
  • Support contracts - are they required for ISO 27001?


    Answer: ISO 27001 says that you have to assess how important that support is for the security of your data - if you conclude that this support really is important, then you should renew the contracts to be compliant with ISO 27001. This is done through the process of risk assessment.

    These articles will help you:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

    These materials will also help you regarding your suppliers:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-simple-a-small-business-guide-toimplementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course
    https://advisera.com/training/iso-27001-foundations-course/
  • Develop a traceability system


    Answer:

    Start at the end. Imagine that you have a finished product in the warehouse, or that you receive a complaint about a service provided. What kind of information is requested by legislation, by your customers, or by your own organization? Go backwards step by step and determine what kind of information you want to record and easily access. Stop where you want or need to. For example, some organizations only keep traceability after a certain operation. In the first case, with the finished product in the warehouse, with a particular lot number, perhaps you want to see:

    - Who controlled the quality of the finished product, and when
    - Who manufactured the product, when, and with what machines/team/line
    - Who recorded process control verifications, and when
    - What raw materials and subassemblies were used
    - Who manufactured those subassemblies
    - Who controlled the raw materials used, and when
    - Who supplied the raw materials, and when

    This is just an example.

    The following material will provide you information about traceability:

    - ISO 9001 – ISO 9001:2015 clause 8.5 Product realization – Practical examples for compliance - https://advisera.com/9001academy/blog/2015/11/03/iso-90012015-clause-8-5-product-realization-practical-examples-for-compliance/
    - Record of Traceability [ISO 9001:2015] - https://advisera.com/9001academy/documentation/record-traceability/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Transition of ISO 9100 Revision C to Revision D

    The main changes come in the first paragraphs of the standard, which will comprise the main transition points: defining the context of the organization and understanding your interested parties and their needs. Many other requirements are largely similar, with some new operational requirements added for product safety and prevention of counterfeit parts. It can be helpful to do a gap analysis as well (we have a simple one here: https://advisera.com/9100academy/as9100-gap-analysis-tool/).
    For a lot more detail on the transition process see this whitepaper: https://info.advisera.com/9100academy/free-download/as9100-twelve-step-transition-process-from-rev-c-to-rev-d
  • Audit team


    Answer:

    Yes, you can. Just make sure you have an appropriate documented audit methodology and have your auditors take some EU GDPR awareness training.

    Also make sure that the persons performing the audit did not do the EU GDPR implementation, due to conflict of interests.

    You can find a useful EU GDPR Foundations course on our website here: https://advisera.com/training/eu-gdpr-foundations-course//
  • Toolkit support


    Answer: With our toolkits, you can send filled-in documents for review (the quantity of documents you can send will depend on the purchased toolkit). We'll provide our comments on how you can improve them or correct items so the documents are compliant with the ISO 22301 standard.

    Specifically for your needs, these documents are included in the toolkit and will help you with exercising and testing: 
    - Disaster recovery plan
    - Exercising and testing plan
    - Exercising and testing report

    Please access this link to have an overview of our toolkits documentation review features: https://advisera.com/27001academy/iso22301-documentation-toolkit/#toolkit-options

    Access this link to understand the support: https://advisera.com/27001academy/iso22301-documentation-toolkit/#toolkit-expert
  • Assessment criteria rationale


  • ISO 20000 Lead Auditor


    Answer:
    ISO 20000 Lead Auditor training is what you need. Certification should also be part of the training. Look for a training (and certification) provider in your area.
    ITIL knowledge, i.e. ISO 20000 knowledge and experience, is of great help.
  • Customer feedback and organizational memory


    Answer:

    If your organization:

    - receives and handles customer complaints, one example of customer feedback, that should be kept as documented information;
    - asks customers for feedback about their satisfaction, that information could be obtained in a conversation but, as a good practice, should be recorded and kept as documented information, at least as an input for management evaluation;
    - receives from customers a sort of supplier performance rating, that is also customer feedback, which should be kept as documented information, at least as an input for management evaluation or an input for corrective actions.

    Keeping documented information is a way of keeping the memory of the organization. People can change and personal memories can play tricks on us, so having an organization's memory is an important feature to learn.

    The following material will provide you information about customer complaints:

    - ISO 9001 – Effective complaints management in a QMS - https://advisera.com/9001academy/blog/2014/09/16/effective-complaints-management-qms/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Auditor competence


    Answer:

    As an auditor you should be able to demonstrate your competence to your customers. As a minimum you should demonstrate certification as a lead auditor, and certification that you know the standard. So, I would recommend training to formalize your knowledge of ISO 9001:2015. Please see the links below about how to integrate ISO 27001 and ISO 9001.

    The following material will provide you information about ISO 9001 and ISO 27001 integration:

    - How to integrate ISO 9001 and ISO 27001 - https://advisera.com/9001academy/blog/2016/09/27/how-to-integrate-iso-9001-and-iso-27001/
    - Using ISO 9001 for implementing ISO 27001 - https://advisera.com/27001academy/blog/2010/03/08/using-iso-9001-for-implementing-iso-27001/
  • Exceptions

    1. Information about other people -
     a) does this mean that we do not need to disclose any email content to a requester that contains a reference or information relating to other people?
     b) does this mean that we do not need to disclose CCTV footage that contains other people in it?
    2. If we were to classify all documentation and electronic communication as ‘Confidential’ and/or as only “opinions held by the company”, do we need to disclose any information at all? It would appear that if we can show that we have classified it as “Opinions” we are not bound to share. "does not have to disclose personal data held in relation to a data subject that is in the form of an opinion given in confidence” and "In general, privileged information includes any document which is confidential”

    Answer:

    Regarding your 1b question, you can provide the email content to a requester if the information only concerns him; if there is other information concerning other persons, that information should be removed.

    As far as CCTV goes, unless you can blur the faces of the other data subjects, you don’t need to disclose the images. There is also the situation where the requester could provide you with the consent of the other data subjects who were caught on tape to disclose the footage (this is most likely only in theory). Be aware that if the requester is a law enforcement agency you need to comply based on your local legislation.

    The “Opinions held by the Company” refer to legal opinions provided by a qualified lawyer that are under “lawyer–client privilege”. As for “Confidential” information, you can always remove the confidential part of the document and just leave the information about the requester.