
  • Eligibility of IATF certification

    @Guest user

    Hello, I want to know if a company producing raw material (polymers: granules) for an automotive customer is eligible for IATF standards. Thanks in advance.

    Answer:

    The raw material you produce is used in the production of the product of tire company "n"; if it goes into the vehicle as an automotive part, your company is also in a position to obtain IATF certification.

    As an example, we can give the auto paint raw material manufacturer or the steel manufacturer.

    In both cases, these raw materials are used in the vehicle body to produce the car.

    But I should also point out that the company that extracts the ore to produce this steel cannot obtain IATF certification. Likewise, companies that extract coal from coal mines cannot receive IATF certification.

     

    Here, the location of the raw material company in the automotive supply chain is important, in short.

  • Certifying people in an ISO 27001 implementation


    Answer: No, there is no requirement in ISO 27001 that demands that the people involved in the scope of the ISMS be certified. What is a requirement is that people are trained in matters related to information security, and you can achieve this through a certification (for each person), but you can also achieve it with a simple course on basic principles of information security. This online course may be of interest to you: "ISO 27001:2013 Foundations Course": https://advisera.com/training/iso-27001-foundations-course/

    And also this one: "ISO 27001:2013 Internal Auditor Course": https://advisera.com/training/iso-27001-internal-auditor-course/
  • GDPR in tourism


    Answer:

    It is impossible for me to provide you with a solution for being compliant with the requirements of your customers as regards the EU GDPR, since I am lacking information about the requirements and the whole setup.

    My proposal is to start the EU GDPR implementation as soon as possible, and our EU GDPR Documentation Toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ will be a good starting point. You can find all the information about our Toolkit on our website: https://advisera.com/eugdpracademy/product-tour/.

    We can also schedule a free meeting so we can better understand your needs and provide some tips on how to proceed further.
  • Data subject


    Answer:

    If the Indian citizens you refer to are working in the EU, the EU GDPR applies regardless of their citizenship or tax residence. So in this case it is the location where they work that matters.

    To learn more about the applicability of the EU GDPR, check out our article "What is it and how does it work?" https://advisera.com/eugdpracademy/what-is-eugdpr/
  • Scope change


    However, since gaining this a few months ago we are now looking at expanding and opening up some additional rented office space in another location. I believe this may affect A.11 in the statement of applicability? I am wondering if I need to notify our certification body (if and when it happens) and we may have to update our SOA or if we can wait until our next scheduled surveillance audit in 9 months time?

    Answer: This new office will indeed affect your ISMS, and maybe not only the controls of section A.11. The best way to understand its impacts, and what must be adjusted in your SoA, is by performing a risk assessment considering how this new office will be related to the ISMS scope (e.g., this new office will be included in the scope, or it will be considered a new interface). For more information, please see this article:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

    Regarding the certification body, you have to notify them as soon as possible about your intentions, so they can evaluate if changes should be performed in the surveillance audit schedule.
  • Context and interested parties


    Answer:

    Clause 4.1 is about considering the organization as an entity embedded in a reality that is much more than environmental aspects. For example, consider a natural leather shoes manufacturing company. See Annex A.4.1 a) of ISO 14001:2015:

    Environmental conditions – natural leather comes from large herds of intensive livestock farming with strong environmental consequences, including emissions relevant to global warming and biodiversity. Liquid waste generation during leather production, solid waste generation during shoes production, exponential rising of transport needs, end of life disposal of used shoes

    See Annex A.4.1 b) of ISO 14001:2015:

    External issues – the trend to use more and more materials other than leather, the trend for more and more restrictions on the use of chemicals in leather treatment, the exponential rising need for home delivery, more and more consumers following trends like veganism

    See Annex A.4.1 c) of ISO 14001:2015:

    Internal issues – the need to improve efficiency and reduce wastes, old equipment with high energy consumption, the difficulty in hiring new workers, the trend for smaller and smaller orders and fast deliveries
    Instead of considering environmental aspects and impacts at a particular moment only, you can consider what the most likely evolution will be.

    About interested parties (clause 4.2), organizations live in a network of relationships: customers, neighbors, suppliers, workers, customers' customers, regulators, … some with more or less power or influence over the organization, which can influence the environmental priorities of the organization. For example, strategic target consumers (customers' customers) can increasingly appreciate customization and buy online, something that will reduce efficiency and increase transportation needs. Neighbors can be against the increased frequency of transport vehicles.

    The following material will provide you information about context and interested parties:

    - ISO 14001 – Determining the context of the organization in ISO 14001 - https://advisera.com/14001academy/knowledgebase/determining-the-context-of-the-organization-in-iso-14001/
    - How to determine interested parties according to ISO 14001:2015 - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/how-to-determine-interested-parties-according-to-iso-140012015/
    - free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • ISO 27001 personal certification


    My background: I am an engineer with 18 years of work experience (software development and training). My key areas:

    1. Software QA
    2. Performance testing
    3. Performance tuning
    4. Risk assessment
    5. Scripting languages
    6. Agile SCRUM

    Kindly guide me on the preparation process for the certification.

    Answer: Considering your background, I'd suggest you go for the ISO 27001 Lead Auditor certification. This certification recognizes people who have competency in auditing an ISMS against ISO 27001 requirements and qualifies them to start the process of becoming a certification auditor.

    The first step for ISO 27001 Lead Auditor certification is to attend the ISO 27001 Lead Auditor course, which will present to you the general concepts of the ISO 27001 standard and the audit methodologies and techniques of the ISO 19011 standard. It is a 5-day course, after which you will take the exam.

    For more information, please see these materials:
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
    - ISO 27001 Lead Auditor Course preparation training [free webinar on demand] https://advisera.com/training/iso-27001-lead-auditor-course/
  • ISO 31000 study material

    Trust you're doing great. Your study material on advisera is very helpful thank you.
    However, I would like to ask whether there are any modules on ISO 31000 risk management, or if you could help me with one thing: is it mandatory to have vast job experience, i.e., can someone at mid or entry level not go for the ISO 31000 course?

    Answer: For information regarding ISO 31000, I suggest you take a look at these materials:
    - ISO 31000 and ISO 27001 – How are they related? https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/
    - How to address opportunities in ISO 27001 risk management using ISO 31000 https://advisera.com/27001academy/blog/2018/04/13/how-to-address-opportunities-in-iso-27001-risk-management-using-iso-31000/

    Regarding ISO 31000 courses, generally they do not require previous job experience (you should verify the course content of your selected training provider to confirm that), but any level of previous experience will help you take better advantage of the course.
  • RACI Matrix


    Answer: As roles to include in your RACI matrix you should consider at least:

    - Top management / Project Sponsor as Accountable for project decisions
    - Project Manager as Responsible for the project overall execution
    - Team member as Responsible for tasks / activities execution
    - Unit Heads / Process Owners / Interested Parties as Consulted about risk identification and controls to be implemented
    - Employees / Users as Informed about project milestones

    As steps to be included, you should consider:
    1) getting management buy-in for the project;
    2) defining ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding organizational context and requirements of interested parties;
    3) development of risk assessment and treatment methodology;
    4) perform risk assessment and define risk treatment plan;
    5) controls implementation (e.g., policies and procedures documentation, acquisitions, etc.);
    6) people training and awareness;
    7) controls operation;
    8) performance monitoring and measurement;
    9) perform internal audit;
    10) perform management critical review; and
    11) address nonconformities, corrective actions and opportunities for improvement.

    This article will provide you further explanation about ISMS implementation:
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
  • ISO 27001 Gap Analysis

    1 - But my starting point for now is to check what they have according to ISO 27001. A sort of gap analysis? The current situation. I am kind of at a loss as to how to start this. I mean, do you make a list of all these clauses + Annex A and check if they have it documented, etc.? Or is it more than that?

    Answer: For a gap analysis you do not only evaluate if they have the requirements documented, but also if the processes and controls are generating the proper records. To help you with a gap analysis, I suggest you take a look at our Free ISO 27001 Gap Analysis Tool at this link: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/

    2 - What about the maturity? Do I have to measure also the maturity? And how do you do that?
    I hope you can give me some advice on how to start this because it is not quite clear to me.

    Answer: ISO 27001 does not require performing maturity measurements, but it requires performance measurements, which can be used as parameters to evaluate maturity.

    This article will provide you further explanation about ISO 27001 and performance measurement:
    - What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
    - How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/

    These materials will also help you regarding ISO 27001:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
