Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11272 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Data retention policy
Answer:
The EU GDPR states that personal data should not be kept for longer than necessary (https://advisera.com/gdpr/principles-relating-to-processing-of-personal-data/) thus all records of personal data need to be deleted at some point when no longer needed for a specific activity.
The documents listed in the Data Retention Policy are one of the most common records where personal data can be found, you can delete or add records based on your own business activity. Remember that the retention refers only to personal data thus records that do not contain personal data are not in scope of the policy or the GDPR. -
Quality Manual in IATF 16949
Answer:
IATF 16949 defines additional requirements to ISO 9001 specific for the automotive industry. ISO 9001 doesn't mention the manual, but IATF 16949 requires the Quality manual that will follow the structure of the standard, so it does not only requires organizations to have the manual but it also defines how it should be structured.
For more information, see: How to write the IATF 16949 Quality Manual https://advisera.com/16949academy/blog/2017/05/31/how-to-write-the-iatf-16949-quality-manual/ -
Preguntas sobre el libro Seguro & Simple
Respuesta: El libro está desarrollad o para guiarte en la implementación de la ISO 27001, y la mayoría de tus cuestiones están cubiertas por el libro: alcance del SGSI, definición de roles y responsabilidades para la gestión del equipo, y el tratamiento de la implementación como un proyecto.
Con respecto a los costes, este artículo puede ser interesante para “How much does ISO 27001 implementation cost?” : https://advisera.com/27001academy/blog/2011/02/08/how-much-does-iso-27001-implementation-cost/
Con respecto a los tiempos, esta herramienta gratuita puede resultarte útil “Duración de la implementación de ISO 27001 e ISO 22301” : https://advisera.com/27001academy/es/herramientas/calculador-gratuito-del-tiempo-de-implementacion-para-iso-27001-iso-22301/
Con respecto a la línea base, mi recomendación es definir un plan de proyecto, y seguirlo. El libro proporciona información sobre la definición de un proyecto para la implementación, y puedes ver también este artículo “ISO 27001 project - How to make it work": https://advisera.com/27001academy/blog/2013/04/22/iso-27001-project-how-to-make-it-work/
Con respecto a las minutas y registros, este artículo te puede interesar “Records management in ISO 27001 and ISO 22301” : https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
Con respecto a la comunicación, generalmente los comunicados internos/externos relacionados con el SGSI se gestionan con un plan de comunicación. Este artículo te puede ayudar “How to create a Communication Plan according to ISO 27001” : https://advisera.com/27001academy/blog/2014/10/27/how-to-create-a-communication-plan-according-to-iso-27001/
Con respecto a las reuniones, generalmente la frecuencia depende de la empresa, aunque mi recomendación es que sean anuales (como mínimo)
Con respecto a las cuestiones relativas a riesgos del proyecto, puedes cubrir esto con el plan de proyecto, aunque esta cuestión no es de ISO 27001, es una cuestión relacionada con la gestión de proyectos, y tienes otros estándares para este propósito (como PRINCE2, PMP, etc)
Con respecto al control de la calidad, supongo que te quieres referir a "la revisión de la efectividad de los controles de seguridad, y puedes usar métricas/indicadores, por tanto este artículo también te puede interesar “Key performance indicators for an ISO 27001 ISMS” : https://advisera.com/27001academy/blog/2016/02/01/key-performance-indicators-for-an-iso-27001-isms/ . Este artículo también te puede ayudar “How to perform monitoring and measurement in ISO 27001” : https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/ . Por otra parte, las auditorías pueden ser usadas también para verificar la implementación del SGSI, el estado de los controles, etc, y esto es cubierto por el libro, aunque aquí puedes ver más información para realizar la auditoría interna “How to make an Internal Audit checklist for ISO 27001 / ISO 22301” : https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
Finalmente, si estás pensando sugerir el proyecto a la alta dirección, este artículo sobre los beneficios de la ISO 27001 te puede ayudar “For key benefits of ISO 27001 implementation” : https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
Y también este webinar gratuito “Beneficios de ISO 27001: Cómo obtener el apoyo de la Dirección” : https://advisera.com/27001academy/es/webinar/iso-27001-benefits-how-to-obtain-management-support-free-webinar/ -
Numbering documents
Thank-you Carlos, moving forward into an electronic system, I appreciate your help. -
ISO 9001:2015 and confidentiality
Answer:
Confidentiality matters related to relevant stakeholders are treated under clause 8.5.3. Internal confidentiality matters are treated under clause 7.5.3.1 b) and clause 7.5.3.2
The following material will provide you information about documented information:
- ISO 9001 – New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
Transition from ISO 9001:2008
Answer:
You should contact your certification body because they are the ones that can help you more with that question. Some certification bodies stop issuing ISO 9001:2008 certificates after September 2016, and most importantly ,last October the International Accreditation Forum decided that certification bodies will no longer certify QMS according to ISO 9001:2008 after 15 March 2018. After that date, even if your QMS is according to ISO 9001:2008, certification bodies will conduct all ISO 9001 initial, surveillance, and recertification audits to the new version (ISO 9001:2015).
The following material will provide you information about transition:
- ISO 9001 – How to make the transition from ISO 9001:2008 revision to the 2015 revision (be careful some information about dates is no longer valid) - https://advisera.com/9001academy/blog/2015/10/06/how-to-make-the-transition-from-iso-90012008-revision-to-the-2015-revision/
Tools for ISO 9001:2015 transition - https://advisera.com/9001academy/2015transition/
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
Minimum monitoring and measuring requirements
Answer:
It is hard to determine what is the minimum requirements for monitoring and measuring within ISO 14001 based Environmental Management System simply because it heavily depends on the significant environmental aspects the organization has.
But besides the monitoring and measuring that are part of the operational controls, the organization has to, as a very minimum, conduct monitoring and measuring of the environmental performances, evaluate compliance with relevant environmental legislation and conduct internal audits and management review.
For more information, see: How to measure the effectiveness of your EMS according to ISO 14001:2015 https://advisera.com/14001academy/blog/2016/09/05/how-to-measure-the-effectiveness-of-your-ems-according-to-iso140012015/
These materials will also help you regarding monitoring and measuring in ISO 14001:
- Book THE ISO 14001:2015 COMPANION https://advisera.com/books/the-iso-14001-2015-companion/
- Free online training ISO 14001:2015 Foundations Course https://advisera.com/training/iso-14001-foundations-course/
- Conformio (online tool for ISO 14001) https://advisera.com/conformio/ -
Lead implementer and lead auditor
a) Should I take ISO 27001 LA or Implementation course ?
b) What's the difference between the two ?
Answer: Let's start with the differences:
- ISO 27001 Lead Implementer – this certification recognizes people who have competency on the ISO 27001 implementation process.
- ISO 27001 Lead Auditor – this certification recognizes people who have competency on auditing an ISMS against ISO 27001 requirements and want to become certification auditor (and with this provides more confidence to an organization for being certified).
So, the decision about which one to take will depend on your professional purposes. If you plan to work on an information Security Management System certification process, then you should consider the Lead Implementer certification. If you plan to ensure the operation of an ISMS, then you should consider the Lead Auditor certification.
These articles will provide you further explanation about ISO 27001 personnel certifications:
- What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
- What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
This material will also help you regarding ISO 27001 personnel certifications:
- ISO 27001 Lead Auditor Course preparation training [free webinar on demand] https://advisera.com/training/iso-27001-lead-auditor-course/ -
Information system certification
Não sei como funciona a certificação, gostaria de contratar alguém para me guiar nesse processo.
(I need to develop a system that should be certified, it's a small system, which will save aircraft flight records.
I do not know how certification works, I would hire someone to guide me in this process.)
Answer: ISO 27001 does not certify systems or products, but processes and sites.
Considering this, you can to use ISO 27001 to certify your development process in order to provide confidence that the system's requirements, including security requirements, have been properly identified, implemented and tested.
These articles will provide you further explanation about ISO 27001 and the certification process:
- What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
These mate rials will also help you regarding ISO 27001 and the certification process:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
- ISO 27001/ISO 22301: The certification process [free webinar on demand] ISO 27001/ISO 22301: The certification process [free webinar on demand]
If you want more information, ask to schedule a conversation with one of our specialists through this link: https://advisera.com/27001academy/consultation/