Search results


  • ISO 9001:2015, Internal and External Auditor


    Answer:
    ISO 9001 is the international standard for Quality Management Systems (QMS), published by ISO (the International Organization for Standardization). The standard was most recently updated in 2015 and is referred to as ISO 9001:2015. You can get a more detailed answer at – What is ISO 9001? - https://advisera.com/9001academy/what-is-iso-9001/

    An internal auditor is a person with the right competency and independence to perform an internal audit, also known as a first-party audit. An internal audit is a systematic process to internally get objective evidence and evaluate if an organization is working according to ISO 9001, or any other management system standard’s requirements. You can enroll for free in this ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/

    An external auditor is someone, competent and independent, performing a second- or third-party audit. You can find more information about these kinds of audits at First-, Second- & Third-Party Audits, what are the differences? - https://advisera.com/9001academy/blog/2015/02/24/first-second-third-party-audits-differences/

    You can enroll for free in this Lead Auditor Course - https://advisera.com/training/iso-9001-lead-auditor-course/
  • Understanding internal & external issues

    This can be difficult as these internal and external issues that become part of the context of the organization are individual to each company, so the process for collecting them is also unique from one organization to another. This process can be as simple as having top management brainstorm what OHS issues exist internally for the organization (such as employee culture, union commitment to OHS, etc.) as well as what issues exist externally for the organization (such as changing equipment needs that affect OHS, new legal training requirements, etc.). Remember, these issues need to be reviewed as part of management review, so having them written down may be necessary depending on the organization.
    For more on how clause 4 works see this article, “Defining the context of the organization according to ISO 45001”: https://advisera.com/45001academy/blog/2016/02/03/defining-the-context-of-the-organization-according-to-iso-45001/
  • What makes a GDPR process unique?


    Answer:

    It is not necessarily about the types and categories of personal data even if these are the same for more than one process, it is about the other elements that must be identified such as lawful basis, retention period, etc. You can have the exact same sets of personal data in two processes but the lawful basis for processing would be different. For example, the personal data of employees is usually processed using contractual obligation or legal obligation and the data of customers (even if we are talking about the same set of data) could be processed based on consent. Also, the retention period may differ. So, as you can see, there is a good reason for having a process-centered approach.
  • Toolkit for becoming compliant with ISO 27033


    Answer: Since these are two different standards, unfortunately our ISO 27001 Documentation Toolkit will not help you become fully compliant with ISO 27033 (Network security standard). You would be able to use some elements of our toolkit to become compliant with ISO 27033 (like risk assessment methodology, operating procedures for IT department, etc.) however those documents do not cover the complete ISO 27033.

    You can see a preview of each document in the ISO 27001 Documentation Toolkit here: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
  • Coverage of ISO 27001 requirements in the toolkit


    Answer: The toolkit covers mentioned clauses in the following way:
    - Clause 8.1 (Operational planning and control) - this is covered by all the policies and procedures you'll find in the toolkit in folder "08 Annex A"
    - Clauses 8.2 and 8.3 (Information security risk assessment and treatment) - you'll find the documents in the folder "05 Risk assessment and risk treatment methodology"
    - Annex A.5 (Information security policies) - this is covered by all the policies and procedures you'll find in the toolkit in folder "08 Annex A"
    - Annex A.7 (Human resource security) - besides the two documents in the folder "07 Human resources security", the document Supplier security policy (folder 08 - A.15) covers controls A.7.1.1, A.7.1.2 and A.7.2.2, Security clauses for suppliers and partners (folder 08 - A.15) covers the control A.7.1.2, and Incident management procedure (folder 08 - A.16) covers A.7.2.3.

    By the way, in the root folder of your toolkit you'll find a PDF document called "List of documents" where it is specified which document covers which clause of the standard.
  • How often the risk review needs to be done?

    SOA controls are implemented due to various reasons like Best Practices, Legal, Contractual, or out of risk assessments.

    Answer: You should review your current risk assessment at least once a year, or if any bigger change happens - e.g. change of technology, change of location, change in your products or services, change in legislation, etc.

    Is it good to categorize the controls implementation like this and to assess all controls every quarter or only during any technology or regulatory changes?

    Answer: I didn't see in practice this kind of categorization, and it seems to me it won't be useful - as mentioned above, the review needs to be triggered by any significant changes.
  • Minimum roles for ISO 27001 certification

    This is correct - smaller companies very often hire outsourced security officers.
  • BIA input for risk assessment


    Answer: ISO 27001 does not prescribe which inputs you should use when performing the risk assessment, only that you have to take into account the impact on confidentiality, integrity and availability of your information.

    Therefore, you can take Business Impact Analysis as an input for your risk assessment, however this could prove to be very costly if you start doing this for each of your assets; to avoid these costs you can do the BIA only for the most valuable assets.

    Read also this article: Risk assessment vs business impact analysis: https://advisera.com/27001academy/knowledgebase/risk-assessment-vs-business-impact-analysis/
  • Non disclosure agreement and auditors


    Answer:
    Normally, organizations don’t require that certification bodies’ auditors sign non-disclosure agreements, since they have to keep professional confidentiality. However, if they will come into contact with proprietary specifications, or proprietary processes, or information not intended for public knowledge, your organization can previously contact the certification body and request them to arrange things accordingly.

    The following material will provide you information about the classification of information:
    - ISO 27001 – Information classification according to ISO 27001 - https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Requirements for a third-party consultant/training provider


    Answer:
    ISO has no requirements for a third-party consultant/training provider to possess before he can provide the required EMS internal auditor training to a client's ISO 14001 champion. That will depend on each client's own requirements.

    The following material will provide you information about consultant/training requirements:
    - How to become an ISO 14001 consultant - https://advisera.com/14001academy/blog/2016/08/29/how-to-become-an-iso-14001-consultant/
    - free online training ISO 14001:2015 Lead Implementer Course - https://advisera.com/training/iso-14001-lead-implementer-course/
    - book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/