Search results for "iso17025 vs gmp"


  • Should nonconformities undergo a documented risk assessment / analysis?

    ISO 27001 does not prescribe risk assessment to be performed over identified nonconformities, so a company is not obliged to perform it.

    This article will provide you with further explanation about handling non-conformities:

  • Request for guidance

    ... 7001 2013 vs. 2022 revision – What has changed? https://advisera.com/27001academy/blog/2022/02/09/iso-27001-iso-27002/

    This material can also help you:

  • ISO 27001:2013 VS ISO 27001:2022

    Hi there, I have been qualified as a Lead Auditor on 2013 objectives. Can 2013 objectives still be active, and can an organisation be certified with those objectives?

  • Question about gap analysis

    Please note that the standard does not require a gap analysis between two versions of the standard to be performed.

    For analysis between these two versions, we suggest these documents:

    This tool can also help you:

  • Surveillance audit

    You can continue with the surveillance audit according to the ISO 27001:2013 standard by 10 August 2023.

    But please note that you need to make the transition to the 2022 revision of the standard by October 31, 2025.

    For further information, see:

    • ISO 27001 2013 vs. 2022 revision – What has changed? https://advisera.com/27001academy/blog/2022/02/09/iso-27001-iso-27002/

  • ISO 9001 and Gap Analysis and Internal Audit

    ... analysis vs internal audit and the different perspectives of each. Is the checklist the same? With additional column in the case of internal audit to write what is actually being found and observed. Is this right?

    C) I was also interested in the different ways to organize an internal audit: department by department, process by process or clause by clause. I am wondering when it is best to choose which and whether there is such a thing as department x clause and process x clause matrices.

  • Support re. internal audit section of ISO 27001 2022

    ... ... rence to ISO 27002.

    Please note that ISO 27001 is the main standard for Information Security Management Systems, while ISO 27002 is a supporting standard that can be used to help implement controls from ISO 27001 Annex A.

    Additionally, in certification audits, the auditor reference is ISO 27001, not ISO 27002.

    For further information, see:

  • Privacy Policy Template

    ... ion/policy-for-data-privacy-in-the-cloud/

    This document is based on guidelines from ISO 27018, a supporting standard to ISO 27001 which covers the protection of privacy in cloud environments.

    For further information, see:

  • Mandatory documents

    Please note that organizations can still certify against ISO 27002:2013 until October 31, 2023, and companies already ISO 27001:2013 certified still have until October 31, 2025, to make the transition to ISO 27001:2022.

    For further information, see:

  • Systems vs Suppliers

    I am curious to get some input in regards to how you manage Suppliers of critical systems. At the moment I am struggling with deciding whether we should consider all providers of critical systems also as a critical supplier and handle them in our supplier handling process. All critical systems are handled, risk assessed etc. according to our Asset management process. But I now ask myself if it is necessary to also have all of them inserted as critical supplier and go through all the administrative work related to that.

    Example: we use Hubspot and this has been evaluated as a critical system. It is included in our system asset register, has gone through a comprehensive system review and we have the relevant contracts/agreements in the contract database. Would you also add Hubspot in the supplier register as a critical supplier? Which means that we will also evaluate the supplier on a regular basis etc.

    Another aspect to this is that for systems that we "purchase" via a supplier, then we don't have the actual provider of the system registered as a supplier but the partner that the system provider is using.

    I would love to hear your thoughts on this.
