Search results


  • Templates for ISO/IEC 27033-2


    Answer:

    Some elements of our ISO 27001 Documentation Toolkit can help you gather information for ISO 27033:
    - Procedure for Identification of Requirements https://advisera.com/27001academy/documentation/procedure-for-identification-of-requirements/
    - List of Legal, Regulatory, Contractual and Other Requirements https://advisera.com/27001academy/documentation/list-of-legal-regulatory-contractual-and-other-requirements/
    It is important to note that these are two different standards, so these documents may not cover the complete ISO 27033 requirements.
  • Updating auditor competence

    I need to carry out an internal audit to the ISO 14001:2015 version, so if I had internal awareness training for the updates to the new standard ISO 14001:2015, would this be enough evidence for external auditors such as SGS?

    Answer:
    Strictly by the book, internal auditor competence is defined and settled by the audit customer, for example, a management system audit program manager. So, as long as you can evidence the competence requirements of your organization, there should be no problem. Having said that, I must confess that I have already found some third-party auditors wanting, besides the training for the update to the new standard, some kind of training on risk-based thinking (RBT) for internal auditors. Perhaps because they were not satisfied with the RBT approach of the audited organization. Also, I can imagine that some external auditors will start checking to see if internal auditors had any training on the update to the ISO 19011:2018 version. But remember my first statement.

    By the way, an odd thing happened: in the ISO 9000:2015 and ISO 19011:2018 definition of auditor, the word competence is no longer mentioned.

    The following material will provide you information about internal auditors requirements:
    - ISO 14001 – What competences should an ISO 14001 internal auditor have? - https://advisera.com/14001academy/blog/2016/07/04/what-competences-should-an-iso-14001-internal-auditor-have/
    - free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • Identification of field failures

    Answer:
    Identification of potential field failures represents potential points in the process where the process can fail, that is, where the outcome of the process is not in line with the specifications. FMEA analysis, especially PFMEA analysis, is one of the tools for such analysis. A failure of function, for example, can be a failure of the purchasing process in the quantity of purchased items (bought more than needed).

    To find out more about FMEA please see our article:
    https://advisera.com/16949academy/blog/2017/09/06/what-is-fmea-and-how-to-apply-it-in-iatf-16949/

    2. How can I do that for 'identification'?
    Answer:
    Identification of failures can be done by looking at the process itself and reporting failures. An example can be in production, where the process is monitored and every failure of the process that is out of specification is recorded.
  • Opportunities in ISO45001

    Opportunities are not necessarily related to the risks. OH&S opportunities are about reducing or eliminating the risks associated with hazards, so for these you can think of how to make the risk less as an OH&S opportunity, but other opportunities are not necessarily from risks. These are top level opportunities that you might identify as part of a SWOT analysis or other strategic planning process to identify uncertainties you can capitalize on.


    You can read a bit more on the SWOT analysis in the article: Benefits of SWOT analysis in ISO 45001, https://advisera.com/45001academy/blog/2019/05/27/iso-45001-swot-analysis-what-are-the-benefits/

  • ISO 9001 for a single person company


    Answer:

    Implementing ISO 9001:2015 in a single person Ltd company is possible and, in fact, it should be quite straightforward because you won't have to deal with certain issues, such as communication problems, that usually arise in larger organizations.

    Regarding your question about whether or not achieving certification is relevant for a single man company - like for anything else in business, you will need to evaluate costs vs. benefits of implementing the standard. If you determine that you will gain some work that otherwise you wouldn't be eligible for, then you should consider implementing ISO 9001.

    To learn more about achieving ISO 9001 in a small company you can see these materials:
    - Article - Checklist of ISO 9001 implementation and certification steps: https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
    - Article - Benefits of ISO 9001 implementation for small businesses: https://advisera.com/9001academy/blog/2018/09/17/benefits-of-iso-9001-implementation-for-small-businesses/
    - Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - ISO 9001:2015 Foundations course: https://advisera.com/training/iso-9001-foundations-course/
  • EU GDPR and Supervisory Authority


    Answer: Where the extra-territorial provisions of the EU GDPR apply, the controller or processor must appoint a representative. That representative must be based in a Member State in which the relevant individuals are based. There is a limited exemption to the obligation to appoint a representative where the processing is occasional, where it is unlikely to be a risk to individuals and it does not involve large scale processing of sensitive personal data.

    2. The regulation appears rather vague on the data subjects, is it EU CITIZENS or EU residents?

    Answer: The regulation is crystal clear and it refers to data subjects “in the Union”. The EU GDPR will only apply to personal data regarding individuals within the Union, while the nationality or habitual residence of those individuals is irrelevant. If you want to find out more about the EU GDPR, check out our free EU GDPR Foundations Course (https://advisera.com/training/eu-gdpr-foundations-course//).
  • Controls selection

    Another concern is that CIS20 does not have (HR and physical security), whereas 27002 does. The proposed scope of the XXXXXX ISMS will not include (HR and physical security); it would include only relevant CIS20 controls. (I understand I can add others, but due to scope I do not want to add them.) So my question is … Can XXXXXX have a certified 27001 ISMS using CIS20 controls only?

    Answer:

    First, it is important to note that all controls from ISO 27001 Annex A (those controls are the same as the ones in ISO 27002) must be considered during an ISMS implementation compliant with ISO 27001. For all controls from Annex A you have to identify whether they are applicable or not, and justify why they are applicable or not.

    Second, most of the CIS 20 controls can be related to ISO 27001 Annex A controls (e.g., the CIS control “Inventory and Control of Hardware Assets” can be related to ISO 27001 controls “A.8.1.1 Inventory of assets” and “A.8.1.2 Ownership of assets”), so in a sense, when you implement CIS 20 controls you are considering particular controls from Annex A as applicable.

    However, you will need to list all the ISO 27001 controls that are not covered by CIS 20 and decide whether they are applicable or not.

    This article will provide you further explanation about selecting controls:
    - The basic logic of ISO 27001: https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    This material will also help you regarding ISO 27001:
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - Overview of ISO 27001:2013 Annex A https://advisera.com/27001academy/iso-27001-controls/
  • Retaining time for internal audit records


    Answer:
    Unless your organization belongs to a sector with particular requirements from customers or regulators, there is no “officially” suggested time to retain records of internal audits. 10 years seems to be demanding without any particular return on investment. In my work with organizations I recommend 4 years. With this time frame, organizations ensure that they keep internal audit records during the three-year certification cycle.

    The following material will provide you information about document and record control:
    - ISO 9001 – New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • SOC 2 Audit Compliance


    Answer:

    We're not experts in this field, but in general SOC 2 reports on various organizational controls related to security, availability, processing integrity, confidentiality or privacy, and to perform this audit you can consider an ISO 27001 internal audit approach:
    - Identification of compliance requirements
    - Elaboration of an audit checklist
    - Performing the audit to gather compliance evidence
    - Elaboration of the report

    These articles will provide you further explanation about performing audits:
    - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
    - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

    These materials will also help you regarding internal audit:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - ISO 27001:2013 Internal Auditor course https://advisera.com/training/iso-27001-internal-auditor-course/
  • ISO 27001 Toolkit content


    Answer: I'm assuming that by data classification you mean information classification. Considering that, the template that covers information classification is the "Information Classification Policy", which is located in folder 08 Annex A / A.8 Asset management.

    2 - And in addition - vulnerability management process? Can't find these docs in the package.

    Answer: Vulnerability management is not a mandatory document according to ISO 27001, nor is it a document commonly adopted by organizations (most of them rely on outsourced services for this purpose), so it is not included in the toolkit, to avoid unnecessary effort to manage the ISMS. If you understand that this document is important to your organization, you can schedule a meeting with one of our experts so he can help you to develop such a document.

    These articles will provide you further explanation about vulnerability management:
    - How to manage technical vulnerabilities according to ISO 27001 control A.12.6.1 https://advisera.com/27001academy/blog/2015/10/12/how-to-manage-technical-vulnerabilities-according-to-iso-27001-control-a-12-6-1/
    - How to use penetration testing for ISO 27001 A.12.6.1 https://advisera.com/27001academy/blog/2016/01/18/how-to-use-penetration-testing-for-iso-27001-a-12-6-1/
    - Implementing restrictions on software installation using ISO 27001 control A.12.6.2 https://advisera.com/27001academy/blog/2016/02/08/implementing-restrictions-on-software-installation-using-iso-27001-control-a-12-6-2/