Search results


  • Issues or risks


    Answer:

    Internal and external issues are factors and conditions that can have an effect on an organization’s approach to its products, services and investments and interested parties. For example, demography (an external issue) or defects level (an internal issue) act like inputs that influence top management decisions like setting a particular objective.

    That particular objective is an expected result. Risks are the effects of uncertainty on an expected result. What can block us from attaining a particular expected result?

    The following material will provide you information about internal and external issues and risks and opportunities:

    ISO 9001 – How to identify the context of the organization in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
    ISO 9001 - How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Who verifies the implementation of controls?


    Answer: It is primarily part of the management of the company to make sure that everyone knows how to handle mobile devices, and of course it is the internal and external auditor's job to check if this is really true.

    Regarding the word "policy" - besides a written document, it can also be in a verbal form, or a policy can be a part of an IT policy embedded in some software. Therefore you are right, only when the standard says "shall be documented" does the document need to be written. See also: Explanation of the basic terminology in ISO standards https://advisera.com/27001academy/blog/2015/01/12/explanation-of-the-basic-terminology-in-iso-standards/
  • Documenting clause 8.1 operational control


    Answer:

    Let us check clause 8.1 item by item.

    About item a) – your company must have specifications for their products.
    About item b) – your company must have process control specifications to allow process monitoring, fewer defects and more productivity and safety (for example, parameters for machine operation, like temperature, speed, pressure, …). Your company must have specifications for quality control of raw materials, intermediate and finished products.
    About item c) – when designing and planning your production process, your company should ensure resources for the operations (people for production and quality control, equipment, materials, monitoring resources, …).
    About item d) – most companies have process control plans and quality control plans that they implement.
    About item e) – your company must decide what procedures and instructions will be needed and what forms it will use to record and evidence performance and results.


    The following material will provide you information about control of documents:

    ISO 9001 – New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
    free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Data Protection Officer


    Answer:

    The EU GDPR requires the appointment of a formal Data Protection Officer (DPO) only in certain cases which are listed under article 37 (https://advisera.com/eugdpracademy/gdpr/designation-of-the-data-protection-officer/). So, if the company you are representing does not find itself in the situations described in the article mentioned above, you don’t need to have a dedicated DPO and you are not required to have any document in place to back up this fact.

    This, however, doesn't mean that the company can leave aside the EU GDPR. Data protection specific tasks can be given to different members of the organization such as Legal Counsels, HR specialists, IT security specialists etc., or the tasks can be outsourced to a specialized third party.

    Just make sure that those members of the organization you select for the data protection tasks have at least some knowledge about the EU GDPR and other relevant data protection laws.
  • ISO 27001 clauses


    Answer:

    ISO 27001 consists of two parts: (1) the main part of the standard has clauses 0 to 10, out of which clauses 4 to 10 are mandatory; and (2) Annex A which has 14 sections - it starts from A.5 to A.18.

    Here you can see further explanation:
    - A list of sections in Annex A: https://advisera.com/27001academy/iso-27001-controls/
    - What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
  • Defining context of the organization


    Answer:

    Context of the organization represents all internal and external issues that can affect the company's ability to achieve its quality objectives. Internal context includes organizational structure, culture, processes, etc., while external context includes the culture of the market or the country in which the company operates, regulations, competitors, customers, suppliers, etc.

    The standard does not require context of the organization to be documented, but you can document some part of it if you decide it is good for the company. In order to determine the context you can use SWOT or PEST analysis, or any other similar methodology, or you can arrange a brainstorming session with relevant people in your company and discuss the context.

    For more information, see: How to identify the context of the organization in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/

    These materials will also help you regarding the context:
    - Book DISCOVER ISO 9001:2015 THROUGH PRACTICAL EXAMPLES https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free online training ISO 9001:2015 Foundations Course https://advisera.com/training/iso-9001-foundations-course/
    - Conformio (online tool for ISO 9001) https://advisera.com/conformio/
  • Showing data on request of data controller

    Art. 28(3)(h) of the EU GDPR states that the processor must inform the controller if, in its opinion, the controller’s instructions would breach Union or Member State law including the EU GDPR (https://advisera.com/eugdpracademy/gdpr/processor/), so, if you have serious concerns, it is your duty just to inform the controller.

    It is the duty of the controllers to make sure that their instructions are lawful. Since you don’t have the full picture of the processing activity, your perception about the processing being unlawful might be wrong. For example, the controller could have already obtained the consent from the data subject, thus you as a processor don’t need to obtain that again.

    You don't need any extra confirmation from the controller or the data subjects since it is the job of the controller to ensure that any request that it might have is always in compliance with the EU GDPR and other data protection legislation.

    For more information on the specific duties of controllers and processors I recommend checking out our article “EU GDPR controller vs. processor – What are the differences?” which can be found at: https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
  • Processing personal data

    Thanks for the answer. So if I'm correct we should focus on the software and can basically put a 'no' to all processing activities because we won't do them ourselves.
    The only thing we need to make sure is that our software is GDPR compliant, regardless if the customer is using it that way.
  • Does the toolkit include the 27002 documentation and best practices?


    Answer: This is correct, ISO 27002 provides details on the implementation of 114 controls from ISO 27001 Annex A.

    In our ISO 27001 toolkit we have 22 policies and procedures that cover Annex A controls, and all of these have taken the best practices from ISO 27002.

    You have to keep in mind that ISO 27001 does not require each Annex A control to be documented, therefore we didn't develop documentation for some controls like physical security - our main focus was on optimizing the number of documents for smaller companies, so that we avoid any overkill. See also this article: List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

    You can see the list of documents in the ISO 27001 Documentation Toolkit here: https://advisera.com/27001academy/iso-27001-documentation-toolkit/ - just scroll to section called "Toolkit documents".
  • Importance of ISO certifications


    ISO standards are becoming more and more popular, especially ISO 27001, which explains how to manage information security. Here is an article that might help you: ISO 27001 Internal Auditor training – Is it good for my career? https://advisera.com/27001academy/blog/2016/03/29/iso-27001-internal-auditor-training-is-it-good-for-my-career/

    However, there are also other security certificates you should consider - see this article CISA vs. ISO 27001 Lead Auditor certification https://advisera.com/27001academy/blog/2015/05/11/cisa-vs-iso-27001-lead-auditor-certification/

    On our website you'll find a couple of online courses where you can get certified: https://advisera.com/training/