Search results


  • Management system scope change


    Answer:

    Will the acquired company be merged with your organization with the same brand(s) and logo? If yes, your organization is changing the scope of the management system with a new geography/site. In that case your company should contact the Certification Body to inform them about the change.

    The following material will provide you information about the management scope:

    - ISO 9001 – How to define the scope of the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
    - Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • How do I get consultancy work?

    Thanks. All very good advice and I will follow it up.
  • EU GDPR for the banking sector


    Answer:

    There is no specific DSGVO (EU GDPR) for the banking sector alone; the GDPR is meant to be applicable across industries as long as personal data is being processed. The same is applicable for software development.

    Generally when you are developing a software banking solution this solution would have to be compliant with the “privacy by design” and “privacy by default” principles as provided by article 25 of the EU GDPR (https://advisera.com/eugdpracademy/gdpr/data-protection-by-design-and-by-default/).

    In terms of security measures, article 32 of the EU GDPR provides some security measures you should be considering (https://advisera.com/eugdpracademy/gdpr/security-of-processing/), but these are high-level measures, so companies are free to take whatever security measures they see fit. You can always use ISO 27001 as a good starting point for your security requirements. For more insight on ISO 27001 and EU GDPR you can check our article “How does ISO 27001 implementation satisfy EU GDPR requirements” at: https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/

    Another thing you should consider, if your software is front-facing the data subjects, is the notices you would have to present to the data subjects. Guidance on the notices can be found in folder 2 “Personal data policy framework” in our EU GDPR toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/

    Don't forget also local banking sector specific requirements that might be applicable for banking software, especially in terms of security.
  • Risk assessment and BIA


    A risk assessment was done for our company recently. The follow-through from here is unclear.

    Also, how to calculate the Risk rating for the critical services?

    Answer: The information from the risk assessment can be used to prioritize which activities to focus on first in your BIA, by indicating which business processes are under greater risk, saving time and effort in performing the initial BIA.

    For rating critical services considering the results of a risk assessment, you can consider the value of the risks, or the number of risks, associated with a specific service. For example, you can have a service with two high risks associated with it and another with ten medium risks associated with it. Considering your context, in terms of risks maybe the second service is more critical.

    This article will provide you further explanation about risk assessment and BIA:
    - Risk assessment vs. business impact analysis https://advisera.com/27001academy/knowledgebase/risk-assessment-vs-business-impact-analysis/
  • BCP and DRP tests
  • AS9100D Operational Risk Management


    Response:
    With AS9100 Rev D the requirements of clause 8.1.1 are identical to the requirements of AS9100 Rev C clause 7.1.2. The only difference is that the clause has been changed from being about "risk management" to being about "operational risk management". The reason for this is to separate it from the new requirement (from ISO 9001:2015), clause 6.1, on actions to address risks and opportunities. This new clause deals with identifying and addressing the risks for the QMS (not necessarily risk management, but risk assessment), whereas the requirement you ask about is risk management for the operational processes of the organisation only (for example, what risks are there in the product design, the tight delivery schedule, the assembly process, etc.). In truth, this has not changed from before.

    So in short, if the process you had in place before was acceptable, then it should remain acceptable now. The only difference in thinking is that now all of operations applies to products and services, so if there is a service you provide the customer (such as turning the customer drawing into computer files for your machines) then the risks from these services need to also be included in the operational risk management.

    If you need to know more about the operational risk management process see this article: https://advisera.com/9100academy/blog/2017/05/15/5-key-elements-of-risk-management-in-as9100-rev-d/
  • Improving an information security program


    Answer: Considering that your audit was based on ISO 27001, the first thing you should do is consider the results of your audit against the results of your risk assessment (if you did not perform a risk assessment, this is a good moment to do that). By doing that you can identify and prioritize which controls to work on first based on the quantity or relevance of the risks affected by them.

    Once you have identified which controls to treat first, you should:
    - define objectives to be achieved (based on already existing goals or on newly defined goals);
    - analyse the situation of each control, to identify what should be done (eliminate root causes for the problems, or implement potential improvements);
    - define action plans to establish resources, deadlines and the person responsible for each action that will be implemented.

    This article will provide you further explanation about implementing improvements:
    - Practical use of corrective actions for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2013/12/09/practical-use-of-corrective-actions-for-iso-27001-and-iso-22301/

    These materials will also help you regarding implementing improvements:
    - Preparations for the ISO Implementation Project: A Plain English Guide https://advisera.com/books/preparations-for-the-iso-implementation-project-a-plain-english-guide/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Risk registry


    Answer:

    There is no requirement from ISO 9001:2015 to keep documented information about risks. So, you are quite free about how to do it, if you want to do it. For example, you can keep a risk registry for quality and for process objectives. In columns, for each objective, you list the determined risks, you classify each risk, you decide what action will be taken and you define the date of evaluation of its effectiveness. If you do this on your computer you can add new risks whenever you decide and you can update your classification and actions.

    The following material will provide you information about the risk-based approach:

    - ISO 9001 – How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    - Risk-based thinking replacing preventive action in ISO 9001:2015 – The benefits - https://advisera.com/9001academy/knowledgebase/risk-based-thinking-replacing-preventive-action-in-iso-90012015-the-benefits/
    - ISO 9001:2015 Risk Management Toolkit - https://advisera.com/9001academy/iso-90012015-risk-management-toolkit/
    - Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Updating NCRs in the OASIS database

    NCR Details - Status: Auditor assigned to Supplier Representative for follow-up.
    NCR #: 7 and 6 others that I am not sure how to answer

    The answer:
    For the OASIS database each company needs to be assigned a login and password in order to access the database, and this will need to be set up by your certification body. It is best to follow up with the certification body auditors, because it may be that the responses only need to go to them and not be submitted by you to the OASIS database itself. The auditors will be able to guide you on how to respond, either to them or to the OASIS database. Best of luck with your NCR responses.