
  • Design alterations

    New question:
    "Thanks for this information – You’ve answered my Question.

    I’ve asked this question as Company 1 is the Head Office and they do the design – Thus Holding the ISO Certificate for Design & Development– Company B is the Sister company which only does repairs and they claim they are not doing design but my argument was that they are redesigning the Original Design down to something else therefore their ISO Certificate should include design even if they use the design engineers at company A but documented Information must be in place.

    Do you agree?"

    My answer:
    If Company B only does repairs, repairs are not considered design. Perhaps one should clarify the meaning of “repairs”; presently I’m working with a company that sells new machines, buys used machines from customers if both parties agree, and then repairs them and sometimes makes changes because of, for example, new safety requirements or better components, to sell them as second-hand machines. In that case design is a must!

    Another important point is: who is ordering the design changes? If they do the design changes but the order with the indications come from Company 1, design is not an issue for Company B.
  • Controls in third party facility

    We received this question:

    >I have a further question. Some of the properties are free, public and we do not have a contract. How will this impact your suggestion?

    Answer: Without a contract you will not have any support to enforce the properties responsible to implement the security controls you require, and you will be at risk of being legally processed for modifying the facilities to implement the controls by yourself without authorization.
  • Risk treatment plan


    Answer: The Risk Treatment Plan must include actions only to:
    - treat risks evaluated as unacceptable (as result of risk assessment)
    - improve the performance of already existing controls (based on a top management decision)

    This article will provide you further explanation about risk treatment plan:
    - Risk Treatment Plan and risk treatment process – What’s the difference? https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment

    These materials will also help you regarding risk treatment plan:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Requirement for vulnerability scanning


    Answer: Performing vulnerability scanning or penetration testing, either by the organization itself or by a 3rd party, is an option to be considered only if control A.18.2.3 (Technical compliance review) is considered applicable as a result of risk assessment or because of a top management decision. It is important to understand that vulnerability scanning and penetration testing are only options. If other means, like manual reviews, can fulfill your needs, performing vulnerability scanning or penetration testing is not necessary.

    This article will provide you further explanation about vulnerabilities management:
    - How to use penetration testing for ISO 27001 A.12.6.1 https://advisera.com/27001academy/blog/2016/01/18/how-to-use-penetration-testing-for-iso-27001-a-12-6-1/
  • Before certification audit


    Answer:

    Yes! If your organization has not yet performed an internal audit and a management review, certification auditors cannot verify that your organization complies with all ISO 9001 requirements.

    The following material will provide you information about internal audits:

    - ISO 9001 – Five Main Steps in ISO 9001 Internal Audit - https://advisera.com/9001academy/knowledgebase/five-main-steps-in-iso-9001-internal-audit/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Standard for BCM


    Answer: For ISO the main standard for business continuity management is ISO 22301, which defines the requirements for the business continuity management system. For complementary guidance and recommendations there are supporting standards such as ISO 22313 and ISO 27031 (Guidelines for information and communication technology readiness for business continuity).

    Other organizations have their own standards that an organization should consider according to its own context, like the National Fire Protection Association (NFPA) and its NFPA 1600.

    These articles will provide you further explanation about BCM standards:
    - What is ISO 22301? https://advisera.com/27001academy/what-is-iso-22301/
    - ISO 22301 vs. ISO 22313 https://advisera.com/27001academy/blog/2013/05/21/iso-22301-vs-iso-22313/
    - Understanding IT disaster recovery according to ISO 27031 https://advisera.com/27001academy/blog/2015/09/21/understanding-it-disaster-recovery-according-to-iso-27031/
    - NFPA 1600 vs. ISO 22301 – Similarities and differences https://advisera.com/27001academy/blog/2013/11/05/nfpa-1600-vs-iso-22301-similarities-and-differences/

    2- The requirements state what SHOULD be done and not HOW to do it right?

    Answer: Your assumption is partially correct. ISO 22301, like other ISO management standards, has mandatory requirements (associated with the words must/shall) and also optional requirements (associated with the words may/should), and these only define what must/should be done, and not how. It is this way to allow each organization to freely define how to implement the requirements.

    This material will also help you regarding BCM:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
  • Recruitment and competencies

    It is not an area that I am familiar with. Nevertheless, I can make a connection with ISO 9001:2015 clause 7.2 about competency. Your customer wants you to recruit people with enough competencies and skills for the job that they will perform. Due to clause 8.4.3 about information for external providers, your customer should give you the competency requirements that they need.
    The following material will provide you information about competencies:
    - ISO 9001 – How to ensure competence and awareness in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-ensure-competence-and-awareness-in-iso-90012015/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Changing template content


    Answer: To change the formula for risk calculation you only have to replace the formula in each cell in the "Risk" column, as you would do to change a formula in an Excel spreadsheet. The cells are not blocked, so you can change the content freely.

    To change the values permitted for columns Consequence and Likelihood, please select the cells in the "Consequence" column you want to apply the change to, access the tab "Data" in the main menu, then in Data Tools select the option "Data Validation". In the window that will show you can edit the values permitted for the cells as well as the warning text. Do the same steps for cells in the column "Likelihood".

    To change the colours that are displayed automatically based on the risk level, you have to select the same cells as in the previous explanation, access the "Conditional Formatting" option in the "Home" tab, and then the option "Manage rules". From there you can edit the colours according to your needs.

    For more information, please access these links:
    - https://support.office.com/en-us/article/apply-data-validation-to-cells-29fecbcc-d1b9-42c1-9d76-eff3ce5f7249
    - https://support.office.com/en-us/article/use-formulas-with-conditional-formatting-fed60dfa-1d3f-4e13-9ecb-f1951ff89d7f
  • Information protection


    Answer: For protection of information flowing through the Internet, and networks in general, the recommended approach is the application of cryptography, both to protect the communication channel and the information itself, and to authenticate the parties involved in the communication.

    These articles will provide you further explanation about use of cryptography:
    - How to use the cryptography according to ISO 27001 control A.10 https://advisera.com/27001academy/how-to-use-the-cryptography-according-to-iso-27001/
    - How to manage the security of network services according to ISO 27001 A.13.1.2 https://advisera.com/27001academy/blog/2017/02/13/how-to-manage-the-security-of-network-services-according-to-iso-27001-a-13-1-2/
  • Privacy Notices

    2. Once the 'Privacy Policy' is completed this goes online but where do we put our 'Privacy Notice' once completed? Can we send this to our clients via email?

    Answers:

    1. This depends on what you are doing with the comments, for what purpose you are collecting them. So, in order to provide you with an accurate answer we would need more details on the reports you are sending and the reason for doing that. Also, do you really need to include the names? What is the reason behind that?
    2. Regarding your Privacy Policy, it is not necessary that you send it to your clients; you could just inform them about it and provide a link to it. Regarding the “Privacy Notice”, according to article 13 of the EU GDPR – “Information to be provided where personal data are collected from the data subject” – you need to provide it at the time the information is collected.
    However, if you don't receive the personal information directly from the data subject but from another source, as per article 14 of the EU GDPR – “Information to be provided where personal data have not been obtained from the data subject” – you can provide the Privacy Notices:
    - within a reasonable time after obtaining the data, but at the latest within a month;
    - if the personal data is used to communicate with the individual, at the latest when that communication is made;
    - if the personal data is disclosed to a third party, at the latest when that data is disclosed.

    If you obtain that personal data from a third party, there is no need to provide a privacy notice if:
    - the individual already has the information;
    - providing the information would be impossible or involve disproportionate effort, particularly where the processing is for archiving, scientific or historical research purposes or statistical purposes;
    - the obtaining or disclosure is pursuant to Union or Member State law and there are appropriate measures to protect the individual; or
    - the information is subject to professional secrecy.

    There is no mention in the EU GDPR on how you should communicate the Privacy Notice so you can use email as well.

    You can learn more about Privacy Notices by accessing our free webinar “Privacy Notices Under the EU GDPR” at https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/