Search results


  • interested parties

    Hi mmidre, Still about the relevant stakeholders, when I read "development aid" I immediately think of the people who will receive the aid, they are the ultimate reason for your organization, and I think of those who finance the performance of your organization (Governments? Patrons? NGOs? …)

    About the use of the SWOT analysis I follow a prerequisite before using it (1) and I use it to deduce what kind of actions are possible and aligned with the strategic orientation (2).

    (1) – Do not use the SWOT analysis without previously defining the strategic orientation. An opportunity is not intrinsically an opportunity. It is an opportunity in the context of a strategy. I never forget a company that considered the products that they were selling as having a weak point, they were very expensive. I told them, that that classification was absurd because they were selling the top of the market brands in that category, price there is not an issue.

    (2) – After building the SWOT matrix I use what some call TOWS analysis and others call Dynamic SWOT.

    Consider the relationship between S and O – Can you use some Strengths to build on Opportunities?

    Consider the relationship between S and T – Can you use some Strengths to minimize Threats?

    Consider the relationship between W and O – Can you act upon Weaknesses to build on Opportunities?

    Consider the relationship between W and T – Can you act to preempt, to minimize the results of the dangerous combination of Weaknesses and Threats?
    Hope it helps!
  • Standard Contractual Clauses


    Answer:

    You can refer to the technical and organizational measures in “Annex 2 – Technical and organizational measures” of “A.15.2 Supplier Data Processing Agreement”, which can be found in folder 11_Security Control, sub-folder A.15 Supplier Relationships.
  • Risk assessment examples


    Answer: Our templates use an asset-based risk assessment approach, so our available material goes in that direction.

    As an example of process-based risk assessment I suggest you take a look at this paper from GIAC:
    - Performing a Process-Based Information Security Risk Assessment https://www.giac.org/paper/gsec/3776/performing-process-based-information-security-risk-assessment/106086

    For other approaches I suggest you take a look at ISO 31010, the ISO standard for methods and techniques for risk management. For information about ISO 31010, please see this article:
    - ISO 31010: What to use instead of the asset-based approach for ISO 27001 risk identification https://advisera.com/27001academy/blog/2016/04/04/iso-31010-what-to-use-instead-of-the-asset-based-approach-for-iso-27001-risk-identification/
  • Data processor


    Answer:

    The documents in the EU GDPR Documentation Toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ are relevant to both controllers and processors with some exceptions. For example, the folder dedicated to “Managing data subject rights” is not relevant for processors because this part needs to be handled only by controllers, the same goes for the “Data protection impact assessment” folder as well. The rest of the documents can be used by both controllers and processors alike.

    However, if you are a company established in the EU and have employees, that makes you a controller in terms of the data of your employees.

    To find out more about controllers and processors you can check out our article “EU GDPR controller vs. processor – What are the differences?” https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
  • Software validation in medical device


    Answer:

    The purpose of the software validation is to provide objective evidence that software specifications conform to user needs and intended uses, and that the particular requirements implemented through software can be consistently fulfilled.

    Depending on the type of software and its role within the medical device, the organization can apply different methods for validation.

    Software validation is difficult because a developer cannot test forever, and it is hard to know how much evidence is enough. In large measure, software validation is a matter of developing a "level of confidence" that the device meets all requirements and user expectations for the software-automated functions and features of the device. Measures such as defects found in the specification document, estimates of defects remaining, testing coverage, and other techniques are all used to develop an acceptable level of confidence before shipping the product.
  • Investments on ISO 27001


    I am working on a business plan that involves a number of factors; the most important one for the ISO 27001 topic is that it involves the acquisition of a small software development company.

    Implementing ISO 27001 is part of the strategy, with the goal of positioning the company better in the market, in addition to the other benefits of 27001 certification / implementation. Can you help me with this?

    The company is at square zero with respect to security: it has no information security policy (PSI), no hardware or software firewall, and no staff specialized in information security. Its core business is software development.

    Certifying a company of 20 employees at "level 0" would really involve acquisitions such as:
    Materials (the standard itself and books)
    Consulting hours
    Assessment costs
    Technology costs (firewalls)
    Staff training costs

    However, I have no idea of the quantities, and there are probably more items that will be needed to obtain certification. Plus the time required.

    Can you help me with this?

    Answer: There are a significant number of variables to be considered when estimating an implementation cost, so without more detailed information it's not possible to give a precise value. What I can tell you are some cost issues you should consider:
    - Training and literature
    - External assistance
    - Technologies to be updated / implemented
    - Employee's effort and time
    - The certification process

    Regarding knowledge on costs, I suggest you these articles:
    - How much does ISO 27001 implementation cost? https://advisera.com/27001academy/blog/2011/02/08/how-much-does-iso-27001-implementation-cost/
    - 5 ways to avoid overhead with ISO 27001 (and keep the costs down) https://advisera.com/27001academy/blog/2012/06/19/5-ways-to-avoid-overhead-with-iso-27001-and-keep-the-costs-down/
    - How to Budget an ISO 27001 Implementation Project https://info.advisera.com/27001academy/free-download/how-to-budget-an-iso-27001-implementation-project
  • Should you integrate AS9100


    Answer:
    I would not recommend having 2 systems for the following reasons:
    1) ISO 13485 is the odd standard since it does not follow the same format as the others, so this would be the logical standard to maintain as a separate management system. However, you indicate that you already have this standard integrated with ISO 9001 & ISO 14001, so there would be no benefit to having AS9100 as a separate system.
    2) Even with ISO 13485 standard following a different format many of the support processes are still the same and have not really changed with the new requirements. These include internal audit, competence assessment, management review, documentation control, etc. Having a separate management system for AS9100 would mean you lose the benefit of integrating these support processes.
  • Context and multiple sites

    Hello. Thank you. I have another question. The auditor for ISO 14001:2015 asked us if we take into consideration sustainable materials when we buy packaging products. My question is: are sustainable materials part of the ISO 14001:2015 audit, unless we consider them a big environmental aspect? Please advise. Thanks.

    Maria
  • New Quality Processes

    I would use a “master list” of all “how we do it” procedures: with their name, current version, where they are used and the owner for approval of changes
  • Inventory of assets

    Regarding ISO 27001, the inventory of assets must consider only assets associated with information and information processing facilities, including fixed assets like safes, shredders and others, so you can leave unrelated furniture and fixed assets out of this inventory.

    This article will provide you further explanation about assets inventory:
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

    These materials will also help you regarding assets inventory:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/