For example, when you monitor and evaluate process performance one of your decisions can be to update internal and external issues. Another possibility is to update the determination of relevant internal and external issues when preparing for the next management review meeting.
The following material will provide you information about internal and external issues:
ISO 9001 says nothing about non-scheduled audits. ISO 9001 refers to an audit program that includes frequency, which presupposes the existence of a schedule for audits. However, the fact that something is not included in the standard does not imply that it is forbidden. If this type of audit is foreseen in your quality management system, in addition to the scheduled audits, there is no non-conformity. One final note: beware of the message, as employees can consider non-scheduled internal audits a signal of distrust.
The following material will provide you information about internal audits:
My answer: Sorry, but the term "Análisis de Impacto en Aplicativo" (Application Impact Analysis) is related to IT applications, and this term is not used by ISO 22301. This standard, I mean ISO 22301, is designed for the business (not only for IT), and you could use the BIA (Business Impact Analysis, or "Análisis de Impacto en el Negocio" in Spanish) to determine the impact of IT applications on the business (the BIA is the specific impact analysis tool of ISO 22301). If you are interested in the BIA, you can see this article: https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
Scope Definition
Answer: You can limit your ISMS scope to your core business offering without problems, but for small and medium-sized organizations it is sometimes better to include the whole organization in the ISMS scope, because the effort to manage a scope that covers only part of the organization is not worthwhile.
Answer: According to ISO 27001, the elements you mentioned only need to be in place in the following situations:
- when they are needed to treat unacceptable risks
- when they are required by laws or contracts the organization must comply with
- when they are demanded by top management for any other reason
If you cannot link these elements to any of these reasons they are not required for ISO 27001 certification.
In your case, based on the provided description, since you only have one establishment in the UK, the Supervisory Authority you will have to deal with in terms of the GDPR is the UK Information Commissioner's Office.
Data importer and Data exporter
We are being asked to fill in the "data exporter" during an agreement with a third party, and my understanding is that it should refer to our company name, but I want to be sure.
Answer:
The EU GDPR does not provide a definition for the "data importer" or the "data exporter"; nevertheless, these definitions can be found in COMMISSION DECISION 2010/87/EU on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council.
According to article 2 of the abovementioned Decision:
- “data exporter” means the controller who transfers the personal data;
- “data importer” means the processor established in a third country who agrees to receive from the data exporter personal data intended for processing on the data exporter’s behalf after the transfer in accordance with his instructions and the terms of this Decision and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC.
Regarding training: at least ISO 20000 Foundation is advisable. It will give you an understanding of the standard's requirements and some hints on how to approach the implementation.