  • Complying with clause 7.1 on resources

    Both are requirements that the standard does not require to be documented, so it is simply a matter of complying with them.
    As for infrastructure, it can include: buildings and associated utilities; equipment (including hardware and software); transportation; and information and communication technology.
    Maintenance of the infrastructure can be carried out through a planned preventive maintenance programme that is adequate and proportionate to the operations performed, to the context of the organization, and to any requirement of the contingency plan in case of interruption. Business planning processes should determine changes and future needs for specific infrastructure.
    As for clause 7.1.4, it requires a suitable environment resulting from the combination of physical and human factors, for example:
    - social: non-discriminatory, calm, non-confrontational
    - psychological: stress-reducing, emotionally protective
    - physical: temperature, humidity, lighting
    Your organization must establish, control and maintain its own environmental requirements.
    In both cases the auditors will determine compliance with these clauses through interviews with top management and the owners of the corresponding processes, and by collecting objective evidence.
    In addition, the following material can give you more information about the new ISO 9001:2015:
    - Free online ISO 9001:2015 Foundations course: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
    - Book "Gestión de documentación ISO: una guía en un lenguaje sencillo" (ISO documentation management in plain language): https://advisera.com/books/gestion-de-documentacion-iso-una-guia-en-un-lenguaje-sencillo/
  • Differences between ISO 9001:2015 and ISO 9001:2008

    Regarding the differences between ISO 9001:2008 and ISO 9001:2015, you can find information in the following infographic: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/infografia-iso-90012015-vs-revision-del-2008-que-ha-cambiado/
    You can also find the information on the list of mandatory documents in the following article: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/lista-de-documentos-obligatorios-requeridos-por-la-iso-90012015/
    In addition, the following material can give you more information about the new ISO 9001:2015:
    - Free online ISO 9001:2015 Foundations course: https://advisera.com/training/es/course/curso-de-fundamentos-de-la-norma-iso-90012015/
    - Book "Gestión de documentación ISO: una guía en un lenguaje sencillo" (ISO documentation management in plain language): https://advisera.com/books/gestion-de-documentacion-iso-una-guia-en-un-lenguaje-sencillo/
  • Risks in HR department


    Answer:

    The risks and opportunities to be identified should be related to the effectiveness of the process, to the QMS as a whole, and to compliance with the requirements of the standard and of the customers. You need to observe the HR department and all the processes that belong to it and determine what risks exist within this area. The most obvious risk regarding the HR department is failure to provide competent employees to other processes within the QMS; of course, depending on the context of the organization, this risk can be significant or not.

    As for the methodology for the risk analysis, the simplest approach is to arrange a brainstorming session with the most relevant people in the HR department and talk about the risks, or you can use a SWOT analysis.
  • Data Subject Consent Form


    Answer:

    The document is mandatory for those processing activities that are based on consent, for example marketing activities. If you rely on any other legal basis you don't need it; you only need to provide the right information to the data subject via your Privacy Notices.

    To find out more about consent you can check out our article “Is consent needed? Six legal bases to process data according to GDPR” https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/
  • Scope of the IT Security Policy (Doc 8.1)


    Answer:

    Article 32 of the EU GDPR - Security of processing https://advisera.com/eugdpracademy/gdpr/security-of-processing/ requires controllers and processors alike to implement "appropriate" technical and organizational measures to keep the personal data secure.

    The policies you would find in section 8 of the EU GDPR toolkit are examples of organizational measures taken to protect the data. So, in a nutshell, the purpose of the IT Security Policy, as well as of the whole array of policies in section 8, is to provide you with a set of documents which, if implemented correctly, will ensure that you have taken the appropriate measures to protect personal data.

    If you want to find out more about keeping data secure please check out our article “How cybersecurity solutions can help with GDPR compliance” https://advisera.com/eugdpracademy/blog/2017/11/27/how-cybersecurity-solutions-can-help-with-gdpr-compliance/
  • People related risks


    Answer: Considering ISO 27001, when thinking about people related threats you should consider how people can endanger information security (e.g., espionage, error, identity theft, etc.), and when thinking about people related vulnerabilities you should consider how weaknesses related to people can endanger information security (e.g., lack of training, lack of awareness, unavailability of the person, etc.).

    These articles will provide you further explanation about assessing risks:
    - Catalogue of threats & vulnerabilities https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/
    - ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

    These materials will also help you regarding assessing risks:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-risk-management-in-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Implementation of controls

    We received this question:

    >Can you also let me know if I decide to implement a control from Annex A, does that mean that we have to implement all the requirements for that control from the ISO 27002 standard ?

    Answer: Most of ISO 27002 text is written as "you should...", meaning that you only have to implement some items if you identify a need to do that (based on the results of your risk assessment). So, for some controls you may have to implement all items, while for others you have to implement only a few of them.
  • Termination of job - activity


    Answer: ISO 27001 does not prescribe how to implement its requirements or controls, only what needs to be achieved.

    Considering that, for the scenario you stated you can consider the control A.9.2.6 - Removal or adjustment of access rights as the basis to support your need to manage users' access rights, but for the definition of a specific period of time for account deletion / removal you must consider the perceived risks (results of the risk assessment) and the legal requirements (e.g., laws, regulations and contracts) that must be fulfilled.

    These articles will provide you further explanation about controls selection and access control:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    - How to handle access control according to ISO 27001 https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/

    These materials will also help you regarding controls selection and access control:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • ITIL and ISO 20000


    Answer:
    There is a free download on our web page. Please check this whitepaper:
    ITIL vs. ISO/IEC 20000: Similarities and Differences & Process Mapping https://info.advisera.com/20000academy/free-download/itil-vs-iso-iec-20000-similarities-and-differences-process-mapping
  • Environmental aspects and risks


    I have a question about ISO 14001:2015 – items 6.1.1 and 6.1.2

    In accordance with 6.1.2:
    1. Define the aspects
    2. Evaluate them against the established criteria, and I obtain the significant aspects

    And that is all.

    There is a note that significant aspects CAN result in risks and opportunities.
    During the certification audit the auditor requires THAT a risk and an opportunity MUST BE added to each aspect in accordance with 6.1.1. I do not agree with that auditor's interpretation. In my opinion:

    In accordance with 6.1.1 I must prepare the management of the environmental processes (a little like 4.4 of ISO 9001:2015 – e.g. a turtle diagram). For that environmental process I prepare the risks and opportunities which relate to environmental activities, evaluate them, etc.
    Is the above clear? What is your opinion? For what must I prepare risks and evaluate them?

    Answer:

    The standard requires the organization to determine risks and opportunities related to environmental aspects, compliance obligations, and other issues and requirements regarding the context and interested parties. This doesn't mean that every environmental aspect needs to have a risk and an opportunity.

    It is not enough to identify risks and opportunities related only to the environmental activities, because the standard requires the organization to identify risks and opportunities to ensure the effectiveness of the QMS, prevent or reduce undesired effects, and achieve continual improvement. This includes determining risks and opportunities related to environmental aspects. For most of the significant environmental aspects you can identify a risk related to not establishing or not following operational controls. But you don't have to do this for every environmental aspect you have.

    For more information, see: ISO 14001 risks and opportunities vs. environmental aspects https://advisera.com/14001academy/blog/2016/06/06/iso-14001-risks-and-opportunities-vs-environmental-aspects/