Yes, environmental audit and environmental monitoring and evaluation are different things, although both are used to evaluate performance. An environmental audit is a systematic process of obtaining evidence to determine if audit criteria are fulfilled. For example: are procedures being followed, are desired results being attained? Audits are done by auditors; they check documentation, they observe, and they ask questions of the people doing the jobs. Environmental monitoring is about determining the status of a process or system, comparing actual results with desired results (the specifications), and, after evaluation, deciding if anything should be done. For example, independently of what is being done, an organization can monitor the amount of solid waste it generates, or the quality of its air emissions.
The following material will provide you with information about monitoring and auditing:
To define samples for a BCMS internal audit you should consider:
- contracts and regulations you must comply with (policies and procedures related to the most critical or most frequent requirements should be sampled)
- the results of business impact assessment (policies and procedures related to the most critical elements identified in the BIA should be sampled)
- business continuity plans and related records
Lack of information in non-conformance description
Answer:
Any non-conformance issued during an audit should include the clause that is not being respected. If I received a non-conformance during a surveillance audit, I would contact the certification body and politely ask them to identify the clause being violated, or ask them whether my interpretation of which clause is not being respected is correct.
The following material will provide you with information about the non-conformances issued during audits:
The EU GDPR states that consent should be “a freely given, specific, informed and unambiguous indication of the individual’s wishes”; this means that consent must consist of a clear affirmative action. Inactivity or silence is not enough, and the use of “pre-ticked boxes” is not permitted.
However, the use of cookies is regulated by the ePrivacy Directive, which states that you only need to inform visitors about the cookies you are using, without obtaining their consent, but this also depends on the types of cookies you are using, as well as the personal data collected and the purposes for which it is used.
First, it is important to note that information flow is not mentioned anywhere in the ISO 27001 standard.
Regarding risk assessment, the information flow is only one of the inputs used to understand the context in which the risk assessment will be performed. So you still have to define an approach to the risk assessment process, and for information security risk assessment the asset-based risk assessment is still one of the most common approaches.
Answer: If you need a procedure for monitoring information processing servers, I suggest you take a look at the free demo of our Operating Procedures for Information and Communication Technology template to see if it can fulfill your needs. You can access the demo at this link: https://advisera.com/27001academy/documentation/security-procedures-for-it-department/
Regarding a Code of Ethics, the requirements of ISO 27001 do not require such a document.
Accredited certification bodies
Answer: Yes, it is true. In Spain, ENAC is the national accreditation body (generally each country has its own), and this body accredits certification bodies that can issue ISO 27001 certificates (and certificates for other ISO standards such as ISO 9001, ISO 14001, etc.). This means that if you have a certificate that was issued by a certification body that is not accredited by an accreditation body (ENAC or any other), a customer may not trust your certificate, because it is not accredited.
ENAC, as an accreditation body, evaluates whether each certification body is carrying out the certification process according to a formal process, which has to be aligned with another standard: ISO 27006, an international standard that specifies requirements and provides guidance so that certification bodies can audit and certify an ISMS.
Regarding IQnet, it is basically an international network of certification bodies, which means that if you have an ISO 27001 certificate issued in Spain by a certification body, the same certificate can be valid in another country through another certification body that also belongs to IQnet.
Regarding ISO 27001 and GDPR, ISO 27001 is a standard which focuses on the protection of information, and the EU GDPR is a regulation defining requirements for the protection of privacy, so ISO 27001 can be used as a basis to achieve compliance with ca. 50% of the EU GDPR.
Answer: To avoid duplicate effort you should first map the correlation between the requirements of these three documents, to identify which ones are similar, and only then plan the documents you have to create.
Answer: Since their publication, ISO 27017 and ISO 27018 have not been reviewed or updated (by means of corrigenda), so any information regarding them in our knowledge base is still up to date.
Regarding ISO 27001, two updates have already been published through corrigenda, one in 2014 and the other in 2015, but they refer to minor corrections to the standard that do not affect an ISMS based on this standard, or its relation with ISO 27017 or ISO 27018.
(1) Please check clause 6.1.1 – it is there that the standard establishes that organizations should determine risks and opportunities associated with environmental aspects. See also the note at the end of clause 6.1.2 and annex A.6.1.1.
(2) No. Please check annex A.8.1, first paragraph. That will depend on the risks and opportunities, significant environmental aspects and compliance obligations. For example, if you have non-significant environmental aspects without associated compliance obligations there is no need for operational control.
The following material will provide you with information about operational control: