Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11269 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Training content
Could you advise the effectiveness of the course module coverage and the sample q's in the training sessions for certification fulfillment.
Soliciting your expert opinion and any additional details pertaining to the subject matter.
Answer: Our ISO 27001:2013 Foundations course provides basic knowledge about ISO 27001 structure, requirements and controls, and the ISO 27001 Foundations exam provided at the end of the coure is accredited by Exemplar Global (formerly RABQSA), being world-ide recognized.
Our ISO 27001:2013 Internal Auditor Course is also accredited by Exemplar Global (formerly RABQSA), and its content is developed to support attendants to take the Internal Auditor exam available at the end of the course. This Internal Auditor certification recognizes people who had attained Information Security Management Systems and Management Systems Auditing competencies.
At this moment we do not p rovide courses related to ISO 27001 Lead Auditor and ISO 27001 Lead Implementer certifications (but soon we'll publish our LI/ LA courses). For now, we have this webinar that can help you with preparation to the ISO 27001 Lead Auditor course:
- ISO 27001 Lead Auditor Course preparation training [free webinar on demand] https://advisera.com/training/iso-27001-lead-auditor-course/ -
Relevant ISO standards for information security
Answer: You can consider the following standards of the ISO 27001 family as the basis for the generic approach to information security:
ISO/IEC 27001 — Information technology - Security Techniques — Information security management systems — Requirements.
ISO/IEC 27002 — Code of practice for information security controls
ISO/IEC 27004 — Information security management — Monitoring, measurement, analysis and evaluation
ISO/IEC 27005 — Information security risk management
However, ISO 27000 family also have additional standards that specific industries should also consider critical to properly protect information, such as:
ISO/IEC 27017 — Code of practice for information security controls based on ISO/IEC 27002 for cloud services
ISO/IEC 27018 — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
ISO/IEC TR 27019 — Infor mation security for process control in the energy industry
ISO/IEC 27031 — Guidelines for information and communication technology readiness for business continuity
ISO/IEC 27032 — Guideline for cybersecurity
So, a more appropriated statement would be "The ISOs 27001, 27002, 27004 and 27005 can provide the basic foundation for the information security posture of any organisation." -
Standard Contractual Clauses Annexes
Answer:
You should have received two documents one to regulate Controller to Controller transfer and one for the Controller to Processor instance. 06.2_Annex_1_Standard_Contractual_Clauses_for_the_Transfer_to_Controll ers_EN
06.3_Annex_2_Standard_Contractual_Clauses_for_the_Transfer_to_Processo rs_EN
To find out more about cross border data transfers don miss our upcoming webinar “How to make personal data transfers to other countries compliant with GDPR” https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/ -
Cross border data transfer
Answer:
At first glance I would say that you are facing a cross border data transfer especially if the team in Philippines would be able to copy the data locally on their machines.
To find out more about cross border data transfers don miss our upcoming webinar “How to make personal data transfers to other countries compliant with GDPR” https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/ -
Requirements for infrastructure
Answer:
ISO 13485 allows exclusions of any requirements from clauses 6, 7 and 8, if they are not applicable to the type of business your organization is performing. Of course, as long as you can provide justification for the exclusion.
Requirements for infrastructure can hardly be excluded, because you still use some kind of equipment, and the entire point of this clause is to define and plan maintenance activities .
Work environment requirements, on the other hand are probably not entirely applicable to your type of business, so you can exclude requirements fo r cleanliness and clothing of personnel (clause 6.4.1) and contamination control (clause 6.4.2).
All the parts of the Procedure for Infrastructure and Work Environment that are not applicable to your type of business can be either edited or completely deleted.
For more information, see: Managing medical device infrastructure requirements according to ISO 13485:2016 https://advisera.com/13485academy/blog/2017/06/28/managing-medical-device-infrastructure-requirements-according-to-iso-13485/ -
Nonconformities and corrective action
Answer:
ISO 9001:2015 speaks about nonconformities in two clauses:
8.7 is about nonconforming outputs (products and/or services)
10.2 is about other nonconformities like process performance
Whenever a nonconformity occurs it must be treated, it must be corrected. Correction eliminates the nonconformity. After the correction one must ask if a corrective action is needed. A corrective action attacks the cause of the nonconformity and reduces the probability or frequency of the recurrence of the nonconformity. When performance is evaluated, for example, the rate of nonconformities, one must ask if the performance is acceptable or an improvement action, a corrective action is needed.
The following material will provide you inform ation about the nonconformities and corrective actions:
- ISO 9001 – Seven Steps for Corrective and Preventive Actions to support Continual Improvement - https://advisera.com/9001academy/blog/2013/10/27/seven-steps-corrective-preventive-actions-support-continual-improvement/
- How to use root cause analysis to support corrective actions in your QMS - https://advisera.com/9001academy/blog/2016/03/01/how-to-use-root-cause-analysis-to-support-corrective-actions-in-your-qms/
- Procedure for the Management of Nonconformities and Corrective Actions - https://advisera.com/9001academy/documentation/procedure-control-non-conforming-products/
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
Migración a la nueva ISO 9001:2015
Lo primero con lo que debe de contar es con el apoyo de la alta dirección, que va a facilitar tanto los recursos económicos como de personal para que la transición a la nueva norma se lleve a cabo de manera eficaz. Para ello puede presentar los beneficios de implantar la nueva norma ISO 9001:2015.
Posteriormente puede llevar a cabo un análisis de brecha o GAP, para ver con qué requisitos y documentación cumple en la actualidad. Aquí puede encontrar la herramienta de forma gratuita: https://advisera.com/9001academy/es/herramienta-analisis-de-brecha-iso-9001/
Más tarde debe establecer un plan de proyecto para llevar a cabo la implantación de la norma, que incluya, el responsable del proyecto o el equipo, los plazos, los diferentes hitos así como el presupuesto con el que se cuenta.
Un recomendación es no escribir demasiados, sólo aque llos que realmente sean necesarios. Aquí puede encontrar la lista de documentos necesarios y recomendados: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/lista-de-documentos-obligatorios-requeridos-por-la-iso-90012015/
Estos materiales también pueden ayudarle en la transición a la norma ISO 9001:2015:
- Curso Fundamentos de la ISo 9001:2015: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
- Libro "Descubre ISO 9001:2015 mediante ejemplos prácticos" (sólo en inglés): https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
- Herramienta de cumplimiento en línea: https://advisera.com/conformio/ -
AS9100 Rev D vs ISO 9001:2015 main differences
Answer:
As with many other specialized QMS requirements AS9100 Rev D takes the entirety of ISO 9001:2015 and simply adds some aerospace specific requirements to it without taking anything away. While there are some small additions to the processes throughout some of the main additions include; keeping the quality management representative, a process for operational risk management, a process for configuration management, processes to ensure product safety, a process to prevent the use of counterfeit parts, validation and control of special processes, and production process verification.
To find out more about the aerospace specific terms that are defined in AS9100 Rev D, and later are defined as these additional processes, see this article: https://advisera.com/9100academy/blog/2017/05/01/five-special-aerospace-terms-in-as9100-rev-d/ -
Data processing agreement
2. Just thinking a little more about this as I see on your notes that this is not a standalone document and is meant to be an annex to the contract the Controller has with a supplier / processor. We don’t have formal contracts / commercial agreements in place with all of our corporate clients and so I’m wondering where this leaves us?
3. It would also be good to know which of the documents in the toolkit should be issued to our suppliers ie from Processor to Sub-Processor. I’m assuming that we simply need to incorporate the relevant security clauses to handle outsourcing risks as described in A.15.3 and the blog in your notes within our existing contracts? Am I right in thinking that precise/suggested wording for these clauses does not form part of the toolkit and if so do you have any advice where we might find example wording?
Ans wers:
1. Based on the provisions of EU GDPR art. 28 – “Processor” (https://advisera.com/eugdpracademy/gdpr/processor/) is the controller that should be the one ensuring it uses processors providing sufficient guarantees to implement appropriate technical and organizational measures to meet the requirements of the Regulation.
You can of course be proactive and for the controllers that did not provide you a Data Processing Agreement or similar document you can send then the Agreement in the Toolkit (A.15.2) and this would hopefully trigger a reaction from the controller.
2. Regardless if you don`t have a written contract the services you provide to your customers need to be somehow regulated otherwise legally speaking you would be providing a service outside a contractual frame and this would mean that the parties have no obligations towards another. You may have some Terms & Conditions for providing the services and then Data Processing Agreement should refer to it.
Any processing activity needs to have a reason behind it so it needs to be regulated especially if is a payed service.
3. For a Processor to Sub-processor Data Processing agreement you can use the attached document as a reference.
To learn more about procesors check out our free “EU GDPR Foundations Course” https://advisera.com/eugdpracademy/what-is-eugdpr/ -
Contractual clauses for sub-processors
Answer:
Unfortunately the EU Commission only issued controller to controller and controller to processor standard contractual clauses. To learn more about personal data transfers check out our free “EU GDPR Foundations Course” https://advisera.com/eugdpracademy/what-is-eugdpr/