
  • ISO 27001 Gap Assessment for a Bank


    Answer: ISO 27001 was designed to be used by organizations of any size and industry, so there are no specific conditions required for performing a gap assessment for a bank, and you can rely on commonly used techniques like interviews with key personnel, documentation review and observation of daily operations.

    To help you with performing a gap analysis, I suggest you take a look at our ISO 27001 Gap Analysis Tool at this link: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/

    Its simple question-and-answer format allows you to visualize which specific elements of an information security management system you’ve already implemented, and what you still need to do.
  • PCI DSS and ISO 27001


    What I am trying to do is to compare ISO 27001, PCI DSS and the SWIFT Customer Security Programme to see which controls overlap. Any assistance?

    Answer: To compare implemented security controls and practices with ISO 27001 requirements, I suggest you take a look at our free ISO 27001 Gap Analysis Tool at this link: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/

    This simple question-and-answer format will help you to visualize which specific elements of an ISO 27001 information security management system you’ve already implemented, and what you still need to do.

    These articles will provide you further explanation about PCI DSS and ISO 27001:

    - PCI-DSS vs. ISO 27001 Part 1 – Similarities and Differences https://advisera.com/27001academy/knowledgebase/pci-dss/
    - PCI-DSS vs. ISO 27001 Part 2 – Implementation and Certification https://advisera.com/27001academy/knowledgebase/pci-dss-vs-iso-27001-part-2-implementation-and-certification/

    These materials will also help you regarding ISO 27001 implementation:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Implementing ISO 9001 and ISO 27001


    Answer: You do not need to create separate documents to comply with ISO 27001 if you already have documents that cover similar requirements for ISO 9001 (e.g., control of documents, internal audit, management review, etc.), but you have to take care to adjust them to cover ISO 27001 requirements and your need for information security, and not simply write that the ISO 9001 documents also refer to the company's ISO 27001 (e.g., in a hypothetical situation, if your internal audit for ISO 9001 is annual, but for any reason the ISO 27001 internal audit is semi-annual, then this difference should be adjusted in your internal audit procedure).

    These articles will provide you further explanation about implementing management systems:
    - How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/
    - Using ISO 9001 for implementing ISO 27001 https://advisera.com/27001academy/blog/2010/03/08/using-iso-9001-for-implementing-iso-27001/

    These materials will also help you regarding ISO 27001 implementation:
    - ISO 27001 implementation: How to make it easier using ISO 9001 [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001-implementation-make-easier-using-iso-9001-free-webinar-demand/
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Documentation and scope


    Answer:
    1. About “how many documents” please keep in mind two phrases in ISO 9001: “keep documented information” and “maintain documented information”.

    “keep documented information” means keeping records like an order from a customer, a validation checklist or a training session record. Keep in mind that records can be digital as well as on paper.

    “maintain documented information” means keeping updated documents like the quality policy, the scope of the system, or a procedure. ISO 9001:2015 does not include any requirement for mandatory procedures; it is up to each organization to decide what it needs to maintain as a documented procedure. For example, an IT company can maintain procedures as digital checklists.

    2. About the scope. For example, I work with an IT company that has three groups of customers for whom they develop software: shoe manufacturing companies, B2B commerce of fruits and vegetables, and recycling companies. When developing their quality management system, they decided to include under the certification scope only the development, commercialization and service of software for the shoe manufacturing industry, because the other customers would not value working with a certified supplier.

    The following material will provide you information about documented information and scope:

    - ISO 9001 – List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
    - How to define the scope of the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Mandatory EU GDPR documents


    Answer:

    Most of the documents which are marked as not mandatory are either guidance documents which are not mandated by the EU GDPR, or forms that are not mandatory and can be changed based on the requirements of your business.

    Also, the whole section 8 regarding Security of Processing is marked as not mandatory because the EU GDPR requires controllers and processors to have “adequate” technical and organizational measures in place to protect personal data based on the risk of processing, so each organization needs to assess its own risk and decide upon the security measures.

    To find out more about the mandatory documents in the EU GDPR Toolkit, check out our article “List of mandatory documents required by EU GDPR” https://advisera.com/articles/list-of-mandatory-documents-required-by-eu-gdpr/
  • Main changes in documentation


    Answer:

    About procedures and manual, they are no longer mandatory – different from forbidden. Something that gives organizations much more freedom to adapt and use what they find useful, and when they find it useful.

    The following material will provide you information about the main changes with ISO 9001:2015:

    - Free infographic – Infographic: ISO 9001:2015 vs. 2008 revision – What has changed? – https://advisera.com/9001academy/knowledgebase/infographic-iso-90012015-vs-2008-revision-what-has-changed/
    - Free ISO 9001:2015 Gap Analysis Tool – https://advisera.com/9001academy/iso-9001-gap-analysis-tool/
    - Free webinar – ISO 9001:2015 vs ISO 9001:2008 – The main changes – https://advisera.com/9001academy/webinar/iso-90012015-vs-iso-90012008-the-main-changes-free-webinar-on-demand/
    - Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-14001-internal-auditor-course/
    - Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Environmental aspects at different situations

    i.e., normal, abnormal and emergency?

    Answer:

    You want to make a fair and rather complete assessment of how your organization interacts or may interact with the environment. Please consider Annex A.6.1.2 where it states clearly that one should consider normal and abnormal operating conditions, shut-down and start-up conditions, as well as reasonably foreseeable emergency situations.

    The following material will provide you information about assessment of environmental interactions:

    - ISO 14001 – 4 steps in identification and evaluation of environmental aspects - https://advisera.com/14001academy/knowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/
    - List of ISO 14001 implementation steps - https://advisera.com/14001academy/knowledgebase/list-of-iso-14001-implementation-steps/
    - free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - The ISO 14001:2015 Companion – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • Data transfer


    Answer:

    Once the EU GDPR kicks in you would need to provide a Privacy Notice to the individuals whose data you are collecting during the shows you mentioned.

    Your privacy notice should contain the information required by EU GDPR art. 13 “Information to be provided where personal data are collected from the data subject” (https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-are-collected-from-the-data-subject/), namely:

    • Your identity, contact details and details of your representative (if any);
    • The contact details of your data protection officer;
    • The purpose and legal basis of processing. Where legitimate interests are relied upon, details of those interests;
    • The right to withdraw consent (if this is the basis for any processing);
    • The categories of personal data processed;
    • The recipients or categories of recipients of personal data;
    • Details of any intended transfer outside the Union. Details of any safeguards relied upon and the means to obtain copies of transfer agreements;
    • The period for which data will be stored or the criteria used to determine this period;
    • A list of the individual’s rights, including the right to object to direct marketing, make a subject access request, and to be “forgotten”;
    • Details of any automated decision making, including details of the logic used and potential consequences for the individual;
    • Whether provision of personal data is a statutory or contractual requirement, whether disclosure is mandatory and the consequence of not disclosing personal data;
    • The right to complain to a supervisory authority;

    To find out more about privacy notices, check out our webinar “Privacy Notices under the EU GDPR” https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/ as well as our free “EU GDPR Foundations Course” https://advisera.com/training/eu-gdpr-foundations-course/
  • Planning changes to the QMS


    Answer:

    Presently I am working with a manufacturing shoe company with a QMS for production of comfort fashion shoes. They are making a change to their QMS to include in the scope the production of occupational uniform shoes to corporations – other requirements, other materials, other processes.

    Last year I worked with an injection molding company that duplicated the number of machines and changed location to another site, with a lot of new workers recruited – that was a great change in planning, operating and controlling production.

    Some years ago, I worked with a machine manufacturing company. One of their operations was painting parts of the machines. Then, due to stricter environmental legislation they decided to subcontract that operation to a painting services specialist. They had to change their production planning and quality control to consider the new flow of production.

    I hope that these examples show what can be considered “a change to the QMS”.

    The following material will provide you information about planning change:

    - ISO 9001 – QMS Change Management in 7 steps - https://advisera.com/9001academy/blog/2016/11/29/qms-change-management-in-7-steps/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Personal data


    Answer: Broadly speaking, any information that can identify or be related to an identifiable natural person must be considered personal data (e.g., name, address, email address, etc.).

    Considering that, the most common information gathered during an internal audit that is personal data refers to employees and to their competence records. Depending upon the QMS scope, an auditor may have access to the organization's clients' personal data (e.g., when the organization's scope includes customer support services or financial processes), so you should consider evaluating the scope statement to identify other types of personal data that the auditor may find.