ISO 27031 is a supporting standard to help implement controls from ISO 27001 Annex A section 17, which basically covers continuity of information security and Information and Communication Technologies. Considering that ISO 22301 covers the continuity of business as a whole, ISO 27031 can be seen as a tool to implement the technical part of ISO 22301, so implementing it without ISO 22301 wouldn't be a good approach, because you wouldn't take advantage of the business impact analysis process, which helps optimize the application of resources.
Answer:
First you must consider nonconformities and their classification as major or minor.
Normally, any minor nonconformities found in an audit will need to be addressed within a certain timeline, but the certification can be granted when the corrective action plan is received, and the audit team will follow up at the next surveillance audit by the certification body. Major nonconformities might mean that your certification will not be granted until the corrective action is in place and the certification body auditors come and verify that it is effective. But I agree with you: there is some subjectivity from certification body to certification body.
Answer:
Being ISO 9001 certified is not an alternative to being ISO 27001 certified.
ISO 9001 is a management system standard for the quality management system, and ISO 27001 is a management system standard for information security management system. While ISO 9001 is about customer satisfaction, ISO 27001 is about information risk reduction.
Answer: Besides the reference to the ISO 27001 standard and to the implementation project plan (if such a document exists) that is already included, you have to include references to any laws, regulations or contracts that have clauses that can impact your ISMS (e.g., confidentiality clauses in service level agreements with customers, data protection clauses in laws you are obliged to follow, etc.). For this list you can reference the List of Legal, Regulatory, Contractual and Other Requirements template, which is included in your toolkit in folder 02 Procedure for Identification of Requirements, and include the references to all documents there.
There is no need to include reference to any other document from the toolkit.
2. We have an offshore wholly owned subsidiary in India which operates as a separate legal entity; can we include that in the scope?
Answer: Subsidiaries legally bound to the main organization can be included in the ISMS scope, but you should evaluate whether the effort to maintain two organizations operating in different countries in a single scope is not greater than adopting two separate scopes.
3. During the first audit, the auditor mentioned we needed a 'small scope' that would be printed on the ISO Certificate, which part of the scope is he referring to?
Answer: The auditor is referring to a summary from subsections 3.1 to 3.5 of the ISMS Scope Document (processes and services, organizational units, locations, networks and IT infrastructure and the exclusions of the scope). An example may be:
"The ISMS scope comprises the software development process, performed by our software development department on premises located at address xyz, and the customer support process, performed by our customer relationship department on premises located at address abc."
Data Processing Agreement
Answer:
For the most part, the content of a Data Processing Agreement can be the same, as all such documents are based on the requirements of EU GDPR Article 28 – Processors. However, the scope, purpose and duration, as well as the types and categories of personal data being processed, vary depending on the service.
You can find a suitable template at https://advisera.com/eugdpracademy/documentation/supplier-data-processing-agreement/. The main body of the agreement should be applicable across the board to all services, and Annex 1 should be filled in with the details related to the scope, purpose, categories of data and duration of the processing.
GDPR Supervisory Authority in Africa
Answer:
Based on your description, it doesn't seem that the EU GDPR is applicable to you as you don't process personal data of data subjects in the EU. If you want to find out more about the EU GDPR, check out our free EU GDPR Foundations Course (https://advisera.com/training/eu-gdpr-foundations-course//).
Filling SoA
Answer:
To perform the identification of applicable controls for the Statement of Applicability you need to consider:
- The results of risk assessment (risks identified as unacceptable will require the implementation of controls)
- Contracts, laws, regulations and other legal requirements that demand the implementation of controls (e.g., performance levels in Service Level Agreements, data protection under GDPR, etc.)
- Top management decisions about controls to be implemented that are not related to the previous reasons (e.g., because top management considers them good market practices)
Answer:
We do not have an Excel checklist for gap analysis, but we do have an online tool to help with this assessment. As you have stated, it is designed to ask in a simple manner what parts of the ISO 45001:2018 requirements are already in place so that you can assess how much there is left to do.
To find this online ISO 45001 Gap Analysis Tool go to https://advisera.com/45001academy/iso-45001-gap-analysis-tool/
Difference between clauses 4.4 and 8.1
Have consulted the 'clause by clause' and 'what to do' publications too and yet find it difficult to comply with the documentation and record keeping requirements for our QMS.
Answer:
The main difference is that clause 4.4 is much broader, covering planning for the entire Quality Management System, while clause 8.1 covers planning for all the operational aspects of the QMS, i.e. design, customer requirements, purchasing, etc.
Answer:
The AS9100 Rev D standard does not talk specifically about this issue, and only states in clause 7.5.2c (creating and updating) that documented information is reviewed and approved for suitability and adequacy, leaving the decision on how to do this appropriately to the organization. In fact, in a small organization you may have only one expert in a certain process, so that there is no adequate review person available (AS9100 is written for all types of organizations). That being said, it is difficult to see how one person could review their own work, and a second-person review can be very helpful to highlight potential issues in a document.
It is important to remember that this clause only talks about QMS documented information, and not the information covered by clause 8.1.2 for configuration management, which deals with control of the physical and functional attributes of the products or services and often includes drawings, specifications, etc. In the end it also comes down to what customer and legal requirements are imposed on you for approval of certain documentation, so make sure you consult these requirements as well.
For more information on understanding the AS9100 documented information clause, see this article: A new approach to document and record control in AS9100, https://advisera.com/9100academy/knowledgebase/new-approach-to-document-and-record-control-in-as9100/