Yes, you still need to do an internal audit. Internal audits and gap analysis are different things and have different purposes. A gap analysis identifies what is missing when it is supposed that something is missing. An internal audit is performed on a process that is supposed to be already operating according to the audit criteria. There is a before and an after the gap analysis; there is no assurance that the changes needed were implemented and effective.
Normally, the Quality Policy is included in the Quality Manual. Nevertheless, the Quality Policy should also be a stand-alone document if there are employees that have no access to the Quality Manual. Normally, the Quality Objectives are not included in the Quality Manual because they can change every year. There are no requirements against including them in the Quality Manual; it is just the practical side of having to change it frequently that stops most people from doing it.
The following material will provide you with information about the Quality Manual:
Yes, environmental audit and environmental monitoring and evaluation are different things, although both are used to evaluate performance. An environmental audit is a systematic process of obtaining evidence to determine if audit criteria are fulfilled. For example: are procedures being followed, are desired results being attained? Audits are done by auditors; they check documentation, they observe, they ask questions of people doing the jobs. Environmental monitoring is about determining the status of a process or system, comparing actual results with desired results (the specifications), and after evaluation deciding if anything should be done. For example, independently of what is being done, an organization can monitor the amount of solid waste that it generates, or the quality of its air emissions.
The following material will provide you with information about monitoring and auditing:
To define samples for a BCMS internal audit you should consider:
- contracts and regulations you must comply with (policies and procedures related to the most critical or most frequent requirements should be sampled)
- the results of business impact assessment (policies and procedures related to the most critical elements identified in the BIA should be sampled)
- business continuity plans and related records
Lack of information in non-conformance description
Answer:
Any non-conformance issued during an audit should include the clause that is not being respected. If I received a non-conformance during a surveillance audit, I would contact the certification body and politely ask them to identify the clause being violated, or ask them whether my interpretation of which clause is not being respected is correct.
The following material will provide you with information about the non-conformances issued during audits:
The EU GDPR states that consent should be “a freely given, specific, informed and unambiguous indication of the individual’s wishes”; this means that consent must consist of a clear affirmative action. Inactivity or silence is not enough, and the use of “pre-ticked boxes” is not permitted.
However, the use of cookies is regulated by the ePrivacy Directive, which states that you only need to inform the visitors about the cookies you are using, not obtain their consent; but this also depends on the types of cookies you are using, as well as the personal data collected and the purposes for which it is used.
First, it is important to note that information flow is not mentioned anywhere in the ISO 27001 standard.
Regarding risk assessment, the information flow is only one of the inputs used to understand the context in which the risk assessment will be performed. So you still have to define an approach to the risk assessment process, and for information security risk assessment the asset-based risk assessment is still one of the most common approaches.
Answer: If you need a procedure for monitoring information processing servers, I suggest you take a look at the free demo of our Operating Procedures for Information and Communication Technology template to see if it can fulfill your needs. You can access the demo at this link: https://advisera.com/27001academy/documentation/security-procedures-for-it-department/
Regarding a Code of Ethics, the requirements of ISO 27001 do not require such a document.
Accredited certification bodies
Answer: Yes, it is true. In Spain, ENAC is the national accreditation body (generally each country has its own), and this body accredits certification bodies that can issue ISO 27001 certificates (and for other ISO standards such as ISO 9001, ISO 14001, etc.). This means that if you have a certificate that was issued by a certification body that is not accredited by an accreditation body (ENAC or any other), a client may not trust your certificate, because it is not accredited.
ENAC, as an accreditation body, evaluates whether each certification body is carrying out the certification process according to a formal process, which has to be aligned with another standard: ISO 27006, an international standard that specifies requirements and provides guidance so that certification bodies can audit and certify an ISMS.
Regarding IQnet, it is basically an international network of certification bodies, which means that if you have an ISO 27001 certificate issued in Spain by a certification body, the same certificate can be valid in another country through another certification body that also belongs to IQnet.
Regarding ISO 27001 and GDPR, ISO 27001 is a standard which focuses on the protection of information, and the EU GDPR is a regulation defining requirements for the protection of privacy, so ISO 27001 can be used as a basis to achieve compliance with approximately 50% of the EU GDPR.
Answer: To avoid duplicated effort you should first map the correlation between the requirements of these three documents, to identify which ones are similar, and only then plan the documents you have to create.