The role of Management Representative has been removed from ISO 9001:2015; its responsibilities went to top management. Not being mandatory is not the same as being forbidden. So your organization can keep the role of Management Representative, or of QMS Manager, for the person who drives the whole process.
The following material will provide you with information about the Management Representative:
Organizational knowledge and Customer Specific Requirements
Answer:
When it comes to organizational knowledge, the standard is rather vague. This allows organizations freedom in deciding how to identify the knowledge and provide access to it for the relevant people. For example, consider one process from your company. Then, list all activities performed in that process. For each activity, identify which function performs it, and list what kind of knowledge someone in those functions has to have in order to perform those activities competently. That knowledge can include things like:
- knowing work instructions;
- holding a professional certificate qualifying the person as a professional welder;
- knowing how to operate certain machines;
- knowing how to control the quality of certain parts;
- knowing how to identify, segregate and manage nonconforming parts.
When you identify organizational knowledge you do not consider any person in particular; you are using abstract thinking: what kind of knowledge should anyone performing that function have?
Then, look at the actual performance of the process and at the actual persons performing those functions. Do they have the right amount of knowledge? Are they competent enough? Remember, you can have competent people working in a process, and because your company becomes more demanding in performance, perhaps those same people become non-competent.
When it comes to requirement 7.5.1.1 d), the easiest approach is to create a matrix where in one column you list your processes and in the second column you put the relevant CSRs for each process. In addition, you can add the person responsible for compliance with each customer-specific requirement. The main input for this matrix is the identification of interested parties and their needs and expectations; if it is done properly, you can use the list of interested parties and their needs and expectations to meet this requirement. Basically, the CSR matrix is a more detailed examination of the needs and expectations of one group of interested parties: customers.
1. If a systems builder installs several workstations with different applications at a customer and needs to log information on those systems (not per se an audit trail) to be able to debug what went wrong between these systems, and the customer is happy to provide these logs or even (continuous) access to the systems to have things debugged, but the logs may contain privacy-related information, then what do you do? Warn system users that their actions are logged? Demand that the customer anonymizes the logs? State that we uphold privacy and use logs only for debugging our systems and not for an audit trail? Do we need a processor agreement for that? Who provides it?
2. Do processor agreements need to be signed by both parties?
3. Do you need to actively request a website visitor to accept cookies and read the privacy statement even if you do not use personal information that is collected, e.g. by Google Analytics and similar 3rd-party tools? Or is it enough just to link to a disclaimer or legal statement on these pages…
Answers:
1. If the users have access to personal data, you need to ensure that they are bound by a duty of confidence. This is a requirement of EU GDPR Article 28(3)(e) – Processors (https://advisera.com/eugdpracademy/gdpr/processor/). You can also have a pop-up message telling the users that they are about to access personal data.
2. If possible, the customer should try to anonymize the personal data, and if that is not possible, a Data Processing Agreement should be signed by you as the data processor and your customer as the data controller. This needs to be a legally binding agreement and needs to be signed or agreed by both parties.
3. It is the ePrivacy Directive that requires websites to gain consent from readers if they want to use cookies to track them. You should have a separate Cookie Policy that needs to be accepted by the users. Also, the users must be informed about how they can set up their browsers not to accept cookies.
No, it does not. However, bear in mind that "legitimate interest" for marketing activities can be used only in relation to existing customers, not prospective customers.
Switching to consent doesn't make a difference; just make sure that the consent is a freely given, specific, informed and unambiguous indication of the individual's wishes. You must also keep records so you can demonstrate that consent has been given by the relevant individual.
If both parties are controllers, no Data Processing Agreement is needed.
However, if one controller needs to send data to another controller outside the EEA, you would need to rely on the controller-to-controller Standard Contractual Clauses, which is document 6.1 of the Toolkit.
I am doing an academic paper (article) on information security in which I have to prepare a questionnaire with the purpose of analyzing the adherence of the information security adopted in companies to ISO 27002.
Could you please give guidance on how to formulate this questionnaire?
Answer: Basically, you have to identify for each control what is required (generally an action followed by the word "should") and formulate a question based on it.
For example, for control 5.1.1 (Policies for information security), the requirement is:
"A set of policies for information security should be defined, approved by management, published and communicated to employees and relevant external parties."
So a proper question would be: "Are there policies for information security defined, approved by management, published and communicated to relevant parties?"
For reference, I suggest you take a look at our ISO 27001 Gap Analysis Tool at this link: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/
ISO 27001 standard course
Answer: I'm sorry, but I believe there has been a little misunderstanding regarding the standard's structure. The term "clause" is used to separate the content of the main part of the standard, and ISO 27001:2013 has 10 clauses. Regarding Annex A, it has 114 controls, not 111, and it is organized into 14 parts called "sections".
Answer: For an audit program, first you have to define whether you are going to perform one audit or a series of audits throughout the year. After that, you have to define the criteria for the individual audits, the auditors who will perform them, the procedure that will be used for the audits, and whether you are going to use checklists or not.
For testing plans, first you have to define which kind of test you will perform (e.g., orientation seminar, desk check, plan walk-through, functional testing, etc.). After that, you have to define the tests' scope, objectives, and timing, and align these decisions with top management and management heads to develop the necessary details for the test plans.
Answer: The folders and documents in your toolkit are listed in exactly the order you need to follow in order to implement the ISMS, so you have to prepare the Statement of Applicability after you have finished filling in the Risk Assessment Table and the Risk Treatment Table.