  • Definition of OLA


    Answer: An OLA (Operational Level Agreement) is basically an internal agreement between your organization and a part of the same organization (for example, an agreement between the IT department and the Marketing department), and the content of this agreement depends on the specific agreement established in each case (I mean, it depends on the service that one party wants to provide to the other party), but you can use this template for your project, where you can define the project agreement, relationships, service requirements, planning/schedule, duration, etc. “Acuerdo de nivel operacional (OLA)” (Operational Level Agreement) https://advisera.com/20000academy/es/documentation/acuerdo-de-nivel-operacional-ola/

    And this article may also be of interest to you, “SLAs, OLAs and UCs in ITIL and ISO 20000”: https://advisera.com/20000academy/knowledgebase/slas-olas-ucs-itil-iso-20000/
  • AS9100 Manual from a consultant

    Answer:
    This is one of the problems with consultants that do not take into account the processes that are currently in the company when they choose what to document in a QMS: does what is documented actually add value? There are a few things to consider now that you have the manual, even if it was adapted from another template manual:
    - Do we actually do the things that the manual states?
    - Does the manual add a necessary process that we did not have in place before?
    If the answers to these are positive, then the manual may be beneficial to you; on the other hand, if the manual:
    - Has written detail that you do not do
    - Has processes that are not required by your company, or by AS9100 Rev D
    - Is wordy or complex such that it will confuse your employees
    If these are true, then the manual is not only lacking in value, it is actually a problem, since you will fail when your employees are audited against the manual. When you have a consultant working for you, what you want is to ensure that what they write down is actually what you do, so that people follow it.
    For more on dealing with consultants there is a good checklist on 9001Academy that can help with choosing a consultant that is relevant to the AS9100 QMS: https://info.advisera.com/9001academy/free-download/list-of-questions-to-ask-an-iso-9001-consultant
  • ISO 9001 and procurement

    Are there PowerPoint sample presentations to help communicate to teams on supplier evaluation with respect to ISO 9001?
  • Risk with a positive and negative impact


    Answer:

    ISO 9000:2015 defines risk as the effect of uncertainty. Then, in a note, it adds that an effect is a deviation from the expected, positive or negative. So, ISO 9000:2015 accepts the use of the general word risk both for negative and positive impact. Although when one uses the words risk and opportunity it is much easier to distinguish positive from negative effects – remember that many organizations use different methods to evaluate risks and opportunities. For example, many organizations use probability as a factor to evaluate risks and others use effort as a factor to evaluate opportunities.

    The following material will provide you with information about the risk-based approach:

    - ISO 9001 – How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    - Risk-based thinking replacing preventive action in ISO 9001:2015 – The benefits - https://advisera.com/9001academy/knowledgebase/risk-based-thinking-replacing-preventive-action-in-iso-90012015-the-benefits/
    - ISO 9001:2015 Risk Management Toolkit - https://advisera.com/9001academy/iso-90012015-risk-management-toolkit/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Boundary in ISO 9001 scope


    Answer:

    An organization does not need to apply its quality management system to all of its operations. For example, an organization can manufacture a line of products under its own brand and manufacture generic products for other brands as a subcontractor. The organization can decide to implement a QMS and apply it only to the part of the business where it works as a subcontractor and not to the part where it manufactures under its own brand. So the boundary would be, in that case, the work done as a subcontractor for other organizations.

    The following materials will provide you details about the scope of a management system:

    - ISO 9001 – How to define the scope of the QMS according to ISO 9001:2015 – https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/

    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/

    - book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Information security policy content


    Answer: According to ISO 27001, the Information Security Policy must include:
    - the information security objectives, or how the objectives are proposed, how they are approved, and how they are reviewed
    - a statement by top management of its commitment to fulfilling the requirements of all interested parties and to continually improving the ISMS

    There is no need to include specific controls in the Information Security Policy. If you need to describe details about the application of one or more controls, you should consider writing them in a specific policy (e.g., access control policy, backup policy, etc.).

    These articles will provide you with further explanation about the Information Security Policy:
    - What should you write in your Information Security Policy according to ISO 27001? https://advisera.com/27001academy/blog/2016/05/30/what-should-you-write-in-your-information-security-policy-according-to-iso-27001/
    - Information security policy – how detailed should it be? https://advisera.com/27001academy/blog/2010/05/26/information-security-policy-how-detailed-should-it-be/

    These materials will also help you regarding Information Security Policy:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Risk management according to ISO 27001, ISO 27005 and ISO 31000

    I want to prepare for an ISO 27001 certification and decide to use the ISO 27005 risk management methodology. What steps are mandatory, and what is optional?

    First, it is important to note that ISO 27005 is not a methodology but a general framework for information security risk management.

    It differs from ISO 27001 in that ISO 27005 provides not only the steps for the risk management process (e.g., risk assessment, risk evaluation, risk treatment, etc.) but also options regarding how to perform each step (e.g., a qualitative or quantitative approach to risk assessment). A specific set of options for performing the steps would be a methodology, so from ISO 27005 you can develop several different methodologies to perform the same steps.

    Considering that, if by steps you mean parts of the process, then all steps of ISO 27005 are required by ISO 27001. If by steps you refer to how to execute the process, you are free to choose, among the approaches provided by ISO 27005, the options that best suit you, because ISO 27001 does not prescribe how to perform them.

    Can I focus on asset impact instead of asset valuation when using ISO 27005 as the basis?

    Considering the previous answer, you can use asset impact instead of asset valuation when performing risk assessment for ISO 27001 using the ISO 27005 framework.

  • Consent and Privacy notice

    1. “as a controller you must keep records so you can demonstrate that consent has been given by the relevant individual”: what does this mean exactly? A copy of the request by email for example, or of the completed subscription form?
    2. Second database (stakeholders mapping): “No consent is needed, you just need to provide them with a Privacy Notice”: does this mean that as soon as we gather professional data from an individual, this person has to be aware of it?
    3. Second database (stakeholders mapping): the processing doesn’t seem to respect the conditions you list at the very end, as there is no consent (and, if I understood correctly, no need for it). Can we understand “legitimate interests” as the necessary actions taken by an organisation to conduct its activities? If that is not the case, is it really possible to make a stakeholders mapping compliant with the GDPR?

    Answers:

    1. It can be the ones you mentioned, or it could be the activity logs if the consent was given in the online environment. There are various types of records you can keep, and these are closely linked with the channels you use to collect consent from the data subjects.

    2. If you are collecting the information directly from the data subject, you need to provide the Privacy Notice when you collect the data. However, if you obtain the personal data from a third party (EU GDPR Art. 14 – “Information to be provided where personal data have not been obtained from the data subject” - https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-have-not-been-obtained-from-the-data-subject/), you need to provide the Privacy Notice according to the following timeline:

    - within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;
    - if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or
    - if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

    You can find valuable information about Privacy Notices from our webinar “Privacy Notices Under the EU GDPR” - https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/

    3. If you want to rely on “legitimate interest”, you would need to perform a Legitimate Interest Assessment, which is a basic assessment of the processing activity against the rights and freedoms of the data subjects concerned.
    Usually a Legitimate Interest Assessment is structured into three areas:
    - Purpose test: are you pursuing a legitimate interest?
    - Necessity test: is the processing necessary for that purpose?
    - Balancing test: do the individual’s interests override the legitimate interest?

    The Information Commissioner’s Office issued some guidance on legitimate interest - https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/
  • Study references


    Answer: For study references about ISO 27001, I suggest you take a look at the following material:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
    - ISO 27001: An overview of the ISMS implementation process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001-overview-isms-implementation-process-free-webinar-demand/
  • AS9100 Counterfeit parts


    Answer:
    The implementation of the requirements for controlling counterfeit parts is greatly dependent on the company involved and the product it produces. In clause 8.1.4 the requirement is just to have a process in place to prevent the use of counterfeit parts. This process can include many things, from only buying parts from original equipment manufacturers and approved distributors, to performing tests to validate that the product received is actually the product requested. This all comes down to what is required for the product in question, and to some extent the risk of actually getting the wrong parts that can cause a problem in the end products.
    For more information see this article on the special aerospace terms in AS9100: https://advisera.com/9100academy/blog/2017/05/01/five-special-aerospace-terms-in-as9100-rev-d/