Please give me the highlights on what the Rev D invokes.
Example:
1) Risk Assessment
2) Leadership Context
3) Process Capability
Answer:
The main changes in the new standard are the additions of requirements for understanding the context of your company, the interested parties of the QMS and their requirements, risk assessment for the QMS, leadership commitment, product safety and the prevention of counterfeit parts. Most other sections have few changes with the exception that they talk about the products and services that a company provides.
In the near future there will be a whitepaper matrix of the changes from Rev C to Rev D released on 9100Academy, but in the meantime the best place to look is the whitepaper on understanding the standard (https://info.advisera.com/9100academy/free-download/clause-by-clause-explanation-of-as9100-rev-d) and the infographic on the changes (https://advisera.com/9100academy/knowledgebase/as9100-rev-d-vs-rev-c-what-has-changed/).
Risk Register vs Incident Log
The risk register and the incident log are complementary documents. The first records what may happen, and the second what really happened.
Identified risks are required by ISO 27001 as part of the risk assessment and treatment process. An incident log is only required if there are unacceptable risks that justify controls which require its implementation (e.g., A.16.1.2 Reporting information security events).
As the doctors are sharing patient data with you, they should both obtain consent and present the patient with a privacy notice that is GDPR compliant.
Minimum standard
Answer:
The information you need to provide to the data subject is the same as for written/online notices, so there is no difference in terms of content. However, make sure you keep the recordings of you presenting the notice.
DPO
Indeed, as mentioned before, no formal certifications are required, at least for the time being. However, keep in mind that strong knowledge of the EU GDPR, as well as other relevant privacy laws, is needed, since most likely the DPO will be the one running the whole EU GDPR framework within the company.
Appendices in ISO 22301?
Answer: Sorry, but ISO 22301 has no appendices, so this standard does not talk about appendices. Where you can see appendices is in our ISO 22301 documentation package; for example, the document "Procedure for Identification of Requirements" has the appendix "List of Legal, Regulatory, Contractual and Other Requirements", which is simply an additional document used to support the procedure. Here you can see our list of documents with their appendices, and you can also see which documents are mandatory: https://advisera.com/wp-content/uploads//sites/5/2015/06/Lista_de_documentos_Paquete_de_documentos_sobre_ISO_22301_BS-25999_ES.pdf
Inventory of processing activities
Answer:
The inventory of processing activities needs to be filled in by the companies themselves; there are no "most used processing activities", since these are closely linked to the business. For example, a call center's processing activities will be different from those of a recruitment company. This is why we provided in the EU GDPR toolkit (https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/) the "Guidelines of Processing Activities Inventory", which will explain how you could tackle this task.
As for the Retention Schedule, it is somehow the same story, especially for certain types of records for which the retention period is established by local legal requirements. For example, the retention period for CCTV footage is different between various Member States, and the same goes for payroll-related documents as well.
ISO 27017 and ISO 27018 certification
Answer: Although there are some certification bodies issuing certificates for ISO 27017 and ISO 27018, these are unofficial (to ISO these standards are not certifiable), and cannot be issued without a formal ISO 27001 certification.
ISO 27017 and ISO 27018 are support standards to ISO 27001, providing specific guidance and orientation on security controls from ISO 27001 Annex A that are applicable to cloud environments and Personally Identifiable Information.
Answer: You can have situations where the non-financial impact is high and the financial impact is low, so the non-financial impact is more significant in determining the MAO. In such cases the MAO is not calculated, but determined considering the perceptions of the interested parties about how long the outage should last so that the organization wouldn't be able to resume business activities. Since this is a subjective approach, you should involve personnel with as much experience and knowledge about the impact as possible, to ensure some degree of confidence in the MAO value.