A.9.2.5 Security of equipment off premises
Control
Security shall be applied to off-site equipment taking into account the different risks of working outside the organization’s premises.
I am not seeing the relationship there. Perhaps I'm missing an important point here. Can you lend me some guidance?
Answer: Sorry, but you are making a mistake here. ISO 27001:2013 control A.9.2.5 refers to "Review of user access rights" (Asset owners shall review users’ access rights at regular intervals). The control about "Security of equipment and assets off-premises" is A.11.2.6, which is not covered by this template (this control was A.9.2.5 in ISO 27001:2005, which was withdrawn when the 2013 version was released). Here you can find the current version of the standard: https://www.iso.org/standard/54534.html
Answer: From your question I'll assume you are referring to the Statement of Applicability (SoA). Considering that, you have to evaluate whether the SoA must be updated when there is a significant change in the ISMS scope or risk scenario, or at least during the management review, which is normally performed at least once a year. For controlling the SoA version you have to verify what is defined in your procedure for control of documents and records, because the SoA is a mandatory record for ISO 27001 certification.
The lead generation service that you buy your services from would need to be GDPR compliant before sending you the data, that is, after the application date.
Consent under the EU GDPR
Answer:
Where consent has been given under the Data Protection Directive, it will continue to be valid under the EU GDPR only if it also meets the requirements of the Regulation.
This may be difficult given the new and stringent requirements for consent. If the consent does not meet the requirements of the EU GDPR, you should consider approaching the existing customers to obtain fresh consent that is valid under the Regulation.
Consent under the EU GDPR needs to be “freely given, specific, informed and unambiguous indication of the individual’s wishes”. This means among others that:
- Inactivity or silence is not enough, and the use of “pre-ticked boxes” is not permitted, so the opt-out solution will not work.
- “Bundle consent” is not allowed. Where different processing activities are taking place, consent is presumed not valid unless the individual can consent to them separately.
- The individual can withdraw consent at any time and must be told of that right prior to giving consent. It should be as easy to withdraw consent as it is to give it.
If your consent does not comply with these requirements, you would need to approach the data subjects again to obtain fresh, EU GDPR-compliant consent.
Yes, the notices need to be written in "clear and plain language". This also includes the fact that all the affected data subjects would need to understand the content within.
QMS as a preventive system
Answer:
You are right in one important point. The whole QMS is, or should be, a preventive system. Your procedures and instructions reduce risks; they prevent wrong things from happening. But, please, check the definition of risk. There is an important point: uncertainty. Your procedures and instructions can’t consider everything. You should review activities and procedures/instructions to evaluate whether there are new risks to be considered that are worth changes in the way of acting.
The following material will provide you with information about the risk-based approach:
When I saw in the content “Job preparation (very detailed check-list of tools and…” I remembered quality manuals made in the late 80’s, because the standard at that time mentioned that the manual should refer to the documentation or include it. As you know, ISO 9001:2015 does not require a quality manual; nevertheless, most organizations are keeping a document that they call the Quality Manual, or the Management System Manual. I advise you to proceed with your idea of making it as short as possible, perhaps 10 pages. 10 pages where you answer questions like:
a) Who are we?
b) What do we do?
c) Whom do we serve?
d) What kind of compromises do we assume?
e) How do we work? (where you can map your processes)
Your idea of a separate Operations Manual, for example, seems very good.
Please see below some material with information about the quality manual:
- ISO 9001 – Writing a short Quality Manual - https://advisera.com/9001academy/knowledgebase/writing-a-short-quality-manual/
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
Risk based approach
Answer:
1. For example, in a Test Lab setting or in an Inspection Certification Body I would act in the same way:
a) what are the overall results that you intended to meet with your QMS in those settings?
b) did you map the processes for each of those settings? For each process, what are the overall intended results? For each process, what is its purpose?
c) for each service provided by each setting, what are the performance objectives, the specifications?
Then, for those three kinds of expected results you can ask: what can go wrong? In what ways can those expected results not be met? Each of those ways of failure is a risk. That would be my starting point. I would improve this baseline assessment with iterations done after non-conformities and performance evaluation.
2. ISO 31000 is for doing more than what is requested by ISO 9001:2015. It gives guidance, for example, about possible types of actions concerning risk mitigation, risk avoidance and risk reduction.
Would the results be affected drastically compared to the initial time scale assessments?
Answer: The values presented in the template for the time scale can be changed to fit your organization's needs without any problem. They are only examples based on our experience, and changing them won't have effects on your results, considering your organizational context.