  • Transfers of personal data


    2. In case the processor is not certified in Privacy Shield, to which contract should the standard contractual clauses be added?

    Answers:

    1. The safeguards should be ensured by the data exporter, if I understand correctly that the hospital would be in the EU. So the data exporter and data controller would be the EU hospital and the data importer and the processor would be the US located lab.

    2. The Standard Contractual Clauses (controller to processor version) should be between the EU hospital (data exporter) and the US Lab (data importer).
  • Quality plan


    Answer:

    The structure of the quality plan will be different insofar as some requirements of the standard have changed. For example, the organization now has greater freedom to decide which documentation to incorporate into its QMS, such as procedures, and there are other new requirements to incorporate into the system, such as determining the context of the organization or identifying risks and opportunities. All of this will also need to be taken into account when planning the milestones of each process within the project, the necessary resources and the corresponding responsibilities.

    Basically, the Quality Plan must include the following elements:
    - Plan the different stages of your project
    - Establish individual roles and responsibilities
    - Fully supervise and organize your ISO 9001 implementation

    You can download a project plan free of charge here - Project Plan for the Implementation of ISO 9001: https://info.advisera.com/9001academy/es/descarga-gratuita/plan-de-proyecto-para-la-implementacion-de-iso-9001-ms-word

    These materials can also help you with the Quality Plan:
    - ISO 9001:2015 Foundations Course: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
    - Book - Discover ISO 9001:2015 through practical examples (available in English): https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Statement of applicability A.17.1.3


    Answer: I assume you are referring to the document Statement of Applicability - this document is written so that it is compliant with both ISO 27001 and ISO 22301. However, if you are using only the ISO 27001 Toolkit, then documents like "Exercise and test plan" and "Review after incidents" do not exist, because they are not required by ISO 27001.

    You can use the following text for the implementation method of control A.17.1.3: "The Disaster recovery plan is reviewed by [job title] every 3 months, and is audited during internal audit every 12 months."
  • Problems with inventory of assets

    If you were to document each and every process, this would mean you would have hundreds of documents - so no, it is not mandatory to document every process.

    Developing a process means you have to define exactly what are the inputs, what are the steps in performing certain activities, who is responsible, what is the timing, what are the outputs, etc.

    If you do not want to document that process, this means you have to agree with all people involved exactly how this is done, in detail.

    If you want to document that process, you simply have to write down everything you have defined.

    This article can also help you: 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
  • Review of the BCP


    Answer: I am sorry, but we don’t have a specific checklist for this; commonly, though, the points of a BCP are the following:

    - Roles and responsibilities
    - Key contacts
    - Plan activation and deactivation
    - Communication
    - Incident response
    - Physical sites and transportation
    - Order of recovery for activities
    - Recovery plans

    You can check in your BCP if these points are in place.

    For more information about the structure of the BCP, you can see this article “Business continuity plan: How to structure it according to ISO 22301” : https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/
  • Confidentiality agreements

    In the context of ISO 27001 (which is about protecting business information), the criterion should be risk: if you are sharing information with external parties and you do not have a Confidentiality Agreement with those external parties, there is a significant risk of information disclosure. Therefore, basically, in my opinion, you should establish Confidentiality Agreements with all interested parties that may access specific information of your business (this specific information can be internal, confidential, etc.).

    By the way, you may find this article interesting “Which security clauses to use for supplier agreements?” : https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
  • ISO 27001 vs ISO 27002


    Answer: If you want to implement only ISO 27002, which is a code of best practices about information security, you don’t need ISO 27001. But remember that you cannot certify against ISO 27002; only ISO 27001 is certifiable, because this standard - I mean, ISO 27001 - defines an Information Security Management System.

    The core of ISO 27001 is risk management: basically you will need to identify and treat risks, and for the treatment you can use ISO 27002, because it gives you specific information about how to implement security controls. So, the logic is to implement ISO 27001, using the code of best practices of ISO 27002 to know how to implement security controls for the treatment of the identified risks.

    For more information about ISO 27001 and ISO 27002, please see this article “Diferencias y similitudes entre ISO 27001 e ISO 27002” : https://advisera.com/27001academy/es/knowledgebase/diferencias-y-similitudes-entre-iso-27001-e-iso-27002/

    And also this one “The basic logic of ISO 27001: How does information security work?” : https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
  • Risk management and the Internal audit


    Answer: I am sorry, but the Internal Audit and Risk management are completely different things in ISO 27001. Risk management is performed to identify and treat risks. The Internal Audit is performed (after the risk management) to check compliance with ISO 27001.

    Anyway, if one year you identify a risk and you define a treatment for it, you don’t need to include this risk in your assessment of the next year, because at that moment the treatment will be closed, and it won’t be a risk for your business.

    And remember that no matter what the results of the risk assessment are, the internal audit is mandatory - at least once a year.

    For more information about the risk management you can see this free webinar “The basics of risk assessment and treatment according to ISO 27001” : https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/

    And this course can be also interesting for you “ISO 27001:2013 Internal Auditor Course” : https://advisera.com/training/iso-27001-internal-auditor-course/
  • Identification of threats


    Answer: Our catalogue of threats/vulnerabilities is enough for most companies (small and medium sized), because the list is generic and includes many kinds of threats, useful for any business. Anyway, each business is a different world, and maybe in some cases you need to include specific threats, but probably with our list you can identify the most important ones.

    You should know that it is not possible to identify all the risks - this is why the risk assessment needs to be updated regularly (at least once a year, but if possible more often), and through these updates you will improve the list by adding the risks you identified over time.

    You can also use the catalogue of ISO 27005, which is an international standard that gives you a code of best practices for information security risk management, including a catalogue of threats and vulnerabilities, and maybe it can help you as a complement to our catalogue. You can buy this standard directly from iso.org : https://www.iso.org/standard/75281.html
  • Source vendor dropping ISO 9001 certification


    Answer:

    There is no mandatory requirement in ISO 9001:2015 that source vendors must be certified. Consider the actual supplier performance. If it is positive, you can change your requirements for that kind of supplier to remove the need to be certified. If the supplier performance is negative, consider the possibility of looking for another supplier.

    The following material will provide you information about supplier evaluation:

    - ISO 9001 – How to evaluate supplier performance according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/10/27/how-to-evaluate-supplier-performance-according-to-iso-90012015/
    - free online training ISO 9001:2015 Lead Auditor Course - https://advisera.com/training/iso-9001-lead-auditor-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/