Information security management policy vs information security policy
Answer:
Yes, in the context of ISO 27001 this is the same document - such a document defines top-level management intent regarding information security and general roles and responsibilities.
Detailed security rules are usually written through detailed policies, for example in our toolkit you will see IT Security Policy that describes detailed general rules for all employees.
Risk likelihood
Answer:
First of all, you should record an incident in the Incident log, not in the Risk register - the purpose of the Incident log is to record all the incidents from the past, while the Risk register tries to anticipate the incidents of the future.
If an incident has already happened in the past, then it has a much higher chance of happening in the future.
These materials will also help you regarding risk assessment:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-risk-management-in-plain-english/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Approach for the document management
1. Context – Read each template document to understand the context of each document.
2. Content – Replace the placeholder tags in the template documents with the relevant information as per the context of the document. Some of this information will be available in the current BCM document.
3. Compile – Go through each document to check that the document has no formatting issues.
What additional steps do we need to follow in addition to the approach described above?
Answer: Basically you are on the right track, but additionally, you can also define a method for the review and approval of documents. So, when you finish the documentation, some person can review each document (and probably identify some errors), and afterwards a person can approve each document (if everything is ok). If after the review a change is necessary, you can also add this change in the change history.
It is also important to follow the sequence of folders for the implementation, because these are the optimal steps to implement the standard.
A third-party audit is performed by an audit organization independent of the customer-supplier relationship and is free of any conflict of interest. An audit by a regulator is independent of the customer-supplier relationship, and the audit organization is independent of the audited organization. So, an audit by a regulatory body can be considered a third-party audit.
The following material will provide you information about audits:
Usually controllers need to establish the identity of a data subject before answering any requests in order to ensure that they are dealing with the right person. However, asking you to provide a copy of your ID might be excessive especially because the EU GDPR does not apply exclusively to EU citizens.
The certification and implementation of the ISO 9001 and ISO 14001 standards is the same for all sectors, including non-profit associations, which must comply with each of the requirements of the standards, just as a company does.
Clause 8.2.3 is about the need to check if the organization has the capacity to fulfill a customer's order. Clause 8.4.1 (last paragraph) can be interpreted, although it is not mandatory, as a need to do supplier rating.
The following material will provide you information about relationships with customers:
Interfaces are the limit points between what is inside the ISMS scope and what is outside (e.g., a website page is an interface between the organization's information systems and the external public, a loading area is an interface between a supplier and the organization, etc.).
Dependencies are relations between an organization's elements (processes, assets, etc.) that are needed to achieve a defined outcome (e.g., a datacenter depends upon a communication provider to make information systems available).
Organizational knowledge at a university department
Answer:
I would look into the university department and ask:
Do you have a list of relevant functions or roles in this department?
Can you evidence the determination of what knowledge is necessary for performing a function relevant for achieving process performance and/or products and services conformity?
Can you evidence how that knowledge is kept alive and is shared when needed? (It can be a database, Work Instructions, reports, or sharing information at meetings.)
Can the department evidence actions to prevent knowledge loss? (For example, if someone leaves, if someone is promoted, if someone has an accident.)
Can the department evidence the knowledge transmission when someone starts in a function?
Particularly important in the university environment - Can your department evidence routines to be aware of new knowledge? Subscriptions to technical magazines? Regular meetings with other organizations? Partnerships with companies or other universities? Regular participation at seminars and conferences? Programs for buying books?