  • Toolkit content


    1. 'Security Procedures for IT Department'. XXXX is an IT company, which means there is no specific IT department. Is it still obligatory for us to make this document?

    Answer: First, it is important to understand that this document is intended for the "department" that runs the IT systems that support the organization's business. In your case this document would be intended for the area that runs your internal IT systems, but it could also be applied to IT processes you run for your customers.

    Second, this document is mandatory only if the ISO 27001 Annex A controls it covers are required by your business, considering that:
    - There are risks identified as unacceptable in the risk assessment that require the implementation of controls covered by this document
    - There are legal requirements (e.g., contracts, laws, and regulations) that require the implementation of the controls covered by this document
    - There is a top management decision requiring the implementation of the controls covered by this document

    If none of these options occur for the controls related to this document, there is no need to implement this document.

    This article will provide you with further explanation about selecting controls:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    2. Risk Treatment Table: Regarding the zeros in the last column (which is Risk), are these put there as an example?
    Answer: The zero is the result of the formula used to calculate risk (consequence plus likelihood, in columns L and M respectively); in the template it is zero because the template is empty. Included in the toolkit you have access to a video tutorial that will guide you in filling the Risk Treatment Table with real data.

    3. Statement of Applicability: Aren't we supposed to tick the controls which are mandatory for ISO 27001 (the ones affiliated with the documentation in your PDF, ex. Statement of Acceptance of ISMS Documents is mandatory, so A.7.1.2 is applicable) ?

    Answer: The Statement of Applicability goes beyond ticking applicable controls, because you also have to document the justification to apply, or not to apply, a control from Annex A, and the implementation status of each control. Additionally, considering your example, it is in fact the other way around (i.e., because A.7.1.2 is applicable, the Statement of Acceptance of ISMS Documents is mandatory).

    This article can provide you with further information about the SoA:
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

    4. Validity and document management (which is at the bottom of nearly each document): required or not? If it is required, may we present it in a different way (e.g., in a table)?
    Answer: Validity helps fulfill requirements regarding clause 7.5.2 Creating and updating documented information, while document management helps to identify and control records related to the document, fulfilling clause 7.5.3 Control of documented information. Since ISO 27001 does not prescribe how to present this information, you can use any presentation that you see as best for your organization.

    These materials can provide you with further information about document management:
    - Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2021/06/27/how-to-manage-documents-according-to-iso-27001-and-iso-22301/
    - Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/

    5. Confidentiality Statement. Is the Policy for Handling Classified Information the same Policy as the Information Classification Policy? I could not find this in the toolkit.

    Answer: These are the old and new names for the same policy, which covers both the information classification process and the handling of classified information.

    This article will provide you with further explanation about information classification:
    - Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
  • Frequency of calibrations


    Answer:

    To establish the calibration frequency, your organization must take into account the manufacturer's recommendations as well as other considerations based on the characteristics of the equipment. These considerations relate to the results obtained over time and to the information the company has about the equipment.

    However, if your organization is a laboratory, it is very common for there to be specific legislation or regulation that indicates how often the equipment has to be calibrated.

    For more information, you can see these materials:
    - Article https://advisera.com/9001academy/blog/2014/05/06/monitoring-measurement-equipment-control/
    - Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free online course - ISO 9001:2015 Foundations: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
  • Reviewing documentation


    Answer:
    Since ISO 9001:2015 does not mention a "mission statement", I believe you are really referring to the quality policy. There is no requirement for a quality policy updating frequency. Your organization should evaluate, for example at management review, whether the current policy is still useful or should be updated.

    “2. The same question for ISO 9001:2015 needs and expectations of the interested parties: how often does it have to be updated?”

    Answer:
    There is no requirement for an updating frequency for the needs and expectations of the interested parties. Your organization should monitor and evaluate whether there is a need to update who those interested parties are and what their needs and expectations are.

    “3. Is there any other ISO 9001:2015 documentation that does have lifespan limitations?”

    Answer:
    There are no lifespan limitations as far as ISO 9001:2015 documentation is concerned. There may be lifespan limitations as a result of regulation or legislation, but not because of ISO 9001:2015.

    Be aware that the word “review” in ISO 9001:2015 does not necessarily mean updating a document or something similar. Review means “critical analysis”. For example, your organization should make a critical analysis of its quality policy and evaluate whether it is still current or needs some change.

    The following material will provide you with more information:
    - ISO 9001 – How to set up document approval/withdrawal within your QMS based on ISO 9001:2015 - https://advisera.com/9001academy/blog/2016/04/12/how-to-set-up-document-approvalwithdrawal-within-your-qms-based-on-iso-90012015/
    - You can enroll for free at ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/
  • Evidencing version control


    Answer: No, a version number does not have to remain on the actual document.

    2. Does a version number have to be on the documents at all as long as you have version history showing under the Standard Documents under your QMS?

    Answer: No, please check ISO 9001:2015 clause 7.5.3.2 c) about version control. You need to figure out how you will identify documents so that the people who need to use them know there is a change, and ensure that if a user has two versions of a document, they know which is the latest version to use. So, how does your QMS guarantee that users are aware that they are using the latest version? Some organizations use a date instead of a version number, others use a name, and others only control digital versions; whenever a document is printed, it carries a warning to users saying that documentation on paper is not controlled.

    The following material will provide you with more information:
    ISO 9001 – Some Tips to make Document Control more useful for your QMS - https://advisera.com/9001academy/blog/2014/05/20/tips-make-document-control-useful-qms/
    You can enroll for free at ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Design Control Documents


    Answer:

    For the design control document, we do have one available on hand: https://advisera.com/13485academy/documentation/procedure-for-design-and-development-iso-13485-2016/ .

    Concerning the user requirements, you should think about the roles of each function in the company with respect to design and development. Some examples of inputs could be intended application, usability requirements, risk control, etc. For outputs, you should factor in raw materials, manufacturing processes, and quality assurance.

    For more information, please refer to:
    - How to manage design and development of medical devices according to ISO 13485:2016: https://advisera.com/13485academy/blog/2017/08/24/how-to-manage-design-and-development-of-medical-devices-according-to-iso-134852016/
  • Defining the vision of a company


    Answer:
    A vision statement is future-based, and its purpose is to inspire and give direction to employees. Your company is on a journey to become what? If everything goes well, what kind of company do you want to become as a whole? When I help organizations define their vision, I invite people to think about what would make them proud of working for that organization or owning that organization. Don’t think about what needs to be done (that is strategy); instead, time travel to the future and describe what you see there. What kind of work does it do, for what kind of clients does it work, how is it known, why is it praised, why does it make a difference? Keep it short, simple, and focused so that it is of help and motivation.

    The following material will provide you with more information:
    - ISO 9001 – Aligning quality objectives of the QMS with the strategic direction of the company - https://advisera.com/9001academy/blog/2017/03/07/aligning-quality-objectives-of-the-qms-with-the-strategic-direction-of-the-company/
    - To what extent should top management be involved in your QMS? - https://advisera.com/9001academy/blog/2016/11/22/to-what-extent-should-top-management-be-involved-in-your-qms/
    - You can enroll for free at ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Changes in the Organization Chart


    Answer:
    Yes, you can. Later, when the certification body schedules the next surveillance audit with your organization, you can send them a new version of the organization chart.

    The following material will provide you with more information:
    ISO 9001 – What is an ISO 9001 surveillance audit? - https://advisera.com/9001academy/blog/2016/10/18/what-is-an-iso-9001-surveillance-audit/
    Surveillance visits vs. certification audits - https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/
    You can enroll for free at ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Becoming technical writer


    Answer:

    For jobs writing BC and DR documentation, I suggest you consult this list from DRJ (Disaster Recovery Journal): https://www.drj.com/business-continuity-consultants/all.html

    Additionally, if you want to participate as a contributor to the 27001 and 22301 standards, you have to contact the standardization body of your country to verify whether it has working groups related to these standards, and submit your resume.
  • Lead Auditor certification renew


    Answer:

    To renew your certification you have two options:
    1 - Consult your certification issuer, or another accredited training provider, to verify whether they provide an update course related to your lead auditor certification. Normally these courses are available after a new version of a standard is released. Such courses present to auditors what has changed in the new version of the standard, and can be used to renew a certificate.
    2 - Take a full course and retake the exam. Here you can have access to the accredited Lead Auditor course provided by Advisera: https://advisera.com/training/iso-27001-lead-auditor-course/

    It is important to note that, in order to become an auditor for a certification body, you have to renew your certificate before the three-year validity period of the lead auditor certificate expires.