Usually indemnification clauses are found in the Master Agreement not in the Annexes and the reason is that it needs to be applicable to all subsequent documents of the Master Agreement.
However, if you want to put an indemnification clause in the Supplier Data Processing Agreement, you can use the following wording: “Supplier will indemnify and keep indemnified and defend at its own expense [Company Name] against all costs, claims, damages, expenses, or proceedings which [Company Name] may incur as a result of a breach by Supplier of its obligations herein. In case [Company Name] has suffered loss, cost and/or damage, or has to pay any penalty or compensation according to EU GDPR or other Privacy Laws due to Supplier’s breach, Supplier shall reimburse [Company Name] for all that loss, cost and damages.”
Use of structured templates
Answer:
There is nothing mandatory in ISO 9001:2015 about documents having to follow a structured template. Normally every organization follows the practice of having work instructions, procedures or forms follow a structured template. That transmits order and planning, and frames a common visual look, but it is not a mandatory requirement. Clause 7.5.2 b) requires that the template(s) used is/are adequate.
The following material will provide you information about the documented information:
Answer: ISO 27001, and more specifically ISO 27002, can provide you requirements regarding what you must consider when setting up a network, but they do not provide guidance on how to perform such a task.
Technically speaking, you should consider:
- Identification of which traffic must come in and out of this network, so you can configure the rules for the security perimeter (e.g., through an outbound firewall)
- Identification of which traffic should flow inside the network, so you can configure how the elements should be segregated (e.g., to segregate networks accessed by visitors, by embassy's employees in general, and by embassy's high staff).
- In case of use of wireless networks, what would be the rules for use and access.
Example: HR security domain:
Evidence required: Approved HR policy document, roles and responsibilities in the table in the ISMS, last 5 onboarded resources with training completed list and 5 offboarded resources list with offboarding checklist and data removal certificate, access revoked mail confirmation, etc.
Answer: It seems to me that you are making a mistake here.
When performing risk assessment there is no need to list evidence/artefacts. In this step you have to identify which risks are relevant considering the scope of the assessment.
Evidence and/or artefacts regarding the 114 controls from ISO 27001 Annex A are used when you perform either a gap analysis (to identify how many controls you already have implemented) or an audit (to evidence the controls' implementation and performance).
Its question-and-answer format allows you to visualize which specific elements of an information security management system are already implemented, and what still needs to be done.
For each clause or control from the standard the checklist provides one or more questions which should be asked during the audit in order to verify the implementation.
I would say you have to conclude for what purpose you need a certificate: if your clients prefer the GC Mark to ISO 22301, then you should go for the GC Mark, and vice versa.
By the way, I've reviewed the GC mark website, and I didn't find a certificate for business continuity.
Benefits of ISO 14001
How does it contribute to sustainability practices?
Answer:
The implementation of an environmental management system allows developing a systematic approach to environmental issues in organizations. It begins with basic assurance of legal and regulatory compliance and evolves to issues such as alignment between strategy and environment (e.g., waste reduction, better waste separation and increased efficiency in cost-based strategies, or integration of environmental concerns into the design of new products in strategies based on innovation), improving the relationship with the neighborhood and avoiding problems with future expansion needs, or improving the image before potential clients who value environmental issues.
The following material will provide you information about environmental management benefits:
Article 5(e) - “Principles relating to processing of personal data” of the EU GDPR states that personal data should be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed” (https://advisera.com/gdpr/principles-relating-to-processing-of-personal-data/). This is the only mention of a retention period.
It is up to the controller to establish suitable retention periods unless those are specified in local law. So my advice is to ask someone with a legal background whether such an obligation exists under Norwegian law and, if not, you can keep deleting the chat content every 30 days.