Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11272 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
ISMS Controls
Regardless of the control measures applied (open source, proprietary, etc.), the SoA should be always considered a sensitive document, because it contains information about the organization's security strategies and measures, and this information in wrong hands can help find or explore vulnerabilities.
This article will provide you further explanation about the Statement of Applicability:
-The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
These materials will also help you regarding the Statement of Applicability:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
EU GDPR requirements for data controller and data processor
Answer:
Under the provisions of the EU GDPR there are no requirements for companies acting either as a data controller or a data processor to obtain and maintain any specific certifications.
Under art. 42 of the EU GDPR is stated that Member States, Supervisory Authorities and the European Data Protection Board are encouraged to establish data protection certification mechanisms to be used by both controllers and processors.
These certifications will voluntary and will not reduce the responsibility of the controllers and processors to comply with the EU GDPR provisions. However these mechanisms are yet to be established and most likely will become available after the 25th of May 2018. The same stands for individual certifications as well.
There are various courses and trainings on the market, some accompanie d by exams and certification, but these are not in any way mandatory, so you are free to choose based on your needs and budget. -
Security control context
(I'm learning about your system, I'm looking for information to make the context of a control, is there any document on that?)
Answer: The main approach to built the context to decide to apply or not a security control is to perform a risk assessment, and for this approach I suggest you to take a look at these articles
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
These materials will also help you regarding risk assessment and security controls:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/ ontrols-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/ -
Iso 9001 Job card
thank you, i mean by the job card, the job description -
Future of the Management Representative
I would like to know how an organization should deal with the Management Representative being non-mandatory in 2015 version? What's the suggestion?
The fact that the management representative is not mandatory doesn't mean it is forbidden, so if your organization find this role useful, you should keep it. This person is usually the most familiar with the standard and the system, so keeping management representative as a coordinator of all QMS related activities can be beneficial for the organization.
For more information, see: What will be the destiny of the management representative in the new ISO 9001:2015? https://advisera.com/9001academy/knowledgebase/what-will-be-the-destiny-of-the-management-representative-in-the-new-iso-90012015/
And I also want to know, if I want to be a consultant for implementing ISO 9001:2015 standard requirements within an organization, do I need only the standard knowledge or there are other formal training, certificates or requirements needed?
No additional training and certificates are requi red. For consultants, the best measure of their success and competence is the certification audit. If your client fails the certification audit, they won't care about your certificates and also if they get the certificate. On the other hand, this is a way to demonstrate to your clients that you are competent and able to implement the standard. Usually consultants take courses for Lead Auditor and Lead Implementer, but the key is to build up your reference list because it will say much more that the certificates themselves.
For more information, see: How to become an ISO 9001 consultant https://advisera.com/9001academy/blog/2016/11/15/how-to-become-an-iso-9001-consultant/ -
The transition and certification audit schedule
SWOT analysis is not required by the standard, but it is useful tool to help organization determine the context and identify risks and opportunities. For more information, see: How to identify the context of the organization in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
2. As our company got certification under ISO 9001:2008 in 2016 and there is a revision now so next year audit will happen and the certification will change to ISO 9001:2015. Correct.
It will depend on how you arrange it with the certification body, if you want to have surveillance audit according to the previous version so be it. In my opinion, it is better to have certification audit against the new version. Anyway, the certification body cannot made this decision without your organization agreeing to it.
3. My next audit is due in Aug'2018. The surveillance audit will be based on 9001:2008 or 9001:2015. Please advise.
Again, this depends on how you will arrange the audit with the certification body, but it doesn't make too much sense on having the 2018 audit based on 2008 version of the standard since after September 2018, ISO 9001:2008 certificates will seize to be valid. -
Interested parties versus customer satisfaction
Answer:
First, ISO 9001:2015 does not require documented information related with sub clause 4.2. Second, please do not confuse sub clause 4.2 with customer satisfaction (sub clause 9.1.2). Sub clause 4.2 is about determining who are the interested parties and what are their relevant requirements. Sub clause 9.1.2 is about monitoring customers perceptions of the degree to which their needs and expectations have been fulfilled. By the way, most organizations consider other interested parties besides customers:
The following material will provide you information about interested parties:
ISO 9001 – How to determine interested parties and their requirements according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/11/10/how-to-determine-interested-parties-and-their-requirements-according-to-iso-90012015// 015/
free white paper - Clause-by-clause explanation of ISO 9001:2015 - https://info.advisera.com/9001academy/free-download/clause-by-clause-explanation-of-iso-90012015
free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
Various questions
Operational controls should be implemented in processes where significant aspects emerge. This is requirements of the clause 8.1. For more information, see: Defining and implementing operational control in ISO 14001:2015
https://advisera.com/14001academy/blog/2016/04/11/defining-and-implementing-operational-control-in-iso-140012015/140012015/
Are all records to be maintained in hard copy. Is it true or false and justify.
That is false, the record and documents in general can be kept in any media, paper or electronic. This requirement is stated in clause 7.5.2 b). For more information, see: How to structure ISO 14001 documentation https://advisera.com/14001academy/blog/2016/11/28/how-to-structure-iso-14001-documentation/
The top management shall ensure that the responsibilities and authority for relevant roles are assigned and communicated within the organization aspects what is your understanding.
The roles and respons ibilities within EMS (Environmental Management System) must be communicated by the top management to the employees. This can be done either through the documents (e.g. procedures, work instructions, announcements, etc.) or verbally. For more information, see: How to Allocate Roles and Responsibilities According to ISO 14001 https://advisera.com/14001academy/blog/2017/10/17/how-to-allocate-roles-and-responsibilities-according-to-iso-14001/
Which clause of iso 14001 cover the use of calibrated or verified monitoring and measuring equipment.
The clause that requires monitoring and measuring equipment to be calibrated is clause 9.1.1. The standard states that: "The organization shall ensure that calibrated or verified monitoring and measurement equipment is used and maintained as appropriate".
These materials will also help you regarding ISO 14001:
- Book THE ISO 14001:2015 COMPANION https://advisera.com/books/the-iso-14001-2015-companion/
- Free online training ISO 14001:2015 Foundations Course https://advisera.com/training/iso-14001-internal-auditor-course/
- Conformio (online tool for ISO 14001) https://advisera.com/conformio/ -
Information Classification and Handling according ISO 27001
Answer: To see an example of how information classification and handling according ISO 27001 looks like, I suggest you to take a look at the free demo of our Information Classification Policy at this link: https://advisera.com/27001academy/documentation/information-classification-policy/
This document covers ISO 27001 controls related to information classification and handling
This article will provide you further explanation about information classification:
- Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
These materials will also help you regarding information classification:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/