
  • Meaning of authority


    Answer:
    Authority is about the power of decision, the power of command. Responsibility is about obligation. For example, an operator may have the responsibility to perform quality control and identify the nonconforming product (he or she has the obligation to do it, he or she is expected to do it), and may not have the authority to decide what to do with the identified nonconforming product.

    The following material will provide you with information about roles and responsibilities:
    - ISO 9001 – How to document roles and responsibilities according to ISO 9001 - https://advisera.com/9001academy/blog/2018/02/26/how-to-document-roles-and-responsibilities-according-to-iso-9001/
    - [free course] ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - book - Discover ISO 9001 :2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • ISO 27001 implementation steps

    >1 - We use the Microsoft Azure Public cloud heavily to provide Web Services to clients. One of my executives is asking if we can just include this platform in the scope and have the IT department that ‘interfaces’ with it as an ‘interested party’, therefore reducing the amount of work involved. Only the IT Department interfaces with this platform.

    In summary, are we able to only include a ‘platform’ or does the scope have to include an organisational unit.

    Answer: You can include cloud environments in your ISMS scope without problems, and the extent to which you have to include them in your ISMS scope will depend on the type of service you have:
    - If you have an Infrastructure as a Service (IaaS) agreement, then software and data should be in the ISMS scope, while physical location and hardware are completely out.
    - If you have a Platform as a Service (PaaS) agreement, then data and all application software should be included in the ISMS scope, while everything else is out, including all system software.
    - If you have a Software as a Service (SaaS) agreement, then only the data should be in the ISMS scope.

    Regarding who will interface with the cloud provider, you can define the IT department without problem also.

    This article will provide you with further explanation about ISMS scope and cloud environments:
    - Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/

    >2 - Also, once I have ironed out the requirements of the scope for the meeting, how do I go about recording it efficiently? Am I best using a spreadsheet of some kind?

    Answer: To document your ISMS scope, I suggest you take a look at the free demo of our ISMS Scope Document at this link: https://advisera.com/27001academy/documentation/isms-scope-document/

    This document can help clearly define the boundaries of the ISMS fulfilling the requirements of ISO 27001 standard.
  • Application of BCP on ISO 27001


    Answer:

    Any control from ISO 27001 Annex must be applied only if one of the following occurs:
    - There are risks identified as unacceptable in the risk assessment that require the implementation of the control
    - There are legal requirements (e.g., contracts, laws, and regulations) that require the implementation of the control
    - There is a top management decision requiring the implementation of the control

    If none of these occur there is no need to implement any control considering ISO 27001 requirements, including BCPs.

    So, considering your scenario, besides risks and contracts you should also verify whether there are any laws and regulations applicable to your business requiring the implementation of BCPs, and the explicit intention of top management not to implement BCPs for ISO 27001.

    This article will provide you with further explanation about selecting controls:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
  • Certification audit


    Answer:

    To obtain a certification your organization has to hire an accredited certification body to perform the certification audit. And although price is an important criterion, you should consider other aspects like reputation, experience, and flexibility.

    To help you find a certification body near your location, I suggest you use this link: https://advisera.com/

    This article will provide you with further explanation about certification bodies:
    - How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/

    This material will also help you regarding certification audit:
    - Preparing for ISO Certification Audit: A Plain English Guide https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/
  • Road Map for implementation of IATF 16949


    Answer:
    Implementation of the standard should begin with getting support from management, identifying QMS requirements, and defining the scope of implementation.
    You can use a Checklist of IATF 16949:2016 implementation steps: https://advisera.com/16949academy/knowledgebase/checklist-of-iatf-16949-2016-implementation-steps/
    Feel free to look at the following material to learn more about the scope:
    - How to define the scope of the IATF 16949: https://advisera.com/16949academy/blog/2017/06/28/how-to-define-scope-of-the-qms-according-to-iatf-16949/
    Next, please look at how to implement the PDCA cycle in the automotive industry, as it is basic for the implementation of the standard.
    - How to implement the PDCA cycle in the automotive industry: https://advisera.com/16949academy/blog/2017/06/07/how-to-implement-the-pdca-cycle-in-the-automotive-industry-according-to-iatf-16949/
    In the implementation diagram you will find process steps that you may follow as a roadmap.
    - IATF 16949:2016 Implementation diagram: https://info.advisera.com/16949academy/free-download/iatf-16949-implementation-diagram
    Also, the checklist of required documentation and the checklist for project implementation can help:
    - Checklist of mandatory documents required by IATF: https://info.advisera.com/16949academy/free-download/checklist-of-mandatory-documentation-required-by-iatf-16949
    - Project Checklist for IATF 16949:2016 Implementation: https://info.advisera.com/16949academy/free-download/project-checklist-for-iatf-16949-2016-implementation
    As you have experience with ISO/TS 16949, it will be good to look at these materials:
    - The twelve-step transition process from ISO/TS 16949:2009 to IATF 16949:2016: https://info.advisera.com/16949academy/free-download/twelve-step-transition-process-from-iso-ts-16949-2009-to-iatf-16949-2016
    - IATF 16949:2016 vs ISO/TS 16949:2009 Matrix: https://info.advisera.com/16949academy/free-download/iatf-16949-2016-vs-iso-ts-16949-2009-matrix
  • Format of documents for its control


    Answer:

    Yes, as long as those documents are documented information that supports the operation of processes, you will need to register them. ISO 9001:2015 in clause 7.5 requires an organization to “Maintain documented information to the extent necessary to support the operation of processes and retain documented information to the extent necessary to have confidence that the processes are being carried out as planned.”

    Basically, no matter what format you decide to use, you will need to document the following:
    - Critical portions of the quality management system (QMS) such as its scope, key operational processes, policies, and objectives.
    - Important, but less critical, information that supports the QMS such as process flowcharts, specific quality and operational procedures, schedules, information collection approaches (i.e. forms, surveys), business plans, etc.

    These materials can help you to understand document control in ISO 9001:2015:
    - Article - New approach to document and record control in ISO 9001:2015: https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
    - Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - ISO 9001:2015 Foundations Course: https://advisera.com/training/iso-9001-foundations-course/
  • Legal requirements

    I was wondering how up to date it is and the sources of the information? We were considering purchasing a legal register, but I am not convinced that we need to.

    Answer:

    Unfortunately, this list is not fully up-to-date because it depends on voluntary contributions from our readers - therefore, it is likely that not all regulations are listed. To make sure you have the latest list of laws and regulations, it would be best to hire a local legal adviser.
  • Risk assessment


    1. Would you please help to guide me how to start to do risk management (from Risk Identified --Risk Treatment Plan)?

    Answer: Since your answer is not clear about which material from our knowledge base you've read, I suggest these materials for you to understand the risk management process:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/es/webinar/the-basics-of-risk-assessment-and-treatment-according-to-iso-27001-free-webinar-on-demand/

    2. I would appreciate it if you could help with detailed sample data, starting from the first step of risk identification.

    Answer: For free sample data I suggest these materials:
    - Diagram of 6 steps in ISO 27001 risk management https://info.advisera.com/27001academy/free-download/diagram-of-6-steps-in-iso-27001-risk-management
    - Diagram of ISO 27001:2013 Risk Assessment and Treatment process https://info.advisera.com/27001academy/free-download/diagram-of-iso-270012013-risk-assessment-and-treatment-process

    For more detailed information I suggest you take a look at the free demo of our ISO 27001/ISO 22301 Risk Assessment Toolkit at this link: https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/

    This toolkit enables you to implement information security and business continuity risk management compliant with ISO 27001 and ISO 22301, and provides access to video tutorials to help fill in the documents with real data examples.

    3. Is it possible to treat or prevent to be zero risk appetite?

    Answer: It is not possible to treat risks to achieve zero risk appetite, because the cost to treat all possible risks an organization is exposed to would be prohibitive.

    4. If I follow standard COBIT 5 for risk management, I don’t need to do SOA right?

    Answer: Your understanding is correct. The Statement of Applicability is not a requirement of COBIT 5, so you do not need to develop such a document if you follow the COBIT 5 risk management approach.
  • Template content

    Control 6.1.1 Information security roles and responsibilities is covered by all templates in the toolkit. For each required action in a template, the definition of who must perform it (the field [job title]) is always required.

    Please be aware that ISO 27001 does not require you to document each and every control you declare as applicable, you can simply describe the implementation of such undocumented controls in the Statement of Applicability. In order to avoid overhead for small companies, we have decided to include in the toolkit only those documents that are mandatory + those that are most commonly used; in other words, you will not find in the toolkit the documents that are not mandatory and that are not used very often.

    For more information regarding controls A.6.1.4, and A.6.1.5 please read these materials:
    - How to manage security in project management according to ISO 27001 A.6.1.5 https://advisera.com/27001academy/what-is-iso-27001/
    - Special interest groups: A useful resource to support your ISMS https://advisera.com/27001academy/blog/2015/04/06/special-interest-groups-a-useful-resource-to-support-your-isms/
  • Car license plate number


    Answer:

    The EU GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. As long as the car is registered to an individual, the license plate would make that person identifiable, so it would fall under the definition above.

    To learn more about personal data and the EU GDPR check out our EU GDPR Foundations Course (https://advisera.com/training/eu-gdpr-foundations-course//).