  • Quality policy in ISO 9001 and ISO 17025


    Answer:

    You don't need to keep the quality policy separately for ISO 17025 and ISO 9001. What is mandatory is to maintain documented information of the quality policy for both standards, so it doesn't matter if you do it separately or have only one document.

    To learn more about quality policy in ISO 9001 and ISO 17025, you can see:
    - ISO 17025 vs ISO 9001: https://advisera.com/17025academy/blog/2019/07/11/iso-17025-vs-iso-9001-main-differences-and-similarities//
  • Loading and unloading areas and ISO 27001

    We've received this question:

    >I am fully satisfied with the answer for loading & unloading area. I do understand what the standard says but how to make it from scratch? So just consider any office, and I have to make a new loading & unloading area.

    Answer:

    Once you already have the requirements for this new area, you have to assess your office to verify if you have any environment (e.g., a room or free area) available that can fulfill them (the most restrictive ones will be those related to an isolated environment and the existence of internal and external doors, because all the others are related to actions and signage).

    If you do not currently have such an area available, you will have to build one (if this control is considered applicable). In this case you will have to pass these requirements on to the person responsible for building this new area, so you can ensure it will fulfill control A.11.1.6.
  • Toolkit selection

    From your experience, what is the best way to approach this project? We are also looking at purchasing your toolkit and were wondering if we should purchase only the ISO 27001 toolkit or buy the EU GDPR/ISO 27001 toolkit, even though our certification requirement is only for ISO 27001, considering the price difference for future sake.

    Answer:

    The main question here is whether the US facility has to handle EU citizens' data, or will handle it in the near future. If the US facility does not have access to EU citizens' data, and does not expect that in the near future, you can reduce its scope to only ISO 27001 and US legal requirements. Implementing integrated standards/regulations is more complex, and you should avoid such implementations whenever possible.

    Regarding the toolkits, I'd suggest you buy the EU GDPR/ISO 27001 toolkit (https://advisera.com/eugdpracademy/eu-gdpr-iso-27001-integrated-documentation-toolkit/), because this one has all the documents you will need to fulfill both ISO 27001 and EU GDPR, and you can use only the ISO 27001 related documents to implement ISO 27001 in your US facility.
  • Evidencing the context of the organization


    Answer:

    It is always advisable to determine the context in the simplest way possible, for example by organizing a brainstorming session with the relevant personnel of the organization and carrying out a SWOT analysis (strengths, weaknesses, opportunities and threats). The meeting minutes that include this analysis would be sufficient to evidence that the determination of the organization's context has been carried out.

    For more information about the context of the organization in ISO 14001:2015 you can see:
    - Article - Determining the context of the organization in ISO 14001: https://advisera.com/14001academy/es/knowledgebase/determinar-el-contexto-de-la-organizacion-en-iso-14001/
    - Book - The ISO 14001:2015 Companion (in English): https://advisera.com/books/the-iso-14001-2015-companion/
    - Free online course ISO 14001:2015 Foundations: https://advisera.com/training/es/course/curso-fundamentos-iso-14001/
  • Internal audit and supplier control/evaluation

    How is it done in that case? In what way can the requirements of the standard that relate to those departments be verified?

    Answer:

    In that case the organization has several external providers who perform the services of different areas of the organization. Clause 8.4.1 of ISO 9001:2015 establishes that external providers must be controlled and their performance evaluated, so this is what must be audited in the organization: the control and evaluation of external providers.

    One of the methods for controlling outsourced processes is for the organization to establish in the contract with the provider, through documented information (for example procedures or work instructions), the functions, responsibilities, reports, consequences, etc. In turn, the organization must have a set of criteria for selecting its providers, such as delivery quality, price, payment terms, etc.
    Another option for supplier control can be a second-party audit process. In this case the checklist has to be agreed upon and approved by both parties, the organization and the provider.

    These materials may be useful for carrying out the internal audit regarding supplier control and evaluation:
    - Article - How to control outsourced processes using ISO 9001:2015 (in English): https://advisera.com/9001academy/blog/2015/05/05/how-to-control-outsourced-processes-using-iso-9001/
    - Article - How to evaluate supplier performance according to ISO 9001:2015 (in English): https://advisera.com/9001academy/blog/2015/10/27/how-to-evaluate-supplier-performance-according-to-iso-90012015/?icn=free-blog-9001&ici=top-how-to-evaluate-supplier-performance-according-to-iso-9001-2015-txt
    - Book - ISO Internal Audit: A Plain English Guide: https://advisera.com/books/auditoria-interna-iso-una-guia-en-un-lenguaje-sencillo/
    - Free online course - ISO 9001:2015 Internal Auditor Course: https://advisera.com/es/formacion/curso-auditor-interno-iso-9001/
  • Interested parties - Decision


    Answer:

    Please check the last paragraph of Annex A.3 of ISO 9001:2015. It is up to each organization to decide if a certain entity is an interested party or not. Considering a certain entity or group as an interested party is not a technical decision, it is a management decision. Different organizations in the same economic sector can have different sets of interested parties due to different strategic orientations.

    If you consider a certification body as an interested party I would consider the contract or agreement with them as the source of their requirements. Revision could be done when going for recertification or after some request to change the contract or agreement.

    The following material will provide you information about interested parties:

    - ISO 9001 – How to determine interested parties and their requirements according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/11/10/how-to-determine-interested-parties-and-their-requirements-according-to-iso-90012015/
    - Understanding needs & expectations of interested parties in ISO 9001:2015 - https://advisera.com/9001academy/blog/2017/10/24/understanding-needs-expectations-of-interested-parties-in-iso-90012015/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Information labeling


    Answer: Very often, for efficiency reasons, only information classified as highly sensitive is labelled (ISO 27001 is not prescriptive about which information to label, so this is an organizational decision), and in such scenarios information that is not highly sensitive is not labelled.

    Regarding what you need to label, you must include all documents within the ISMS scope, i.e., the information you want to protect and documents related to the ISMS, regardless of the media used (if the same highly sensitive information is on electronic and physical media, both media must be labelled).

    This article will provide more information:
    - Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
  • Personal certification maintenance

    We received this question:

    >I am reaching out to you for the clarification of maintenance again. Please refer to my certificate. It says it is valid for 3 years. I understand we don't need to renew it but the details on the certificate say otherwise. Can you please help me to understand if I am missing something?

    Answer:

    The period mentioned in the certificate relates to how long this certificate can be used in the process of becoming a certification auditor. Since you passed the exam in 2016, this certification is valid until 2019, to be used to fulfill one of the requirements to become a certification auditor. After 2019 you have to take another exam to have a valid certification for this process.

    This article will provide you additional information:
    - How to become ISO 27001 Lead Auditor https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
  • Template content

    Answer: You can use our Training and Awareness Plan template to determine and organize the required competencies for your ISMS.

    You can see a free demo of this template at this link: https://advisera.com/27001academy/documentation/training-and-awareness-plan/

    This article can provide more information:
    - What to look for when hiring a security professional https://advisera.com/27001academy/blog/2016/02/15/what-to-look-for-when-hiring-a-security-professional/

    2. Is there a template for Information related to information security objectives at relevant functions and levels, as required in clause 6.2?
    Answer: You can use our Statement of Applicability template to define the objectives for your ISMS and the Measurement Report template to summarize the measurement methods, the frequency of measurement, and the results.

    You can see a free demo of these templates at these links:
    - https://advisera.com/27001academy/documentation/statement-of-applicability/
    - https://advisera.com/27001academy/documentation/measurement-report/
    These articles can provide more information:
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
    - ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/

    3. Is there a template for plans to achieve the security objectives, as required in clause 6.2, must have been determined (at least for the majority of the security objectives defined)?

    Answer: The security objectives are achieved by treating the risks that can affect them. Considering that, you can use our Risk Treatment Plan to determine precisely who is responsible for the implementation of controls, in which time frame, with what budget, etc.

    You can see a free demo of this template at this link: https://advisera.com/27001academy/documentation/risk-treatment-plan/
    This material can provide more information:
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/

    4. Is there a template that identifies the Needs and expectations of interested parties, as mentioned in clause 4.2?

    Answer: You can use our List of legal, regulatory and contractual requirements template to identify and document the requirements of interested parties.

    You can see a free demo of this template at this link: https://advisera.com/27001academy/documentation/list-of-legal-regulatory-contractual-and-other-requirements/

    You can read more here: Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization) https://advisera.com/27001academy/knowledgebase/explanation-iso-270012013-clause-4-1-understanding-organization
  • Return of assets control


    Answer:

    The return of assets control has the objective of ensuring the return of all organizational assets in the possession of employees or contractors upon termination of their work relationship. Considering that, you must include in your list all assets of the organization that are in their possession and that can pose an unacceptable risk to information security. Regarding personal assets, it is important to record them so you can know where your information may be stored. When personnel are leaving the organization you should check if all organizational assets were returned, and if information on personal devices was deleted.

    The application of this control may be tricky in organizations where personnel often use their own equipment, due to privacy questions, or where the organization has a lot of mobile equipment, so you should consider clearly defining who among the personnel, and in what circumstances, is responsible for assets that can easily be moved out of the organization's premises.

    These materials can help you regarding use of personal device:
    - How to write an easy-to-use BYOD policy compliant with ISO 27001 https://advisera.com/27001academy/blog/2015/09/07/how-to-write-an-easy-to-use-byod-policy-compliant-with-iso-27001/
    - Bring Your Own Device (BYOD) Policy https://advisera.com/27001academy/documentation/bring-your-own-device-byod-policy/