A chip manufacturing organization would like to go for ISO 27001 and wants to include only IT managed services in the scope. IT managed services is a support organization helping the entire business, but its labs environment is different and they would like to keep it out of the ISO 27001 scope. Is that possible?
Answer:
ISO 27001 does not require the ISMS scope to cover the whole organization, so it can be defined as only a small part if that fulfills the organization's needs and objectives.
Answer: You cannot directly certify a product or service, or a process of a service/product, but you can include them in the definition of your certificate. For example: "The information systems that support service X, according to the Statement of Applicability version x/y/z."
In any case, if the company is small or medium-sized, we recommend including the whole organization in the scope of the ISMS.
In my opinion small companies should indeed avoid too much documentation, and that is actually the aim of the new standard ISO 9001:2015. Just complying with the mandatory documents, the list of which you can see here - List of mandatory documents required by ISO 9001:2015: https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/ - and deciding on some other commonly used documented procedures should be enough for an organization to succeed in an audit.
You don't need to keep the quality policy separately for ISO 17025 and ISO 9001. What is mandatory is to maintain documented information on the quality policy for both standards, so it doesn't matter whether you do it separately or have only one document.
>I am fully satisfied with the answer for the loading & unloading area. I do understand what the standard says, but how do I make it from scratch? So just consider any office, and I have to make a new loading & unloading area.
Answer:
Once you already have the requirements for this new area, you have to assess your office to verify whether you have any environment (e.g., a room or free area) available that can fulfill them (the most restrictive ones will be those related to an isolated environment and the existence of internal and external doors, because all the others are related to actions and signage).
If you do not have such an area available now, you will have to build one (if this control is considered applicable). In this case you will have to pass these requirements on to whoever is responsible for building the new area, so you can ensure it fulfills control A.11.1.6.
Toolkit selection
From your experience, what is the best way to approach this project? We are also looking at purchasing your toolkit and were wondering whether we should purchase the ISO 27001 toolkit or the EU GDPR/ISO 27001 toolkit, despite our certification requirement being only for ISO 27001, considering the price difference and for future sake.
Answer:
The main question here is whether the US facility has to handle EU citizens' data, or will handle it in the near future. If the US facility does not have access to EU citizens' data, and does not expect to in the near future, you can reduce its scope to only ISO 27001 and US legal requirements. Implementing integrated standards/regulations is more complex, and you should avoid such implementations whenever possible.
Regarding the toolkits, I'd suggest you buy the EU GDPR/ISO 27001 toolkit https://advisera.com/eugdpracademy/eu-gdpr-iso-27001-integrated-documentation-toolkit/, because this one has all the documents you will need to fulfill both ISO 27001 and EU GDPR, and you can use only the ISO 27001-related documents to implement ISO 27001 in your US facility.
Evidencing the context of the organization
Answer:
It is always advisable to determine the context in the simplest way possible, for example by organizing a brainstorming session with the relevant personnel of the organization and carrying out a SWOT analysis (strengths, weaknesses, opportunities and threats). The meeting minutes that include this analysis would be enough to evidence that the determination of the organization's context has been carried out.
Internal audit and control/evaluation of suppliers
How is it done in that case? How do you verify the requirements the standard establishes that relate to those departments?
Answer:
In that case the organization has several external providers that perform the services of different areas of the organization. Clause 8.4.1 of ISO 9001:2015 establishes that external providers must be controlled and their performance evaluated, so this is what must be audited in the organization: the control and evaluation of external providers.
One of the methods for controlling outsourced processes is for the organization to establish in the contract with the provider, by means of documented information (for example procedures or work instructions), the functions, responsibilities, reports, consequences, etc. In turn, the organization must have a set of criteria for selecting its providers, such as delivery quality, price, payment terms, etc.
Another option for supplier control can be a second-party audit process. In this case the checklist must be agreed and approved by both parties, the organization and the supplier.
Please check the last paragraph of Annex A.3 of ISO 9001:2015. It is up to each organization to decide whether a certain entity is an interested party or not. Considering a certain entity or group as an interested party is not a technical decision; it is a management decision. Different organizations in the same economic sector can have different sets of interested parties due to different strategic orientations.
If you consider a certification body an interested party, I would consider the contract or agreement with them as the source of their requirements. Review could be done when going for recertification or after a request to change the contract or agreement.
The following material will provide you with information about interested parties:
Answer: Very often, for efficiency reasons, only information classified as highly sensitive is labelled (ISO 27001 is not prescriptive about which information to label, so this is an organizational decision), and in such scenarios information that is not highly sensitive is not labelled.
Regarding what you need to label, you must include all documents within the ISMS scope, i.e., the information you want to protect and documents related to the ISMS, regardless of the media used (if the same highly sensitive information is on electronic and physical media, both media must be labelled).