
  • ISO 9001/14001 and training requirements


    Answer:

    ISO 9001 and ISO 14001 require that organizations determine competency requirements for their employees. Then, organizations should evaluate whether there are competency gaps among their employees and determine any actions to close those gaps. Normally, those actions turn out to be training actions. ISO 9001 and ISO 14001 do not require that training be paid for by employees.

    The following material will provide you information about competency:

    - Article - How to ensure competence and awareness in ISO 9001:2015: https://advisera.com/9001academy/knowledgebase/how-to-ensure-competence-and-awareness-in-iso-90012015/
    - Article - ISO 14001 Competence, Training & Awareness: Why are they important for your EMS?: https://advisera.com/14001academy/blog/2014/11/26/iso-14001-competence-training-awareness-important-ems/
    - Free online training - ISO 9001:2015 Foundations Course: https://advisera.com/training/iso-9001-foundations-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Determining the scope

    Company XXX located in Anytown, Anystate, USA produces and supplies stainless steel and aluminum for commercial and industrial markets located in the United States, Canada, and Mexico. Our product line includes sheets, blanks, slit coil and master coil with precise tolerances which are available with various finishes and PVC coatings.
    10. QMS Requirements
    Company XXX receives detailed requirements which are already established by our customers, via specifications and drawings; therefore, Clause 8.3, Design and Development does not apply and is not within the scope of our QMS.

    Answer:

    The scope is correct. The scope needs to identify the physical locations of the QMS, the products or services that are created within the QMS processes, and the industries that are applicable, in case this is relevant. Also, it should be clear enough to define what your business does, and if not all parts of the business are applicable, it should be easy to identify which parts are.

    These materials can help you to better understand the scope:

    - Article - How to define the scope of the QMS according to ISO 9001:2015: https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
    - Article - Certifying different legal entities under one certification scope: https://advisera.com/9001academy/blog/2018/03/27/certifying-different-legal-entities-under-one-certification-scope-in-iso-9001/
    - Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free on-line course - ISO 9001:2015 Foundations Course: https://advisera.com/training/iso-9001-foundations-course/
  • Minimal documentation for certification

    1. 00 Procedure for Document and Record Control
    2. 01 Project Plan
    3. 02 Procedure for Identification of Requirements
    4. 03 ISMS Scope Document
    5. 04 Information Security Policy
    6. 05 Risk Assessment and Risk Treatment Methodology
    After editing the above documents and looking at the total number of documents, we are wondering if we need to complete all the documents for a company of our profile or we could limit them to a fewer documents. Maybe, we could consider the relevant and mandatory ones for us to pass the ISO 27001/ ISO 22301 certifications.
    Please advise us on how we could make the document preparation and certification processes faster and easier.

    Answer:

    In fact, you do not need to complete all documents to be compliant with ISO 27001 and ISO 22301. Besides the mandatory documents, the toolkit includes the most commonly used documents, based on results of risk assessments and/or best practices.

    Included in the toolkit there is a List of document files that identifies the mandatory documents and the ones you have to implement only in case you have unacceptable risks to justify their implementation.
  • Employees awareness


    Answer:

    For employee awareness I suggest you take a look at our Why ISO 27001 – Awareness presentation at this link: https://info.advisera.com/27001academy/free-download/why-iso-27001-awareness-presentation
    This short presentation is intended for employees, to show what ISO 27001 is all about, why it is good for the company – and also for themselves – and what their role is in handling information security. You can adjust it to fulfill your needs, or use its content in your e-mails.
  • Secondary site location


    Answer:

    There is no standard distance for a secondary site, because this distance depends on the primary site location, the organization's profile, and many other variables. You can consider these factors to define the distance most adequate to your business:
    - the impact radius of a disruption event that can hit your site (the greater the impact, the longer the distance to your secondary site)
    - the costs related to keeping this secondary site available (e.g., the greater the distance, the greater the cost of the telecommunication links used to connect both sites, and the costs to move personnel from the site in case of need).
    This article will provide you further explanation about identifying distances for secondary site:
    - Disaster recovery site – What is the ideal distance from primary site? https://advisera.com/27001academy/knowledgebase/disaster-recovery-site-what-is-the-ideal-distance-from-primary-site/
  • Control objectives


    Answer:

    Control objectives are written right after the title of each subsection in Annex A. For example, right after subsection A.5.1 (Management direction for information security) you can find the control objective for controls A.5.1.1 and A.5.1.2:

    "Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations."

    Please note that there is not a control objective for each control. Instead, there is a control objective for a set of related controls (described in each subsection of Annex A).

    This article will provide you further explanation about control objectives:
    - ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/

    This material will also help you regarding control objectives:
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Regulatory compliance

    If such general regulations do not have an impact on the ISMS, they can leave them out of the scope and the control would be compliant.
  • IATF 16949 and ISO 22301


    Answer:

    The main reasons to adopt ISO 22301 are:
    - You have a legal requirement (e.g., law, regulation or contract) that demands such a standard to be implemented.
    - There is a marketing or operational edge the organization can take advantage of by implementing the standard.
    If neither reason applies to your organization, you do not need to implement ISO 22301.
    Regarding differences, while IATF 16949 focuses on quality for the automotive industry, ISO 22301 focuses on business continuity, enabling an organization to effectively handle disruptive events that can impact its processes or services.
    This article will provide you further explanation about ISO 22301:
    - What is ISO 22301 https://advisera.com/27001academy/what-is-iso-22301/
  • Testing cyber security


    Answer:

    The most effective and reliable tests of cybersecurity controls, plans and strategy will require software and other resources (these are called vulnerability assessments and penetration tests).

    However, you may also rely on documentation analysis and tabletop simulations to verify some aspects of your cybersecurity, but these cover far less of the scope you may be exposed to.
    These articles will provide you further explanation about security tests:
    - How to use penetration testing for ISO 27001 A.12.6.1 https://advisera.com/27001academy/blog/2016/01/18/how-to-use-penetration-testing-for-iso-27001-a-12-6-1/
    - How to set security requirements and test systems according to ISO 27001 https://advisera.com/27001academy/blog/2016/01/11/how-to-set-security-requirements-and-test-systems-according-to-iso-27001/
    - ISO 27001 vs. ISO 27032 cybersecurity standard https://advisera.com/27001academy/blog/2015/08/25/iso-27001-vs-iso-27032-cybersecurity-standard/
  • Opt-in email marketing


    Answer:

    There are three factors to be considered: the public source of that information, the fact that the email address is a “corporate” email address, and the content of the direct marketing emails.

    The first two factors above clearly indicate that we are dealing with a corporate email address which is made public for communication purposes. If you combine this with the content of your marketing emails, which should be targeting the company, not the individual, then in using that email address you can rely on “legitimate interest”, so no consent would be required; but you do need to provide an option to unsubscribe from the marketing emails.

    To learn more about marketing practices and GDPR, check out our webinar “How GDPR Affects Marketing Practices” (https://advisera.com/eugdpracademy/webinar/how-gdpr-affects-marketing-practices-free-webinar-on-demand/).
