Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11269 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Gap analysis versus internal audit
Answer:
Yes, you still need to do an internal audit. Internal audits and gap analysis are different things and have different purposes. A gap analysis identifies what is missing when it is supposed that something is missing. An internal audit is performed on a process that is supposed to be already operating according to the audit criteria.
The following material will provide you information about gap analysis versus internal audit:
- ISO 9001 – Gap analysis vs. internal audit in ISO 9001 - https://advisera.com/9001academy/blog/2015/02/17/gap-analysis-vs-internal-audit-iso-9001//
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-14001-internal-auditor-course/ 5-foundations-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
Auditor's checklists
Answer:
Normally, each auditor uses his own checklist. So, you can be audited by someone more focused on formalities. ISO 9001:2015 has no mandatory procedures. So, auditors may focus their attention more on results, on effectiveness and less is procedures.
The following material will provide you information about external audits:
- ISO 9001 – Surveillance visits vs. certification audits - https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/ se/iso-90012015-foundations-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
BIA Questionnaire
The impact measurement is based on a 4-point scale starting with 1-marginal up to 4-catastrophic.
Could you please provide a description or definition variance between 1 – Marginal and 2 – Acceptable?
Answer: Marginal is an impact barely perceived and that does not affect business continuity.
Acceptable is any impact that is perceived by the organization, users or customers, but does not require the organization to implement controls to ensure the service levels agreed with customers.
These materials will also help you regarding BIA Questionnaire:
- Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/ -
Selection of controls
We are doing third-party inspections of vessels and in our report format we are taking pictures of the seaman’s certificates and include those in the report we are making.
The certificates contain personal information such as; Name, DOB, certificate number and picture of seaman. We are issuing the final report to the client normally the vessel owner or the vessel owner client e.g. oil company.
We are storing the information in our data base and use the information to verify the skills of the seaman.
My question to you is do we need to implement all the controls identified in the statement of applicability that I have identified under EU DGPR see column “Justification for selection” in the attachment or is it sufficient to implement the controls that we have identified in Appendix 1 Risk Treatment Table?
Answer: To be complaint wi th ISO 27001, controls from Annex A must be implemented if at least one of the following occurs:
- There are unacceptable risks that justify the application of the control
- There are legal requirements (e.g., laws or contract clauses) to which the organization must to comply with
- There is a Top Management decision to implement the controls, by considering then as good practices.
Considering that, you must implement controls not only to treat unacceptable risks identified in the risk assessment, but also controls that can fulfill requirements of the EU GDPR.
This article will provide you further explanation about controls selection:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
These materials will also help you regarding controls selection:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
Exclusions in ISO 9001:2015
If the organization does not perform any design and development process within the QMS, the clause 8.3 of design and development of products can be excluded from the scope. When excluding clauses of the standard, you need to document the exclusions in the document about the scope of the QMS and provide justification for those exclusions.
To learn more about exclusions in ISO 9001:2015, see this article - What clauses can be excluded in ISO 9001:2015https://advisera.com/9001academy/blog/2015/07/07/what-clauses-can-be-excluded-in-iso-90012015/2015/
These materials can also help you with the implementation of ISO 9001:2015:
- Book "Discover ISO 9001:2015 through practical examples": https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
- ISO 9001:2015 Foundations Course: https://advisera.com/training/iso-9001-foundations-course/
- Conformio - Compliance tool: https://advisera.com/conformio/ -
Cómo definir el alcance
ISO 9001:2015 establece que el SGC puede incluir secciones específicas de la organización, por lo tanto puede certificar sólo departamentos o secciones concretas de la empresa y efectivamente considerar el área de desarrollo como su cliente.
Para saber más sobre el alcance de su organización, vea este artículo -Cómo definir el alcance del SGC de acuerdo a la ISO 9001:2015: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/como-definir-el-alcance-del-sgc-de-acuerdo-a-la-iso-90012015/
Estos materiales también pueden serv irle de ayuda con la implementación de ISO 9001:2015:
- Libro - Descubre ISO 9001:2015 mediante ejemplos prácticos (disponible en inglés): https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
- Curso en línea de Fundamentos ISO 9001:2015: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/ -
Incident ticket opening
Answer:
It's important that all incidents are recorded, no matter where they come from (the source of an incident). Source could be internal support (any level) or external (as you mentioned - e.g. supplier). For example, if supplier is responsible for certain functionality in scope of the IT service you provide, their task will be to maintain it. That also includes recording incidents if they see some e.g. malfunctions.
See the articles for further details:
"Incident Management in ITIL – solid foundations of operational processes" https://advisera.com/20000academy/blog/2013/05/21/incident-management-itil-solid-foundations-operational-processes/
"Incident Record – you can’t live without it" https://advisera.com/20000academy/blog/2014/07/01/incident-record-cant-live-without/
or visit free webinar
"ITIL Incident Management Process Demystified" https://advisera.com/20000academy/webinar/itil-incident-management-process-demystified-free-webinar-on-demand/ -
10 days period
Answer:
The 10 days period is just a suggestion which we considered to be reasonable considering that you roughly have 30 days to provide an answer to the data subject.
To learn more about data subject rights check out our webinar “ Data Subject Rights under the EU GDPR” (https://advisera.com/eugdpracademy/webinar/data-subject-rights-under-the-eu-gdpr-free-webinar-on-demand/). -
Controller and Processor sheet
Name of the registration related to IT / System / Software / paper document (means the software used in the PC of each our Employee)? Is there a precompiled guide regarding this attachment?
Answers:
1. Both sheets need to be filled in as most likely it you are a company established in the EU you will be having processing activities for which you are acting as controller such as HR related activities (recruitments, onboarding, HR administration) as well as activities where you are acting as a processors for instance if you are a company providing IT maintenance for a another company (controller) and while doing that you are having access to the controller's personal data.
2. That particular column should filled in with either the System that is processing the personal data for a specific processing activity or the processing activity itself (see the examples regarding HR) this is because there may be several processing activities that do not rely on an I system (e.g. resisting the visitors, or training attendance lists).
To learn more about the EU GDPR check out our “EU GDPR Foundation Course” https://advisera.com/training/eu-gdpr-foundations-course// -
Register of Privacy Notices
Answer:
There are several notices that can be included in there such as: website privacy notice, employee privacy notice, recruitment privacy notice, visitors privacy notice, etc.
To find out more about privacy notices check out our webinar “Privacy Notices under the EU GDPR” (https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/)