  • Control implementation


    Thank,

    "Risk assessment is a crucial step in Information Security Management System (ISMS) implementation because it tells you the following: you should implement security controls (safeguards) only if there are risks (potential incidents) that would justify that particular control. In other words, the higher the risk, the more you need to invest in controls; but, on the other hand, if there are no risks that would justify a particular control, then implementing it would be a waste of time and money"

    Answer: Controls from ISO 27001 Annex A must be applied only if one of the following occurs:
    - There are risks identified as unacceptable in the risk assessment that require the implementation of the control
    - There are legal requirements (e.g., laws, regulations, contracts, etc.) that require the implementation of the control
    - There is a top management decision requiring the implementation of the control

    If none of these occurs there is no need to implement a control considering ISO 27001 requirements.

    These articles will provide you further explanation about risk assessment:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    These materials will also help you regarding risk assessment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Product safety & continual improvement


    Answer:
    The requirements for product safety are directly related to your product. If you have a product with hazards (such as a battery with a hazard of shocking someone while using it), then you need to identify these hazards and decide what needs to be done (such as warning labels, protective covers, etc.). If your product does not have any safety hazard, then you could simply demonstrate that this has been assessed and therefore no actions are required.
    Continual improvement is the incremental, planned changes that you implement to make things better in your organization (as opposed to continuous, which means everything is improving all the time). This is to be applied to your products and services and the QMS to meet customer needs and enhance customer satisfaction (clause 10.1), as well as looking for opportunities to improve other aspects of the QMS not directly related to customer requirements or satisfaction (clause 10.3). In many ways, one of the biggest ways that a company demonstrates continual improvement is through the use of well-planned quality objectives, which give a target for improvement, and following through on plans to achieve them.

    For more information see this whitepaper: https://info.advisera.com/9100academy/free-download/clause-by-clause-explanation-of-as9100-rev-d
  • Safety Data Sheets in the AS9100 audit


    The other is a ceramic dielectric powder company (ISO 9001) who designs product for the customer. This company does provide SDS with the shipments.

    Will the auditor be reviewing SDS during the audit based on "statutory and regulatory requirements"?

    Answer:
    This is something that has two answers, and they are the same for AS9100 Rev D and ISO 9001:2015.
    First, having SDSs for the chemicals and materials that are used within the company comes under “Environment for operation of processes” (Clause 7.1.4). If your country requires you to have these SDSs in order to use the chemicals, you must therefore have them to perform your processes. This was also previously the case in the last standard under clause 6.4 for “work environment”. If you needed to have these in place to perform your process, then it is a resource that you needed to have and was therefore auditable.
    Secondly, if you are creating a chemical that requires an SDS to be sent with it, then this is a requirement of your product. Therefore, it falls under the standard in clause 8.2.2, “Determining the requirements for products and services”. If there is a requirement that you need to meet and you are not doing so, this could be an audit nonconformance. Again, in the previous version of the standards this was also a requirement in clause 7.2.1, “Determination of requirements related to the product”, which also stated that you shall determine statutory and regulatory requirements applicable to the product.
    So, this has really not changed. The auditors could have reviewed SDSs during an audit against these requirements. That being said, just because an auditor can look at one aspect of a process does not mean that they will.
  • Gender and date of birth

    Title (Mr/Mrs/Ms etc)
    Date of Birth
    Gender
    Are any or all of these classed as “Sensitive Personal Data” ? What extra precautions do we need to take for these?

    Answer:

    Gender and date of birth are not sensitive personal data as per the definition provided by the EU GDPR, so there are no extra precautions needed.

    To learn more about sensitive personal data check out our free “EU GDPR Foundations Course” https://advisera.com/training/eu-gdpr-foundations-course/
  • Certification bodies


    We are located in Eindhoven - NL. Our primary business is providing a SaaS solution; we work with a 27001-certified hosting partner.

    Answer: I'm assuming you are referring to certification bodies instead of auditing agencies. Considering that, we do not know the Netherlands market in detail to recommend specific certification bodies, but you should consider these references:
    - SGS https://www.sgs.nl/en
    - BSI https://www.bsigroup.com/nl-NL/

    To help you select a certification body, I recommend these materials:
    - How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
    - List of Questions to ask an ISO 27001 or ISO 22301 certification body https://info.advisera.com/27001academy/free-download/list-of-questions-to-ask-an-iso-27001-certification-body
  • Integrating ISO 27001 and ISO 9001

    All ISO management systems published after 2012 have the same general structure, and this makes integrating them a lot easier. In the integration process you should consider two phases:
    1 – Integration of the common parts of ISO management systems, e.g., control of documents, internal audit, training, management review, etc. These have basically all the same requirements, requiring only minor adjustments to refer to all systems covered.
    2 – Integration of the specific parts of each system (basically sections 6 and 8 of each standard). Regarding ISO 27001, this means including in the organizational process the activities related to information security risk assessment and treatment processes.
    These articles will provide you further explanation about integrating ISO management systems:
    - How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/
    - Using ISO 9001 for implementing ISO 27001 https://advisera.com/27001academy/blog/2010/03/08/using-iso-9001-for-implementing-iso-27001/
    These materials will also help you regarding integrating ISO management systems:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free webinar – ISO 27001 implementation: How to make it easier using ISO 9001 https://advisera.com/27001academy/webinar/iso-27001-implementation-make-easier-using-iso-9001-free-webinar-demand/
  • Internal/External auditor role

    The auditor role is to verify if the management system is implemented, operated, maintained and improved according to the requirements of the defined standard, as well as according to other requirements defined by the organization that are relevant to the management system. The auditor has little to no role during the management system implementation. The internal auditor performs audits on behalf of the organization that owns the management system, while the external auditor performs audits on behalf of an organization's client (second-party auditor) or a certification body (third-party auditor).
    The role of the person in charge of information security is to ensure that the information security management system conforms to the requirements of the standard, and to report on the performance of the information security management system to top management. This person has an important role in the management system implementation, either as the leader of the implementation project team or as the person who will give the project's team the needed guidance for the project implementation.
    These articles will provide you further explanation about the roles of the person responsible for information security and of the auditor:
    - How to become ISO 27001 Lead Auditor https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
    - Qualifications for an ISO 27001 Internal Auditor https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/
    - What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
    These materials will also help you regarding the roles of the person responsible for information security and of the auditor:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • ISMS implementation

    How to start implementing ISMS?

    For the implementation of an ISMS compliant with ISO 27001, the leading ISO standard for information security management, you should consider these steps:
    1) getting management buy-in for the project;
    2) defining ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding organizational context and requirements of interested parties;
    3) development of risk assessment and treatment methodology;
    4) perform risk assessment and define risk treatment plan;
    5) controls implementation (e.g., policies and procedures documentation, acquisitions, etc.);
    6) people training and awareness;
    7) controls operation;
    8) performance monitoring and measurement;
    9) perform internal audit;
    10) perform management critical review; and
    11) address nonconformities, corrective actions and opportunities for improvement.
    This article will provide you further explanation about ISMS implementation:
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
    Regarding implementation approaches, the most common are:
    - Use your own staff to implement the ISMS
    - Use a consultant to perform most of the effort to implement the ISMS
    - Use a consultant only to support the staff on specific issues, leaving the organization's staff with most of the implementation effort.
    Each one of them has its advantages and disadvantages. For more information, I suggest the following materials:
    - 3 strategic options to implement any ISO https://advisera.com/blog/2016/04/11/3-strategic-options-to-implement-any-iso-standard/
    - Implementing ISO 27001 with a consultant vs. DIY approach https://info.advisera.com/27001academy/free-download/implementing-iso-27001-with-a-consultant-vs-diy-approach
    These materials will also help you regarding ISO 27001 implementation:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

    Which department to select?

    The departments or organizational units to be included in such a project will depend on the information to be protected and the business objectives, so there is no definitive answer to this question.
    These articles will provide you further explanation about ISMS scope definition:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

  • Internal audit requirements (1)


    Answer:

    I would contact the Certification Body and ask them the question.

    ISO 9001:2015 clause 9.2.2 c) speaks about selecting auditors and conducting audits to ensure objectivity and impartiality. One important point that I want to remark is that it is the organization that determines the auditor competence requirements. If the Certification Body has no particular requirements in the contract, it is up to your organization to state requirements as long as it ensures “objectivity and impartiality”.

    The following material will provide you information about audit requirements:

    - ISO 9001 – ISO 9001 internal auditor training: Is it for me? - https://advisera.com/9001academy/blog/2015/06/02/iso-9001-internal-auditor-training-is-it-for-me/
    - ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Being compliant with the GDPR


    Answer:

    From the description you provided it looks like the data is directly collected in the US, so basically it is not transferred from an EU entity to a US entity. The only thing you need to do is to mention in your Privacy Notice that the data is processed in the US and may be stored in the US or other locations around the world.

    To find out more about privacy notices check out our webinar “Privacy Notices Under the EU GDPR” https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/