
  • Requirement for Policy for Business Continuity

    Dejan said the [Strategy for business continuity] I can exclude if we don’t want to become compliant with ISO 22301. This means to me it isn’t part of ISO 27001. What about the [policy for business continuity]: is it also just a part of ISO 22301 or is it a part of ISO 27001 too (for example A.17 out of the ISO 27001 standard —but for that Dejan said the emergency management plan is enough and covers chapter A.17). Which part of the standard talks about having a [policy for business continuity]? I can’t find the policy in the toolkit either.

    Answer:

    ISO 27001 does not require a Policy for Business Continuity. This policy is a requirement only for ISO 22301. Since one of the objectives of the toolkit is to avoid excessive work on documents we did not include such policy in ISO 27001 documentation toolkit (the Disaster Recovery Plan template included in the toolkit is enough to cover the requirements of ISO 27001 A.17.).

    This article will provide you further explanation about implementing business continuity in an ISO 27001 ISMS:
    - How to use ISO 22301 for the implementation of business continuity in ISO 27001 https://advisera.com/27001academy/blog/2015/06/15/how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001/
  • GDPR EU Representation


    Answer:

    You are only exempted from appointing a representative if the processing, which is occasional, does not include on a large scale the processing of special categories of data, as referred to in Article 9(1), or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or if you are a public authority or body (which is not the case).
  • Defining scope


    Answer:

    According to ISO 27001, an ISMS scope must be defined in terms of information, locations or business units to be protected, considering the organization's objectives and context.
    For small and mid-size organizations (up to 100 employees) it is often better to include the whole organization in the scope, because the effort to keep only a part of the organization in the scope is not worthwhile. For bigger organizations, defining a smaller scope may be better to reduce the costs and effort to what really matters for business objectives.

    These articles will provide you further explanation about defining scope:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    These materials will also help you regarding defining scope:
    - Book Secure & Simple: A Small-Business Guide to implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Internal audit - Plan & Report


    Answer:

    Conducting an internal audit can be done following these steps found in ISO 19011:
    1 – Initiate the Audit
    2 – Review the Documents
    3 – Develop Audit Plan
    4 – Assign Work to Auditors per Plan
    5 – Prepare Working Papers
    6 – Determine the Audit Sequence
    7 – Conduct Opening Meeting
    8 – Review Documents and Communicate
    9 – Carry out the Audit
    10 – Generate Audit Findings
    11 – Present Findings and Conclusions
    12 – Formally Distribute Audit Report
    13 – Follow Up on Actions / Corrective Actions

    You can find more information about this in these articles:
    - 13 steps for ISO 9001 internal auditing using ISO 19011: https://advisera.com/9001academy/knowledgebase/13-steps-for-iso-9001-internal-auditing-using-iso-19011/
    - Five main steps in ISO 9001 internal audit: https://advisera.com/9001academy/knowledgebase/five-main-steps-in-iso-9001-internal-audit/

    The internal audit plan is a document to record and inform necessary employees of an audit that will happen. The Audit Plan should include the purpose, scope, criteria, and objectives for the audit, as well as identify audit dates and Audit Team members.

    Regarding the Internal Audit Report, it is the document used to report on the findings of an internal audit. The following elements need to be included in an audit report:
    - Audit objective
    - Audit scope
    - Audit client
    - Audit days and places
    - Audit criteria
    - Audit findings
    - Audit conclusions

    Again, the best practice for audit report content can be found in ISO 19011 - Guidelines for quality and/or environmental management systems auditing.

    For more information about the audit report, see this article - Writing a good QMS internal audit report: https://advisera.com/9001academy/blog/2015/03/17/writing-a-good-qms-internal-audit-report/

    These materials can help you to learn more about internal audit in ISO 9001:2015:
    - Book - ISO Internal Audit Plain English Guide: https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - ISO 9001:2015: Internal Auditor Course: https://advisera.com/training/iso-9001-internal-auditor-course/
  • Audit meetings


    Answer:

    The need for opening and closing meetings on internal audits is more related to audit complexity than to the number of employees (company turnover would not be a good criterion). Good criteria for deciding to perform opening and closing meetings on internal audits are whether the audit scope falls under the responsibility of more than one person (e.g., the audit scope involves two or more unrelated departments or processes), or whether there is a great number of people involved in the audit (e.g., there is an audit team, or the auditor will be working with multiple guides from the auditee).

    This way the auditor will ensure alignment between all personnel involved in the audit and will save time not repeating the same information multiple times during the audit.

    This article will provide you further explanation about internal audits:
    - Qualifications for an ISO 27001 Internal Auditor https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/

    By the way, the opening and closing meetings are explained in our Lead Auditor course.
  • ISO 45001 Contractors vs outsourcing




    Answer:

    Clause 8.1.4.2 is about contractors and the controls needed to control activities that impact your organization, the contractors’ workers and other interested parties in the workplace. Clause 8.1.4.3 is about outsourcing and ensuring that the arrangements and controls for outsourcing are aligned with legal requirements and OH&S outcomes. The difference between these two may seem subtle, but if you look at the definition of contractor in clause 3.7 it becomes clearer; the note for contractor gives an example of construction activities.

    So, the requirements are different because contractors are very often providing services in your facility (such as construction, electrical, plumbing, etc.) and as such the ability of the contractor to directly affect your workplace health & safety is much greater. You also need to worry about the health & safety rules that are being followed by your contractor's employees when they are on your site.

    By comparison outsourced services (such as computer services, accounting, etc.) can often be done away from your workplace and as such have less of an effect on your workplace health & safety. This means the controls for these services do not necessarily need to be as thorough. The standard separates these two types of externally provided services so that the requirements can be more clearly stated.

    If you are interested in learning more about ISO 45001:2018 you can check out these upcoming webinars: https://advisera.com/45001academy/webinars/
  • Non-EU based company blocking EU users by IP while still offering services in EU

    It is not the same thing. If you use a VPN just for the sole purpose of trying to bypass the EU GDPR or other such means to cheat your way out of compliance, then this is definitely going to work. However, if you genuinely don't know where your website comes from and you are not knowingly targeting or monitoring individuals in the Union, then you should be bound by the EU GDPR. I hope this is clearer now; please try to read my responses in the right context.
  • How long to keep prosthesis product in the event of knee transplant


    Answer:

    The Standard does not state how long a product should be kept. Generally, it should follow applicable regulatory guidelines or the projected useful life of the medical device, whichever is the longest. In this case, there should be documented records for traceability of the prosthesis in case of any field safety notice and recall.

    For more information, please refer to

    How to manage recalls and advisory notices for medical devices according to ISO 13485
    https://advisera.com/13485academy/blog/2017/08/31/how-to-manage-recalls-and-advisory-notices-for-medical-devices-according-to-iso-13485/
  • GDPR responsibilities for small web design business


    Answer:

    My guess is that you are building websites for your clients; thus, your clients will be the data controllers as regards the personal data of the website users/visitors. In this case one of your main duties in terms of privacy is building the website so as to allow your customers to comply with the provisions of the GDPR. This means, among other things, providing a way for your customer to present Privacy Notices to their visitors/users, capture and store consent, and allow personal data to be deleted or anonymized when no longer needed.

    You can find some useful documents for website compliance in our “GDPR Mini Toolkit for Websites” (https://advisera.com/eugdpracademy/eu-gdpr-mini-toolkit-for-websites/).
  • Exclusion and non-conformity


    Answer:

    Yes, it results in a non-conformity. And the auditor can even consider it as a major non-conformity. With ISO 9001:2015 there is no longer the possibility for voluntary exclusion of a clause. Within the scope of the quality management system of the organization all applicable clauses must be considered.

    The following material will provide you information about exclusion in ISO 9001:2015:
    - ISO 9001 – What clauses can be excluded in ISO 9001:2015? - https://advisera.com/9001academy/blog/2015/07/07/what-clauses-can-be-excluded-in-iso-90012015/2015/
    - free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/