Search results


  • The transition and certification audit schedule


    SWOT analysis is not required by the standard, but it is a useful tool to help an organization determine its context and identify risks and opportunities. For more information, see: How to identify the context of the organization in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/

    2. As our company got certification under ISO 9001:2008 in 2016 and there is a revision now, next year's audit will happen and the certification will change to ISO 9001:2015. Correct.

    It will depend on how you arrange it with the certification body; if you want to have a surveillance audit according to the previous version, so be it. In my opinion, it is better to have a certification audit against the new version. Anyway, the certification body cannot make this decision without your organization agreeing to it.

    3. My next audit is due in Aug'2018. The surveillance audit will be based on 9001:2008 or 9001:2015. Please advise.

    Again, this depends on how you will arrange the audit with the certification body, but it doesn't make too much sense to have the 2018 audit based on the 2008 version of the standard, since after September 2018 ISO 9001:2008 certificates will cease to be valid.
  • Interested parties versus customer satisfaction


    Answer:

    First, ISO 9001:2015 does not require documented information related to sub clause 4.2. Second, please do not confuse sub clause 4.2 with customer satisfaction (sub clause 9.1.2). Sub clause 4.2 is about determining who the interested parties are and what their relevant requirements are. Sub clause 9.1.2 is about monitoring customers' perceptions of the degree to which their needs and expectations have been fulfilled. By the way, most organizations consider other interested parties besides customers.

    The following material will provide you with information about interested parties:

    ISO 9001 – How to determine interested parties and their requirements according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/11/10/how-to-determine-interested-parties-and-their-requirements-according-to-iso-90012015/
    free white paper - Clause-by-clause explanation of ISO 9001:2015 - https://info.advisera.com/9001academy/free-download/clause-by-clause-explanation-of-iso-90012015
    free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Various questions


    Operational controls should be implemented in processes where significant aspects emerge. This is a requirement of clause 8.1. For more information, see: Defining and implementing operational control in ISO 14001:2015
    https://advisera.com/14001academy/blog/2016/04/11/defining-and-implementing-operational-control-in-iso-140012015/

    Are all records to be maintained in hard copy? Is it true or false, and justify.

    That is false; records and documents in general can be kept in any media, paper or electronic. This requirement is stated in clause 7.5.2 b). For more information, see: How to structure ISO 14001 documentation https://advisera.com/14001academy/blog/2016/11/28/how-to-structure-iso-14001-documentation/

    The top management shall ensure that the responsibilities and authority for relevant roles are assigned and communicated within the organization. What is your understanding of this?

    The roles and responsibilities within the EMS (Environmental Management System) must be communicated by the top management to the employees. This can be done either through documents (e.g. procedures, work instructions, announcements, etc.) or verbally. For more information, see: How to Allocate Roles and Responsibilities According to ISO 14001 https://advisera.com/14001academy/blog/2017/10/17/how-to-allocate-roles-and-responsibilities-according-to-iso-14001/

    Which clause of ISO 14001 covers the use of calibrated or verified monitoring and measuring equipment?

    The clause that requires monitoring and measuring equipment to be calibrated is clause 9.1.1. The standard states that: "The organization shall ensure that calibrated or verified monitoring and measurement equipment is used and maintained as appropriate".

    These materials will also help you regarding ISO 14001:
    - Book THE ISO 14001:2015 COMPANION https://advisera.com/books/the-iso-14001-2015-companion/
    - Free online training ISO 14001:2015 Foundations Course https://advisera.com/training/iso-14001-internal-auditor-course/
    - Conformio (online tool for ISO 14001) https://advisera.com/conformio/
  • Information Classification and Handling according ISO 27001


    Answer: To see an example of what information classification and handling according to ISO 27001 looks like, I suggest you take a look at the free demo of our Information Classification Policy at this link: https://advisera.com/27001academy/documentation/information-classification-policy/

    This document covers the ISO 27001 controls related to information classification and handling.

    This article will provide you further explanation about information classification:
    - Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/

    These materials will also help you regarding information classification:
    - ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Elaborating an audit checklist

    We received this question:

    >If for example under access control, in the XXX document of business I am doing an internal audit for, it clearly states that access requests are made by the IT administration and any approval or rejection is dealt with by the information and security manager or senior clerk. Would I still need to speak to the relevant people to ask this question, or would I simply note down that this information is in policy document number xxxx and effectively tick it off my list?
    >
    >The reason for asking is because this document is around 72 pages long and it could take considerable time to do these for each area within this one document. I would just like to be sure before I proceed with the checklist.

    Answer: You must include asking some questions to relevant people about this document to ensure people are acting according to what was planned (remember, in an audit you must verify whether controls are planned and implemented properly and whether people are performing as expected).

    Regarding the size of the document, you can choose some critical questions to ask (you do not have to cover the whole document in a single audit), considering the time you have to perform the audit. One interesting question is to ask the auditee to show you one access request he has made, explaining how he performed it.
  • Lead auditor and lead implementer courses


    That's what I need advice on…

    Answer: Since you work as a consultant, the ISO 27001 Lead Implementer course would be a more adequate alternative for you, since this course can help you understand and implement an ISO 27001 ISMS, and how to apply the controls in Annex A.

    The ISO 27001 Lead Auditor Course is more adequate for a person who wants to become a certification auditor.

    These articles will provide you further explanation about lead implementer and lead auditor courses:
    - What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
    - Lead Auditor Course vs. Lead Implementer Course – Which one to go for? https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/
  • Approaches beyond asset-based for risk assessment


    Answer: Since other methods besides the asset-based approach to risk assessment are not commonly used by small and medium organizations, we do not have specific material about them, but we can suggest you take a look at the ISO 31010 standard (www.iso.org/standard/51073.html), which will provide you with examples of other risk assessment methodologies, including the scenario-based approach.

    This article will provide you further explanation about ISO 31010:
    - ISO 31010: What to use instead of the asset-based approach for ISO 27001 risk identification https://advisera.com/27001academy/blog/2016/04/04/iso-31010-what-to-use-instead-of-the-asset-based-approach-for-iso-27001-risk-identification/
  • ISO9001 Scope

    The scope of the QMS (Quality Management System) should include all processes that affect the quality of products and services and customer satisfaction. Also, in the document about the scope you need to document which locations of your organization are covered by the QMS scope.

    For more information, see: How to define the scope of the QMS according to ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/

    These materials will also help you regarding the QMS scope:
    - Book DISCOVER ISO 9001:2015 THROUGH PRACTICAL EXAMPLES https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free online training ISO 9001:2015 Foundations Course https://advisera.com/training/iso-9001-foundations-course/
    - Conformio (online tool for ISO 9001) https://advisera.com/conformio/
  • Privacy Framework


    Answer:

    Based on the information you provided, it looks like your question relates to cross-border personal data transfers, more precisely to the safeguards needed in order to ensure that a cross-border transfer is lawful.

    Before jumping into the matter at hand, we should first clarify what a cross-border data transfer means: a cross-border data transfer means a transfer to non-EU/EEA countries as well as to countries that have not been deemed by the European Commission as providing an adequate level of protection as regards personal data (adequacy decision countries). In a nutshell, any transfer out of the EEA or to countries without adequacy decisions is a cross-border data transfer.

    As a general rule, the EU GDPR states that cross-border data transfers are forbidden unless proper safeguards are used.

    Coming back to the question:
    1. Transfers to the UK are not considered cross-border data transfers since the UK is still in the EU, thus there is no need to have any safeguards. Once the UK leaves the EU, this issue would have to be reconsidered, based also on the results of the Brexit negotiations.

    2. Transfers to Canada are not considered cross-border because Canada has been issued an adequacy decision by the EU Commission.

    3. Australia is not in the EU/EEA and no adequacy decision has been issued, thus adequate safeguards must be set in place. One of the most commonly used safeguards is the use of the "Model Contracts for the transfers of personal data to third countries" (Model clauses). The EU GDPR Implementation Toolkit provides guidance on how to use these contracts - see details here: https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/

    4. The US and EU agreed (July 2016) on the new framework for transatlantic data flows: the EU-US Privacy Shield. This new framework replaced Safe Harbour, which was declared invalid by the European Court of Justice (EUCJ) in October 2015. Currently, transfers between the EU and US can be grounded on Privacy Shield, although this is currently being challenged before the EUCJ as well, and there is no telling what the outcome would be. As an alternative, "Model clauses" can be used as safeguards instead of Privacy Shield, and this approach would cover the risk of Privacy Shield being invalidated.