
  • Filling templates


    Answer: Besides the reference to the ISO 27001 standard and to the implementation project plan (if such a document exists) that is already included, you have to include a reference to any laws, regulations or contracts that have clauses that can impact your ISMS (e.g., confidentiality clauses in service level agreements with customers, data protection clauses in laws you are required to follow, etc.). For this list you can reference the List of Legal, Regulatory, Contractual and Other Requirements template, which is included in your toolkit in folder 02 Procedure for Identification of Requirements, and include the references to all documents there.

    There is no need to include a reference to any other document from the toolkit.

    2. We have an offshore wholly owned subsidiary in India which operates as a separate legal entity. Can we include that in the scope?

    Answer: Subsidiaries legally bound to the main organization can be included in the ISMS scope, but you should evaluate whether the effort to maintain two organizations operating in different countries in a single scope is not greater than adopting two separate scopes.

    3. During the first audit, the auditor mentioned we needed a 'small scope' that would be printed on the ISO Certificate. Which part of the scope is he referring to?

    Answer: The auditor is referring to a summary from subsections 3.1 to 3.5 of the ISMS Scope Document (processes and services, organizational units, locations, networks and IT infrastructure and the exclusions of the scope). An example may be:

    "The ISMS scope comprises the software development process, performed by our software development department on premises located at address xyz, and the customer support process, performed by our customer relationship department on premises located at address abc."
  • Data Processing Agreement


    Answer:

    For the most part, the content of a Data Processing Agreement can be the same, as all such documents are based on the requirements of EU GDPR Article 28 – Processors. However, the scope, purpose and duration, as well as the types and categories of personal data being processed, vary depending on the service.
    You can find a suitable template at https://advisera.com/eugdpracademy/documentation/supplier-data-processing-agreement/ The main body of the agreement should be applicable across the board to all services, and Annex 1 should be filled in with the details related to the scope, purpose, categories of data and duration of the processing.
  • GDPR Supervisory Authority in Africa


    Answer:

    Based on your description, it doesn't seem that the EU GDPR is applicable to you as you don't process personal data of data subjects in the EU. If you want to find out more about the EU GDPR, check out our free EU GDPR Foundations Course (https://advisera.com/training/eu-gdpr-foundations-course//).
  • Filling SoA


    Answer:

    To perform the identification of applicable controls for the Statement of Applicability you need to consider:
    - The results of the risk assessment (risks identified as unacceptable will require the implementation of controls)
    - Contracts, laws, regulations and other legal requirements that demand the implementation of controls (e.g., performance levels in Service Level Agreements, data protection under the GDPR, etc.)
    - Top management decisions about controls to be implemented that are not related to the previous reasons (e.g., because top management considers them good market practices)

    These articles will provide you with further explanation about the SoA and the risk management process:
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    - ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    These materials will also help you regarding the risk management process:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/es/webinar/the-basics-of-risk-assessment-and-treatment-according-to-iso-27001-free-webinar/
  • ISO 45001 Gap Analysis Tool


    Answer:
    We do not have an Excel checklist for gap analysis, but we do have an online tool to help with this assessment. As you have stated, it is designed to ask, in a simple manner, which parts of the ISO 45001:2018 requirements are already in place, so that you can assess how much there is left to do.
    To find this online ISO 45001 Gap Analysis Tool, go to https://advisera.com/45001academy/iso-45001-gap-analysis-tool/
  • Difference between clauses 4.4 and 8.1

    I have consulted the 'clause by clause' and 'what to do' publications too, and yet I find it difficult to comply regarding the documentation and record keeping of our QMS.

    Answer:

    The main difference is that clause 4.4 is much broader, covering planning for the entire Quality Management System, whereas clause 8.1 covers planning for the operational aspects of the QMS, i.e., design, customer requirements, purchasing, etc.

    You can see these materials to help you understand clauses 4.4 and 8.1:
    - Book – Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free on-line training – ISO 9001:2015 Foundations: https://advisera.com/training/iso-9001-foundations-course/
  • AS9100 Rev D Document Review


    Answer:
    The AS9100 Rev D standard does not talk specifically about this issue, and only states in clause 7.5.2c (creating and updating) that documented information is reviewed and approved for suitability and adequacy, leaving the decision on how to do this appropriately to the organization. In fact, in a small organization you may have only one expert in a certain process, so that there is no adequate review person available (AS9100 is written for all types of organizations). That being said, it is difficult to see how one person could review their own work, and a second-person review can be very helpful in highlighting potential issues in a document.
    It is important to remember that this clause only talks about QMS documented information, and not the information covered by clause 8.1.2 for configuration management, which deals with control of the physical and functional attributes of the products or services, which often include drawings, specifications, etc. In the end it also comes down to what customer and legal requirements are imposed on you for approval of certain documentation, so make sure you consult these requirements as well.
    For more information on understanding the AS9100 documented information clause, see this article: A new approach to document and record control in AS9100, https://advisera.com/9100academy/knowledgebase/new-approach-to-document-and-record-control-in-as9100/
  • What does ISO 45001 add to SAMTRAC

    2. Do I need to do it, or are SAMTRAC and safety management enough?
    Answers:
    1. The ISO 45001:2018 standard is an internationally recognized standard that includes all of the processes which are agreed to be necessary for a comprehensive system to manage and improve OH&S performance in the workplace. The standard goes beyond simply meeting legal requirements and managing risk, and also includes the need to improve the processes and OH&S performance over time. This improvement focus, along with the need to integrate OH&S processes into the business processes, is an addition in the ISO 45001 standard which goes beyond just managing safety and OH&S risk. This being said, ISO 45001:2018 is a document which contains the requirements for an organization to implement, and is not something that an individual is certified to. An individual can only understand how to implement the standard, and be trained to implement and audit the requirements.
    2. This depends on what you wish to do. SAMTRAC deals with occupational risk management, and fits in very well with the overall safety management processes. Using the ISO 45001:2018 standard to understand all of the requirements of a world-recognized OH&S management system can help you to understand how safety and risk management integrate into the processes of the company, which could be very useful for anyone you are going to consult.
    For more information on understanding the ISO 45001 clauses, see this whitepaper: Clause-by-clause explanation of ISO 45001:2018, https://info.advisera.com/45001academy/free-download/clause-by-clause-explanation-of-iso-45001
  • ISO 45001 Risk and opportunity process

    Answer:
    The ISO 45001:2018 standard does not require any specific method for identifying and assessing risks and opportunities. Many companies will do this by brainstorming the risks and opportunities that they know exist for the OHSMS, and then determining if they need to do something, and if so what those actions will be. For most companies this will be the easiest and most effective process to start with, and they may adapt their risk and opportunity assessment as they find improvements.
    For more information on the risk & opportunity requirements, see this article: What are the new requirements for risks and opportunities according to ISO 45001?, https://advisera.com/45001academy/blog/2018/04/25/what-are-the-new-requirements-for-risks-and-opportunities-according-to-iso-45001/
  • Academe's suppliers


    Answer:
    Yes, the criteria for evaluation and selection of suppliers (clause 8.4.1) are a mandatory document. If you consider graduated students as your school's products, we can see your system as shown at https://www.screencast.com/t/k3w9PTsAYciK

    We can ask what products or services the school uses as inputs to perform its services. Once I helped a school implement its quality management system, and I remember that they considered the following as suppliers:
    * Transportation services;
    * Canteen services;
    * Cleaning services;
    * Accommodation services;
    * Maintenance services.

    Perhaps you can use these examples as an inspiration for your case.

    The following material will provide you with more information:
    - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
    - Should universities implement ISO 9001? - https://advisera.com/9001academy/blog/2015/04/21/should-universities-implement-iso-9001/
    - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book - ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/