  • Standards controls


    Answer: In the ISO 27001 series of standards there is no standard with 27 groups of controls. ISO 27017 (for cloud services security), ISO 27018 (for privacy protection), and ISO 27019 (for energy utility industry) have additional controls that can be used with ISO 27001 Annex A controls, but they do not compose additional groups of controls.

    These articles will provide you with further explanation about ISO 27017 and ISO 27018:
    - ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
    - ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/
  • Scope definition

    There is no need to include the customers as an exception in the audit scope. The fact that your customers may require the results of your internal or certification audit to complete their own audits (e.g., if their auditor is auditing their supplier management process) is not a reason for you to include them in the scope of your audits, either, as an exception. The proper document to ensure customers' access rights over your audit results is the contract or service agreement you signed with them.

    These articles will give you an idea of how customers may handle the audit of their suppliers according to ISO 27001:
    - How to perform an ISO 27001 second-party audit of an outsourced supplier https://advisera.com/27001academy/blog/2017/10/10/how-to-perform-an-iso-27001-second-party-audit-of-an-outsourced-supplier/
    - Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
  • Major Incident questions


    Answer:
    There is no pre-defined or out-of-the-box question set to resolve major incidents. One question that needs to be asked for all major incidents is: how do we prevent such an incident from repeating? The rest of the diagnosis depends on the incident itself.
    This article may help you in dealing with major incidents - "Major Incident Management – when the going gets tough…" https://advisera.com/20000academy/knowledgebase/major-incident-management-going-gets-tough/
  • Questions on document management


    To establish a process means to define how the process is conducted and what the inputs, outputs, responsibilities and resources necessary within the process are. It can be done in different ways depending on the complexity of the processes and the risks of nonconformities emerging in the process. If you have complex processes where a lot of things can go wrong, it is better to have a documented procedure that explains in detail how the process is carried out. If you have simple processes or your employees are very competent, you can define the process with just a flowchart or quality plan.

    2. Which documents exactly should be recorded or retained?

    The standard has significantly decreased the number of documents that are mandatory; basically only the scope, quality policy and the objectives are considered mandatory documents. The focus of the new version of the standard is more on providing evidence of whether something was done in accordance with requirements than on how it was done.

    For more information, see: List of mandatory documents required by ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/

    3. If an organization already has a number of documented procedures but with 2008 reference, how to dispose of them?

    You should follow your current procedure for document control and apply the rules for document disposal defined by this procedure. If you don't have such rules defined, I would suggest that you mark the documents as obsolete and keep them as part of the archive.

    4. How to determine the required types of mandatory or non-mandatory documents & records based on different types of industries?

    The mandatory documents will be the same regardless of the type of industry; they will depend on which requirements of the standard are applicable to your organization. For example, if you exclude design and development, you don't need to have the records required by clause 8.3 Design and development.

    When it comes to non-mandatory documents that will be part of your QMS, you need to make a decision on what documents should be included. Usually, for more complex activities or processes you will have more documents, simply to ensure they are carried out as planned.

    These materials will also help you regarding the documentation:
    - Book DISCOVER ISO 9001:2015 THROUGH PRACTICAL EXAMPLES https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free online training ISO 9001:2015 Foundations Course https://advisera.com/training/iso-9001-foundations-course/
    - Conformio (online tool for ISO 9001) https://advisera.com/conformio/
  • External DPO


    Answer:

    As regards the duties of the Data Protection Officer (DPO), you can find a full job description in our EU GDPR consultation toolkit https://advisera.com/eugdpracademy/consultants/ . Among the responsibilities of a DPO I could mention:
    - providing and maintaining the necessary documentation to demonstrate compliance with the GDPR;
    - monitoring compliance with the GDPR and relevant local laws and regulations;
    - ensuring that training and awareness are available and delivered to all members of staff involved in the processing of personal data; etc.

    The role of the DPO in light of the General Data Protection Regulation is also described at: https://advisera.com/eugdpracademy/knowledgebase/the-role-of-the-dpo-in-light-of-the-general-data-protection-regulation/. You might find it useful to go through the Article 29 Working Party Guidelines on Data Protection Officers as well as Art. 39 of the EU GDPR, "Tasks of the data protection officer".

    Regarding what is to be expected from an external DPO, he or she should be performing the same tasks mentioned above; there should be no material differences between an internal and an external DPO. A key point to have in mind is that, regardless of whether the DPO is an employee or an external consultant, he/she must report directly to the organization's management, must be guaranteed a degree of independence, and must not be required to take instructions regarding the exercise of his/her functions.

    What the external DPO would expect from you is a question that I cannot answer, since it is dependent on the mandate given to him/her.
  • KPI for QMS MR


    Answer:

    If I had to design KPIs for a Quality Management System Representative, I would start from the end: from the purpose, from the reason for its existence. What does your organization want from the QMS MR? One important outcome should be to get and maintain certification. Another can be the quality and timing of information about the QMS performance, and another can be about customer satisfaction, complaints and lost customers as a measure of customer promotion in the QMS.

    The following material will provide you information about the Management Representative:

    ISO 9001 – What is the job of the quality management representative? - https://advisera.com/9001academy/knowledgebase/what-is-the-job-of-the-quality-management-representative/
    How to comply with new leadership requirements in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-comply-with-new-leadership-requirements-in-iso-90012015/
    What will be the destiny of the management representative in the new ISO 9001:2015? - https://advisera.com/9001academy/knowledgebase/what-will-be-the-destiny-of-the-management-representative-in-the-new-iso-90012015/
    free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • IT policy development


    Answer: According to ISO 27001, the main issues you should consider in the development of policies and procedures are: legal requirements (e.g., laws and contracts), results of risk assessments and top management decisions (e.g., decisions based on strategic or operational plans and objectives).

    Considering your specific scenario, you should also consider a cross-evaluation of the requirements related to each country involved, as well as the contracts related to cloud providers (e.g., cloud providers may have operations in additional countries that should also be evaluated).

    I suggest you take a look at the free demo of our Operating Procedures for Information and Communication Technology at this link: https://advisera.com/27001academy/documentation/operating-procedures-for-information-and-communication-technology/

    This document will give you an idea of what to consider to ensure the correct and secure functioning of information and communication technology.

    This article will provide you further explanation about policy development:
    - Seven steps for implementing policies and procedures https://advisera.com/27001academy/knowledgebase/seven-steps-for-implementing-policies-and-procedures//

    These materials will also help you regarding policy development:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Policies approval process


    Answer: First of all, to be sure about which policies the Governance board should approve, you need to verify the current set of roles and responsibilities defined for it (e.g., the documented top management decision that established the Governance board). In general, policies can be divided into two types:
    - High level policies, which define the organization's approach to broad issues, like the quality policy, information security policy and IT security policy.
    - Support policies, which define the organization's approach to specific issues, normally related to a high level policy, like the development policy, information classification policy and access control policy.
    Normally, a Governance board is responsible for approving high level policies, delegating the approval of support policies to specific roles in the organization, such as the HR department head or the IT senior manager.

    Regarding how to name the policies, the word "standard" has a general understanding that is different from the purpose of a policy, so you should avoid using it to designate a policy, to avoid confusion. A better approach would be to use the word "policy" to refer to high level policies approved by the Governance board and terms like "support policy", "detailed policy" or "complementary policy" to indicate policies that are related to a high level policy.

    These articles will provide you with further explanation about policy development:
    - One Information Security Policy, or several policies? https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/
    - 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/

    This material will also help you regarding policy development:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Publishing personal data


    Answer:

    You can transfer personal data to the US if certain safeguards are in place, such as the Model Clauses or consent. In your particular case, if you display the birth dates I would suggest you either find a legitimate interest to do that or stop showing them. Consent taken from employees is not considered valid consent under most circumstances.