If the EU GDPR is applicable for your university, then I would say that a Privacy Policy would need to be created to raise awareness and prove compliance. But first you need to check in which areas the GDPR is applicable, because it is most likely that it would be applicable in limited cases.
We are interested in moving into an AS 9100 certification as well, so I want a strong QMS governing my ISO 9001:2015 in order to have a smooth transition into the new cert.
Answer:
We have a complete audit checklist which includes more than 100 questions to ensure each requirement of the ISO 9001 standard is implemented and maintained within the QMS, and includes the ability for the company to add additional questions to suit additional company needs. You can download a free preview here - Internal Audit Checklist: https://advisera.com/9001academy/documentation/internal-audit-checklist/
Yes, our templates are designed to be fully compliant with the standards they cover. This internal audit checklist covers the main requirements of ISO 22301 and ISO 27001 and the controls from ISO 27001 Annex A.
You can take a look at the free demo of the Internal audit checklist at this link: https://advisera.com/27001academy/documentation/internal-audit-checklist/
From this free demo you can check if it can fulfil your needs.
Gap assessment report
ISO 27001 does not require a Gap Assessment Report, and this is not a common document used in an ISMS, so there is no specific template available in the toolkits. For gap assessment, I suggest you take a look at our ISO 27001 Gap Analysis Tool at this link: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/.
After completing the question-and-answer format you can provide your email to receive the results, informing you what you already have, what needs to be done and suggestions about what to do.
Documentation of security responsibilities
Answer: ISO 27001 only requires the definition, designation and communication of responsibilities and authorities regarding ensuring that the ISMS conforms with the standard and that reporting on the performance of the ISMS is made to top management. Other duties and responsibilities can be added if the organization identifies a need to do that.
You can document general information security roles and responsibilities in job descriptions, or as a part of the organizational chart, or in the Information Security Policy.
Specific security roles and responsibilities can be documented in policies, procedures, plans, and other documents that you develop as a part of the ISO 27001 implementation.
Answer: ISO 27001 does not prescribe an approach to perform risk assessment, so you can choose the approach that best suits your needs.
Asset-based risk assessment is easier to perform, while process-based risk assessment can provide you with a more understandable context to identify and evaluate risks.
We have recorded this in house in the Data Breach Register, recalled the messages to minimize the impact and taken steps to prevent it happening again.
However, I am unable to ascertain if this would require reporting to the ICO. My interpretation is that this would not constitute a risk for the rights and freedoms of individuals and therefore would not require reporting to the ICO. Please can you advise?
Answer:
If the only data that was disclosed to unauthorized recipients are email addresses, then I would say it is safe to say that there is no risk to the rights and freedoms of the data subjects and it is not necessary to notify the ICO.
Answer: Yes, it is possible to certify your company only for the first office without expanding the scope of ISO certification; however, be aware that in such a case the other offices will be treated as third parties, which could complicate your operations. Such solutions are better for larger companies, whereas for smaller companies we recommend that you include your whole company (i.e. all of your offices) in the scope.
Clause 8.3.6 applies to design and development changes. Even with an established product or service, your organization can design and develop new and, we hope, improved versions, for example because of technological changes, because of legal changes, or because of customer feedback.
The following material will provide you information about design and development:
There is no requirement in ISO about that. Nevertheless, I would recommend your suggestion. I like to include in the policy an answer to the question: who are we?
The following material will provide you information about quality policy: