Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11269 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Interested parties
Answer: Examples of internal interested parties are pretty much the same regardless the industry: employees, top management, and shareholders.
As for examples of external interested parties we can mention: regulatory agencies, clients, local community, and suppliers.
This article will provide you further explanation about interested parties:
- How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301// -
Nonconformity occurrence and risks
Answer:
I have not seen the nonconformance. Looking into clause 10.2 I can guess what the intention of the auditor was. Please, check the first part of clause 10.2 – “When a nonconformity occurs” it is about the occurrence of a nonconformity, not about corrective action. When a nonconformity occurs, your organization should update risks and opportunities determined during planning, if necessary. A nonconformity is the manifestation of a risk that actually happened. Was that risk initially determined? Was that risk correctly classified and evaluated? The nonconformity can be about something that you overlooked during the initial risk determination. Waiting for an annual revision exercise can be too late to act.
The following material will provide you information about risks and opportunities:
- ISO 9001 – How to address risks and opportunities in ISO 9001 – https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
- Risk-based thinking replacing preventive action in ISO 9001:2015 – The benefits https://advisera.com/9001academy/knowledgebase/risk-based-thinking-replacing-preventive-action-in-iso-90012015-the-benefits/
- - ISO 9001:2015 Risk Management Toolkit – https://advisera.com/9001academy/iso-90012015-risk-management-toolkit/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
Changes in the scope
Answer:
If some changes happen in your company, like reorganization, then you will need to redetermine the scope of your organization and you will have to analyse how this will affect your entire QMS, including the context of your organization, risks and opportunities, etc.
You don´t need to put in the ISO since it is just a PDF document published by ISO.
To learn more about changes in the scope you can see these articles:
- How to define the scope of the QMS according to ISO 9001:2015: https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
- QMS change management in 7 steps: https://advisera.com/9001academy/blog/2016/11/29/qms-change-management-in-7-steps/
Also these materials can help you with the implementation of IS O 9001:2015:
- Book "Discover ISO 9001:2015 through practical examples": https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
- ISO 9001:2015 Foundations Course: https://advisera.com/training/iso-9001-foundations-course/
- Conformio - Compliance tool: https://advisera.com/conformio/ -
Staff commitment
In order to increase the commitment of the employees you can organize an awareness session with them presenting the myths and benefits of ISO 9001:2015 as well as the importance of their role in the implementation. For that purpose you can use this presentation - Why ISO 9001:2015 - Awareness Presentation: https://info.advisera.com/9001academy/free-download/why-iso-9001-2015-awareness-presentation
You can also read this white paper which explains how implementing ISO 9001 can help your business grow and perform better - How can ISO 9001 help your business grow: https://info.advisera.com/9001academy/free-download/how-can-iso-9001-help-your-business-grow
To learn more about the importance of the personnel commitment in the i mplementation, you can use this materials:
- ISO 9001: 2015 Foundations Course: https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
FSSC vs FSMS
Answer:
FSMS stands for Food Safety Management System. FSSC stands for Food Safety System Certification. ISO 22000 is not recognized by GFSI (Global Food Safety Initiative), however a certification scheme that uses ISO 22000 as part of its requirements is. This certification is FSSC 22000, and it is recognized by GFSI. -
Change Management - purpose and objectives
Answer:
Change Management process deals with live services and their efficiency. Therefore, success (or un-success) of process activities is seen and noticed by the customer (who pays the bill, after-all). So,there are many elements why is Change Management important, and these articles can help you:
"ITIL V3 Change Management – at the heart of Service Management" https://advisera.com/20000academy/knowledgebase/itil-v3-change-management-at-the-heart-of-service-management/
"5 benefits of ITIL Change Management implementation" https://advisera.com/20000academy/blog/2016/06/21/5-benefits-of-itil-change-management-implementation/
"How to overcome barriers while implementing the ITIL/ISO 20000 Change Management process" https://advisera.com/ 00academy/blog/2015/12/15/how-to-overcome-barriers-while-implementing-the-itiliso-20000-change-management-process/
Also, this free webinar can help you
"An overview of the ITIL Change Management Process" https://advisera.com/20000academy/webinar/an-overview-of-the-itil-change-management-process-free-webinar-on-demand/ -
Fulflling control A.18.1.1
1 - Does Contractual requirements refer to any contract or service agreement we have made with a supplier; for example telecommunications, web hosting?
Answer: Contractual requirements refer to any contract or service agreement relevant to information security, established not only between your organization and suppliers, but with customers and employees too.
This article will provide you information about what to consider as contractual requirements:
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
- What to consider in security terms and conditions for employees according to ISO 27001 https://advisera.com/27001academy/blog/2018/05/23/what-to-consider-in-security-terms-and-conditions-for-employees-according-to-iso-27001/
2 - Should the list of re gulatory and legal requirements include those required by our clients? For example the Civil Contingencies Act needed for an emergency service or local council we would be providing a serve to.
Answer: Regulatory and legal requirements relevant to information security must consider requirements from any relevant interested party, such as customers, suppliers, regulators, governments, etc.
This article will provide you information about interested parties and their requirements:
- How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/ -
Filling scope template
We have one office at a single address. However we rent a serverspace at XXXXX, equipped with server racks where we place and maintain our own servers. Electricity, heating/cooling, connectivity etc is supplied by the owner of the facility. We do not have 24/7 access. When we encounter a problem during hours that the facility is closed, we have to wait to gain access until the facility is opened again?
In your experience, does such a facility have to be included in the scope.
Answer: If your organization performs the operation and maintenance of these server racks you must include this location in your ISMS scope. If the operation and maintenance of these server racks are outsourced, then you do not need to include this location in your ISMS scope, but it is important to notice that the rented serverspace (and the outsourced operation of servers, if applicable) must be considered in the risk assessment (the risk assessment will help you to insert applica ble security clauses into the agreement with the service provider).
This article will provide you more information about defining the scope:
- Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/ -
Consultation recommendation
Answer: Our ISO 27001 Documentation toolkit covers information security in general and it is sufficient also to provide security for cloud environments, but if you have specific requirements for cloud security (e.g., laws, regulations, and customers requirements), then we recommend our ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit. In the links bellow you can access a free demo of both toolkits:
- ISO 27001 Documentation toolkit https://advisera.com/27001academy/iso-27001-documentation-toolkit/
- ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit https://advisera.com/27001academy/iso-27001-iso-27017-iso-27018-cloud-documentation-toolkit/
These articles will provide you more information about ISO 27017 and ISO 27018:
- ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
- ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/ -
When is EU GDPR applicable?
2. If GDPR is incompatible with domestic law how to ?(Such as GPS some country need to tracking CAR but GDPR no need)
3. How about penalty process ? (Who checked who settled and who paid the fine. And who pay? And ็Have a lawsuit after the 25-Jun or not?)
Answers:
1. The key to understanding when EU GDPR is applicable is understanding the meaning of “in the Union.” The EU GDPR .. .will only apply to personal data regarding individuals within the Union, while the nationality or habitual residence of those individuals is irrelevant. If the processing refers to a person that is physically in Thailand then the EU GDPR is not applicable.
2. The EU GDPR can be superseded by national law in some instances. However, is only EU Member State Law that can supersede the provisions of the Regulation.
3. The GD PR only sets the maximum fines. The way the fines are applied is subject to local Member State Law.
To learn more the EU GDPR check out our free “EU GDPR Foundation Course” https://advisera.com/training/