Search results


  • Competence evidence


    Answer: According to ISO 27001, clause 7.2 (Competence), competences are based on appropriate education, training, or experience, which can be evidenced by means of certificates, registered hours of work on specific activities, and records of attended trainings.

    These articles will provide you with further explanation about evidencing competencies:
    - How personal certificates can help your company’s ISMS https://advisera.com/27001academy/blog/2014/10/06/how-personal-certificates-can-help-companys-isms/?icn=free-blog-27001&ici=top-how-personal-certificates-can-help-companys-isms-txt
    - What to look for when hiring a security professional https://advisera.com/27001academy/blog/2016/02/15/what-to-look-for-when-hiring-a-security-professional/
  • Sample texts in templates

    Is this meant as an example of how to fill it in?

    Answer: The purpose of this section is to define how to control the records defined in a procedure or policy, and the Incoming Mail Register is a record defined in this procedure (section 4), to show evidence of how external documents are handled. So it is not a sample of what you can fill in this section, but the actual text that you must use (of course, the text in brackets has to be customized to your organization's context).

    Included in the toolkit you bought you have access to a video tutorial that can help you fill in the Procedure for Document and Record Control.
  • Delayed audit report


    Due to the difficulty of closing out the audit finding by collecting bits and pieces of the auditor's report, as I am new to the company, I proposed to re-audit the whole process and deliver a new audit report and finding instead. Alternatively, we submit an RCA on the reasons why we could not close out the NCR raised in the Client Audit finding.

    Our client still insists that the way to close out the NCR raised during the Client Audit is to submit the complete audit report and its analysis from the previous audit. How should I go about this situation?

    Answer: You may try to explain to your client that, since a very long time has passed since this audit (almost a year by now), the effort to complete and submit this report may not be worthwhile, because the conditions may have changed and the non-conformity treatment may no longer reflect the audited situation. Besides that, you may also argue that the next audit is close and you can use that audit to cover this gap, avoiding unnecessary costs.
  • Documents review criteria


    Answer: ISO 27001 does not prescribe which criteria to use to define conditions for document review, so you can use only the "review if necessary" condition. However, it is good practice to define a time frame, so you can ensure that documents are reviewed before events that have a defined time frame (e.g., you have to define a time frame for the management review, and this review has inputs that can lead to the need for a documentation review).

    This material will also help you regarding document management:
    - Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
  • Security policy


    Answer:

    The requirement you refer to is meant to be complied with by the data processor that is processing personal data on your behalf, so any of your processors would need to have at least a security policy in place to protect personal data. Of course, a supplier can have a whole security framework in place with a multitude of documents.

    As for your own security setup, you can find a couple of security-related policies in folder 8 of our EU GDPR implementation toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/, from which you can choose those most relevant to your business activities. I can also warmly recommend ISO 27001 as a good example of a security framework.

    You can find out more about ISO 27001 and the EU GDPR in our article “Does ISO 27001 implementation satisfy EU GDPR requirements?” here: https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/
  • Legal grounds


    Answer:

    There are six legal grounds for processing, which can be found in article 7 of the EU GDPR (https://advisera.com/eugdpracademy/gdpr/lawfulness-of-processing/). These six legal grounds are:
    - Consent - The individual has given consent to the processing for one or more specific purposes;
    - Necessary for performance of a contract - The processing is necessary for the performance of a contract with the individual or in order to take steps at the request of the individual prior to entering into a contract;
    - Legal obligation - The processing is necessary for compliance with a legal obligation to which the controller is subject. Only legal obligations under Union or Member State law will satisfy this condition. However, that law need not be statutory (e.g. common law obligations are sufficient);
    - Vital interests - The processing is necessary in order to protect the vital interests of the individual or of another natural person. This is typically limited to processing needed for medical emergencies;
    - Public functions (public interest) - The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Those functions must arise under Member State or EU law; or
    - Legitimate interests - The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Public authorities cannot rely on this condition.

    You can also check out our article “Is Consent needed? Six Legal Basis to Process Data According to GDPR” on https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/
  • Internal audit findings


    Answer:
    ISO 20000 contains many required records, documents, or other information, so it is hard to generalize. In, e.g., the Incident Management or Change Management processes, you will look for tickets related to incidents or changes. The same applies to Problem Management. Availability or Capacity Management will require measurements, so you will look for measurement files.
    Further on, Configuration Management requires a CMDB. So you need to check whether it exists, in which form, whether it fulfills the standard's requirements, etc. CIs need to have recorded incidents and changes, so these are all items you need to check.

    Also, see these articles to learn more:
    "ISO 20000 internal audit – What is it and why is it important?" https://advisera.com/20000academy/blog/2016/06/07/iso-20000-internal-audit-what-is-it-and-why-is-it-important/
    "What is the purpose of the internal audit report in ISO 20000?" https://advisera.com/20000academy/blog/2017/03/07/what-is-the-purpose-of-the-internal-audit-report-in-iso-20000/
  • Cláusula 7.4 de la ISO 22301

    Question: I have been working with the documentation you sent me, especially the BIA, but now I need to address the topic of communication, clause 7.4 of the standard. Do you have documents for this point? I have not been able to identify it in the document pack.

    Answer: You can cover all communication-related matters with the Incident Response Plan, the Business Continuity Plan, and the Recovery Plan. Therefore, we basically do not have a specific document for clause 7.4 of ISO 22301, but you can use the documents I mentioned to meet the requirements of this clause.
  • Implementation of knowledge management?


    Answer:

    You should determine the knowledge that your organization needs to operate its processes and make products and services according to requirements.
    You should maintain this knowledge and make it available as needed, for example, when new people are hired.
    Consider your current knowledge when making changes, and determine how you will gain additional or updated knowledge if necessary for the changing needs.

    The following material will provide you with information about knowledge management:

    - ISO 9001 – How to manage knowledge of the organization according to ISO 9001 - https://advisera.com/9001academy/blog/2016/08/30/how-to-manage-knowledge-of-the-organization-according-to-the-iso9001/
    - Free online training: ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book: Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Implementation of risk management


    Answer:

    There are no mandatory documents required by ISO 9001:2015 to evidence implementation of Risk Management.

    So, you are free to decide how to perform and evidence Risk Management. Normally, organizations create a non-mandatory procedure for addressing risks and opportunities, and maintain a Risk Registry to keep an updated list of the determined risks and opportunities, their evaluation according to the action needed, the actions performed, and the evaluation of their effectiveness.

    The following material will provide you with information about the risk-based approach:

    - ISO 9001 – How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    - Risk-based thinking replacing preventive action in ISO 9001:2015 – The benefits - https://advisera.com/9001academy/knowledgebase/risk-based-thinking-replacing-preventive-action-in-iso-90012015-the-benefits/
    - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
    - ISO 9001:2015 Risk Management Toolkit - https://advisera.com/9001academy/iso-90012015-risk-management-toolkit/
    - Free online training: ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book: Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/