tech team and their activities, then certification goes to Russia, and if the ISMS scope covers only the headquarters, then certification goes to USA.
These articles will provide you further explanation about scope definition:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/