Search results


  • Drawing a checklist


    Answer:

    If you want to develop a checklist to audit top management, you should start with the purpose of the audit: Is it to check conformity? Is it to check effectiveness? Let us suppose that it is to check conformity. Then, you should collect the audit criteria (quality policy, quality objectives, procedures, ISO 9001 and any other external documentation that sets rules for the organization, for example legislation).

    Now is the time to develop the checklist:

    Read the audit criteria, and ask yourself: Is this true? Are we doing this? Be suspicious, be cynical and underline all topics that mess with you and your curiosity. Then, for each topic, start to list questions that you want to ask (where and to whom), things that you want to observe being done (where and when), and things that you want to verify (where).

    Now it is just a matter of organizing all those questions, observations and verifications to be done along an itinerary for your audit (when in one place you do everything there, to avoid coming to a place, walking away and then coming back again).

    The following material will provide you information about checklists:

    - ISO 9001 Audit Checklist - https://advisera.com/9001academy/knowledgebase/iso-9001-audit-checklist/
    - Internal Audit Checklist [ISO 9001:2015] - https://advisera.com/9001academy/documentation/internal-audit-checklist/
    - ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book: Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Document numbering


    Answer:

    They are not required to be the same as long as each numbering structure is defined for each facility and followed.

    The following material will provide you information about documentation:

    - ISO 9001: How to structure quality management system documentation - https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/
    - Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book: Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Data processors


    Answer:

    It is very unlikely that you are only a processor. If you are based in the EU and you have employees, this makes you a controller in terms of processing their personal data, at least for the purpose of HR management.

    Regardless, assuming that you are acting solely as a processor, the only folders of the toolkit that will not be suitable for you are “04_Managing_Data_Subject_Rights” and “05_Data_Protection_Impact_Assessment”.

    You may also need to tweak the “9.1_Data_Breach_Response_and_Notification_Procedure_EN” a little, because as a processor you are only required to notify the data controllers about the data breach and you are not allowed to contact the Supervisory Authority or the data subjects. If your customers acting as controllers don’t have specific requirements as regards what information to provide them when a data breach occurs, you can use the template “9.3_Data_Breach_Notification_Form_to_the_Supervisory_Authority_EN” to inform the controller about the breach (just remove “TO THE SUPERVISORY AUTHORITY” from the title).
  • Risk assessment information

    1. What is the job title of the person responsible for the Risk Treatment Plan?
    2. Can we give the ISMS Project Manager and the Internal Auditor* the right to make entries into and changes to the Statement of Applicability?

    Note: The right would be given to the internal auditor after the internal audit procedure, to keep the records of the SoA updated.

    Answer: The person responsible for the ISMS can also be designated as responsible for the overall Risk Treatment Plan, but you should note that for each action in the plan there also has to be a designated person, who can be different from the person responsible for the overall plan (usually this is either the risk owner or the person responsible for the control being implemented).

    The ISMS Project Manager can have access to make entries and changes to the Statement of Applicability during the project implementation, but any modification in the SoA must be approved by Top Management before publication.

    Normally the internal auditor cannot have editing access to the SoA (his activities only require him to evaluate the document). Any changes due to the results of an audit must be performed by the person responsible for the SoA (generally the person responsible for the ISMS).

    This article will provide you further explanation about the risk treatment plan:
    - Risk Treatment Plan and risk treatment process – What’s the difference? https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment

    This material will also help you regarding the risk treatment plan:
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Scope definition


    Answer: You can limit the scope only to the IT department, but considering the size of your organization it is better to include the whole organization in the ISMS scope, because the effort required to keep the separation may be greater than the effort to implement and maintain the ISMS for the whole organization.

    These articles will provide you further explanation about scope definition:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    These materials will also help you regarding scope definition:
    - Book: Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Asset register


    The application has many components which I assume we would classify as underlying assets. In your Excel worksheet, you have Category of asset, Tool for delivery of service, Underlying assets, Category of underlying asset, Asset name, Asset owner, Risk owner, etc.

    If I were to classify the application in the worksheet, would I do the following?
    Category of asset: Applications and databases
    Tool for delivery of service: XXXX
    Included features within tool: Here I would list the various modules of the application, e.g. online access, user interface, reports, etc.
    Infrastructure / Server(s) name: Here I would list the names of the servers that are used to host the application.
    Underlying assets: If the application consists of server databases sitting on XXX servers, plus XXX servers, would these be classed as underlying assets?
    Category of underlying asset: For category of underlying asset, I assume that I would class the XXX servers as Operating Systems and the XXXX servers as Database Applications. In the same way, I would classify XXXX as an Operating System and XXXX as a development tool.
    Asset Owner and Risk Owner: I assume that I allocate risk owners here based on the technology involved. The Asset Owner in all cases may be the Operations Manager, but the risk owners may be the Server Team and the DBA respectively.

    So, in summary, if I classify “XXXX” as the tool for delivery of the service and allocate the many underlying components as underlying assets, is this the best approach?

    Answer: An approach with this level of detail is not common for small companies in general, but it is not wrong (big companies may see it as adequate). The main question you should consider here is whether this level of detail is really necessary for you to manage the risks efficiently.

    This article will provide you further explanation about the asset register:
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
  • Product safety training


    Answer:

    The standard requires the organization to identify training needs regarding product safety and to perform the training. Training needs can be determined based on new activities introduced regarding product safety, or based on the FMEA results or customer requirements. Once you identify the training need, you need to plan and perform the training and produce records about the training, e.g. a training report.

    The training plan that contains training about product safety and the training report on the training conducted are sufficient evidence to demonstrate compliance with this requirement of the standard.

    For more information, see: Ensuring product safety according to IATF 16949 https://advisera.com/16949academy/blog/2017/09/20/ensuring-product-safety-according-to-iatf-16949/
  • Company data

    As long as we are talking about personal data, the EU GDPR comes into play, so it doesn't matter whose data are concerned: it could be employees, customers, customers' employees or suppliers' employees.
