Answer:
ISO 9001:2015 does not mention audit findings categorization. ISO 19011:2018 in clause 6.4.8 states that nonconformities can be classified according to the context of the organization and its risks. This classification can be quantitative (e.g. 1 to 5) or qualitative (e.g. minor, major). Grading nonconformities (as separate categories) is generally used only in certification audits (not so often in internal audits).
About your concerns with subjectivity, remember that this grading is based on the auditor’s judgment and experience.
Minor nonconformity – a nonconformity that does not affect the capability of the management system to achieve the intended results.
Major nonconformity – a nonconformity that affects the capability of the management system to achieve the intended results. For example, if the company completely failed to fulfill a certain requirement; if a process has completely fallen apart; or if you have several minor nonconformities that are related to the same process or to the same element of your management system.
Answer: You can describe only services in your scope, but it is not recommended, since services are delivered by processes, and you cannot define a location in the scope without considering the processes related to the services. For example, in your case, the central processing of a service is performed in the datacenter, while employees interact with the service in rooms and offices outside the datacenter, and these rooms and offices also must be included as locations in your scope, so that all environments where the service runs are protected by the ISMS.
2. ISMS Scope Document, Locations: The office is in Belgium and the datacenter is in The Netherlands. Is this a fine way how to write how they are separated?
Answer: If only your datacenter is in the scope, there is no need to include the location of the office. You must specify the means of separation only when elements that are inside and outside of the scope are in the same location (for example, the datacenter is in the same building but is located on a separate floor).
3. Which fields are obligatory in the Risk Treatment Plan?
Answer: ISO 27001 does not prescribe the content of a risk treatment plan, but all fields defined in the Risk Treatment Plan template must be filled, because they will help you not only to ensure controls are implemented (by means of Description of activities, Responsible person, Start and completion deadlines, and Status), but will also help you evidence fulfillment of the standard's clauses (Necessary financial and other resources for clause 7.1, Training and awareness programs for clause 7.2, and Method for evaluation of results for clause 9.1).
4. Inventory of assets: If we choose not to do asset labeling, then I assume we only have 2 obligatory fields which are Asset Owner and Asset Name right?
Answer: ISO 27001 does not prescribe which details must be listed in the asset inventory, so you can list only the asset name and its owner, but you should also consider filling in the other fields, because they will be useful for managing the assets.
5. A.7.2.3 Disciplinary process: Can this be defined in a really basic way, or do you have any examples of how it could be defined?
Answer: ISO 27001 does not prescribe which details must be included in the disciplinary process, so an organization is free to define it in the way that best suits it (you can use the disciplinary process you already have in your own organization).
6. Training and Awareness Plan: Is reading the established policies also a way of training?
Answer: Reading policies can be considered a way of awareness and training, to ensure a person knows a policy exists and what it is about. But for some policies you also have to consider that the person must practice in order to properly perform what is required by the policy.
It is the company's concern to get the employees to delete their accounts where they have used the work email address. From your perspective, the request must come from the data subject.
Processing special categories of data
Answer:
Depends on what you collect as part of the employment process. Usually for employment purposes, if special category data is collected from the employee, this is because it is a legal requirement usually under either Labor Law or laws related to health and safety in the workplace.
So, I genuinely think that you should rely on legal obligation and not consent for any processing of special category data.
In general, the Chief Risk Officer (CRO) role is to identify, analyze and treat significant risks to business considering its various segments (e.g., quality, legal, financial, environmental, information, etc.). This is an independent role in organizations where there are multiple processes that require risk management and it is necessary to ensure a systemic approach.
So the CRO role in implementation of ISO 27001 is to help identify and analyze (by means of risk assessment), and treat significant risks to business regarding information security.
Since this role is separated in your organization, I understand that it has the prerogative to perform the risk assessment and treatment (the project team implementing ISO 27001 would be a customer of this "service"), to ensure the use of the general approach to risk management adopted by the organization, and the application of a few adjustments where and when necessary.
Regarding the purchase of the ISO 27001 and 22301 Premium Documentation Toolkit, you should consider it only if you intend to also implement ISO 22301 (for the management system for business continuity). The content of ISO 27001 Documentation Toolkit is sufficient to cover the requirements of ISO 27001, including those related to business continuity.
Answer:
First, remember that ISO 9001:2015 does not make it mandatory to keep records about risk determination and classification. Keeping records is an option that organizations can follow, and normally do.
Your organization can identify a set of situations where risks are determined (for example: during process performance review meetings, after complaints, when starting product or service development projects) and define how risks and opportunities are recorded, evaluated, and by whom.
Is ISO 13485 applicable to a non-profit organization?
Answer:
In this case, you have to contact the donors (the companies that donated the medical equipment) to get the ISO 13485 certification from them.
Risk assessment for ISMS and BCMS
Answer:
Since BIA relates Impact over Time, and RA relates Impact and Likelihood, I'm assuming by your statement that the RA process used for BIA is using a 1-4 scale, and on the RA for the ISMS you are using the 1-5 scale. Considering that, you have two options to consider to have comparable results:
1 - Adopt a single scale for the RA process used both for the BIA and the ISMS
2 - Use a constant to convert the risk value used in the BIA to the ISMS and vice versa
Considering the second alternative, for each risk value found using the 1-5 scale you must multiply it by 0.8 to find its equivalent risk value on the 1-4 scale. For the reverse path (i.e., converting the value from the 1-4 scale to the 1-5 scale), the constant to be used is 1.25.