Answer: ISO 27001 does not have a set of basic controls; rather, they have to be selected through a risk assessment process, and to identify the controls required for an organization you must verify its Statement of Applicability (SoA) and the results of its risk assessment. These documents will provide you with information about how the organization perceives its risks and how it is going to treat them (since each organization is unique in its context and risk appetite, different organizations will have different approaches to the same risks, and you should take that into consideration).
This article will provide you with further explanation about controls selection:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
Answer: I would say you have to identify first for what purpose this organization needs a certificate – if your clients prefer ISO 9001 over ISO 13485, then you should go for ISO 9001, and vice versa.
The right to be forgotten is not an absolute right that the data subject has in relation to their data. A controller does not need to comply with such a request if the processing is:
- necessary for rights of freedom of expression or information;
- for compliance with a legal obligation under Union or Member State law;
- in the public interest or carried out by an official authority;
- for public interest in the area of public health;
- for archiving or research;
- for legal claims.
So, as you can see, if there is a legal obligation set forth under Member State law, then you need to keep the data even if the data subject requests that the data be deleted.
As you can imagine, there is no explicit requirement in ISO 9001:2015 to support those auditor demands. I do not know the particular requirements that your customers have about the painting job. In the past I worked with a company that had to ensure a certain thickness of the paint layer over a metal. The requirement was not on the paint characteristics but on the result, on the thickness. For that, they used an instrument to measure the thickness. If there is no customer requirement, and if in your risk assessment you saw no problems with the viscosity of the paint, there is no requirement to do what the auditor is asking.
The following material will provide you with information about product release:
There is no mandatory requirement in ISO 9001:2015 to keep documented information about the context of an organization. It is up to each organization to decide whether to document it and how. For example, it can be the minutes of a meeting where a SWOT matrix was created and analyzed. About legal requirements, your organization can keep a database of all the legal requirements that apply to your own organization. Your organization should know the legal requirements in order to be able to commit to meeting them.
The following material will provide you with information about the context of an organization:
Answer: According to ISO 27001, clause 10.1 b) 2), the causes of nonconformities shall be determined in order to evaluate the need for action to eliminate them and prevent the recurrence of nonconformities, or their occurrence elsewhere. Considering that, since the outsourced services are affecting your ISMS, a root cause analysis must be performed.
Answer: Usually there is a single RTO for a whole process / department, and all activities and applications related to it have to meet this RTO.
If you have applications that really have to meet different RTOs (normally this occurs because these RTOs are shorter than the generally established RTO), then you should create separate plans.
No, there is no explicit requirement for having an approved supplier list under ISO 9001:2015. Imagine that you work in a governmental organization: most countries require public tenders in which potential suppliers have to compete, and do not allow approved supplier lists.
The following material will provide you with information about external providers:
Answer: Communication is one of the essentials during Major Incident resolution. Communication should be timely and regular. During the communication (e.g. a bridge call, as you suggested) you should focus on the customer's business process and on facts (particularly if you can explain them in some measurable way, or in monetary values), and ensure the customer that you know what you are doing, i.e. that you will bring the incident to resolution. Also, take the customer's alternatives seriously. It could be that they contain some usable elements.