ISO 9001:2015 no longer requires a Quality Manual as a mandatory document of a management system. That gives much more freedom about what to include in a Quality Manual. I always think of a Quality Manual as a kind of identity card of an organization. So, I design Quality Manuals that answer questions like:
- Who are we? (picture of the organization's building and group photo of everybody working in the company)
- What do we do? (pictures of products or services being provided, scope of the system and reference to any exclusion)
- What are our values and commitments? (quality policy)
- For whom do we work? (customers and other relevant interested parties)
- How do we work? (map of interrelated processes)
- Table with documents relevant for the management system
The following material will provide you information about Quality Manuals:
Answer: From our templates, the following policies cover ISO 27001 network related controls:
- Access control policy (covers control A.9.1.2 Access to networks and network services)
- Bring Your Own Device (BYOD) Policy (covers control A.13.2.1 Information transfer policies and procedures)
- Acceptable Use Policy (covers control A.13.2.3 Electronic messaging)
- Information Classification Policy (covers control A.13.2.3 Electronic messaging)
- Information Transfer Policy (covers controls A.13.2.1 Information transfer policies and procedures and A.13.2.2 Agreements on information transfer) (this one you already bought)
For a more operational approach, you should consider the Operating Procedures for Information and Communication Technology, which covers the controls A.13.1.1 Network controls, A.13.1.2 Security of network services, A.13.2.1 Information transfer policies and procedures and A.13.2.2 Agreements on information transfer.
Answer: The place to include references in our templates is section 2 (Reference documents). Applicable controls to each template are already included in this section, so you should check if the references you want to include are already there, or if you should add the ones you wish.
Also, we are currently going through who our interested parties are; other than going through each piece of UK legislation in detail, is there any other way of reviewing this element of the task?
Answer: Besides entities that issue laws your organization must comply with, you should also consider as interested parties employees, customers and suppliers that can affect, or be affected by, your ISMS.
This article will provide you further explanation about interested parties:
- How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301/
Answer: The proper approach is that the person responsible for each business activity determines the criticality of the functions in his/her department, not only because they know their activities best, but because this will create a sense of accountability that will ensure more precise results. You should act as support for them, providing real examples of relevant disasters that affected other companies (so they understand that extreme failures can happen) and orientation about the BIA methodology.
As regards the existing emailing list, where the legal basis for processing is consent given under the Data Protection Directive, it will continue to be valid under the Regulation if it also meets the requirements of the Regulation. For example, check that when you obtained the consent you were not using pre-ticked boxes and that the request for consent was separate from other matters.
If you have emails of partners, you can use "contract necessity" as a legal basis for processing, assuming you have an already existing contractual arrangement.
As for obtaining the consent by contacting the data subject by email, I would advise against that, because by sending an email you are already processing personal data and you would need a legal basis for this.
As key takeaways:
- Review your existing processes to obtain consent to establish if they are valid under the Regulation;
- Consider if you can rely on an alternative basis for processing;
- If you do want to use consent, put in place processes to record and act on a withdrawal of consent.
BIA exercise participants
What does the ISO standard recommend?
Answer: ISO 22301 does not prescribe who must participate in a BIA exercise, but you should consider any person or business unit that may have relevant information related to the business being analysed.
Can we exclude every clause related to production/preservation/calibration, etc.?
Answer: ISO only allows exclusion of clauses from section 8. Although your scope doesn't include production, it surely includes service provision. Perhaps you can exclude some clauses of section 8 like preservation and calibration (although the latter is from section 7), but you can't exclude service provision. ISO 9001 mentions the word stakeholders precisely because of organizations like yours that work with donors' funds but provide a service to others as third parties, like communities or like victims.
The following material will provide you information about scope definition and exclusions: