
  • Difference between guideline and measure


    Answer: I'm assuming that by "measure" you are referring to "security measure". Considering that, a "measure" is a control to treat the risk, while a "guideline" is an orientation about how to implement that control. For example, backup is a measure to treat the risk "loss of data due to hardware failure", while a guideline is the orientation that backup media should be regularly tested to ensure it is ready to use if required.

    ISO 27001 provides security measures in the form of security controls listed in the Annex A, while implementation guidelines are provided in the ISO 27002 standard.

    These articles will provide you further explanation about security measures and guidelines:
    - 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/
    - ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/

    These materials will also help you regarding security measures and guidelines:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Efficiency and effectiveness of the processes


    Answer:

    In the case of process effectiveness and efficiency, the requirements of IATF 16949 are too vague to discard this requirement of the Lead Auditor, although the standard itself doesn't say that every single process needs to be measured for efficiency and effectiveness. Unfortunately, I think you will have to measure the effectiveness and efficiency of all processes, but during the management review you can decide to stop it for some or most of the processes (typically supporting processes).

    When defining and documenting processes you need to apply the requirements from clause 4.4.1 for every process. To distinguish between process and procedure, the easiest way is: the process is a set of activities that result in a certain outcome, and the procedure is a description of how the process is carried out. For more information, see: ISO 9001:2015 process vs. procedure – Some practical examples https://advisera.com/9001academy/blog/2016/01/19/iso-90012015-process-vs-procedure-some-practical-examples/
  • Exclusions


    Answer:

    Any exclusion must be explained, and providing only services is not an acceptable justification for excluding clause 7.3 in ISO 9001:2008. If your company has a set of services that it provides to customers and there is no intention of developing new services, then clause 7.3 in ISO 9001:2008 or clause 8.3 in ISO 9001:2015 can be excluded. The management system scope decision can be very important in influencing the exclusion justification. A company can develop new services but exclude them from the scope by being very precise about what is included within the scope.

    The following material will provide you information about exclusion:

    ISO 9001 – What is an acceptable exclusion in Clause 7 of ISO 9001? - https://advisera.com/9001academy/blog/2015/03/24/what-is-an-acceptable-exclusion-in-clause-7-of-iso-9001/
    What clauses can be excluded in ISO 9001:2015? - https://advisera.com/9001academy/blog/2015/07/07/what-clauses-can-be-excluded-in-iso-90012015/2015/
    [free course] ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/

    A final note: although this link is not about ISO 9001, https://advisera.com/9100academy/blog/2017/10/09/can-companies-still-exclude-design-and-development-from-their-as9100-rev-d-qms/, I would like to include it because it is much clearer than the other two.
  • ISO 27001 implementation


    Answer: ISO 27001 cannot be implemented for products. It is a management system standard aimed at protecting information related to an organization's processes, business units or locations. Regarding the organization, ISO 27001 can be implemented for specific processes, business units or locations, or you can define the entire organization as the ISO 27001 scope.

    These articles will provide you further explanation about scope definition:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    2 - To start with ISO 27001 risk assessment, is it mandatory to have a process list identified first, followed by identification of assets and then the final risk assessment?

    Answer: ISO 27001 does not prescribe any specific methodology for risk assessment, so organizations are free to choose the approach that suits them best. That said, it is not mandatory by the standard to have a process list identified first.

    These articles will provide you further explanation about risk assessment:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/

    These materials will also help you regarding your questions:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Budgeting ISO 27001 implementation


    Answer: For planning costs, I suggest you to take a look at this free white paper:
    - How to Budget an ISO 27001 Implementation Project https://info.advisera.com/27001academy/free-download/how-to-budget-an-iso-27001-implementation-project

    In this white paper you will find information such:
    - The types of costs faced within an ISO 27001 implementation project
    - How different implementation options could affect your budget planning
    - Tips to improve budget planning
    - How to verify your budget outline

    I would also like to remind you that, included in the toolkits you bought, you also have access to expert support to help you with the templates, answer questions and evaluate documents, so you can include this approach among the other consultancy alternatives you may be considering.

    Unfortunately we have no such materials for SOC 2, but many concepts and examples in the white paper can be extrapolated to SOC 2.
  • Customer visit and customer satisfaction


    Answer:

    In reality it doesn't matter, it is just a box; consider that it belongs to customer satisfaction, or customer communication, or even a tool to win customers, or interested parties' relationship development. What matters is that your organization believes that customer visits are something worth investing in so that they are done professionally.

    The following material will provide you information about customer satisfaction:
    - ISO 9001 – Main elements of handling customer satisfaction in ISO 9001 - https://advisera.com/9001academy/blog/2014/07/01/main-elements-handling-customer-satisfaction-iso-9001/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Maintaining organizational knowledge


    Answer:

    The way of maintaining the knowledge depends on how the knowledge is stored. The purpose of this clause is to ensure the knowledge is up to date. So, in order to maintain the knowledge, you need to identify it first (it can be in the form of work instructions, procedures, etc.), and then you need to define how you will keep it up to date and available to the relevant people.

    For more information, see: How to manage knowledge of the organization according to ISO 9001 https://advisera.com/9001academy/blog/2016/08/30/how-to-manage-knowledge-of-the-organization-according-to-the-iso9001/

    These materials will also help you regarding organizational knowledge:
    - Book DISCOVER ISO 9001:2015 THROUGH PRACTICAL EXAMPLES https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free online training ISO 9001:2015 Foundations Course https://advisera.com/training/iso-9001-foundations-course/
    - Conformio (online tool for ISO 9001) https://advisera.com/conformio/
  • Person responsible for data protection


    Answer: If you have a Data Protection Officer, then this is the person responsible for data protection in your company.

    If you do not have such a function, you can assign the role of person responsible for data protection to someone like the Head of the IT department, Head of the legal department, or similar. GDPR itself does not provide any guidelines on this, but it would be good to have someone with enough authority in the company to make important changes.

    See also this article: The role of the DPO in light of the General Data Protection Regulation https://advisera.com/eugdpracademy/knowledgebase/the-role-of-the-dpo-in-light-of-the-general-data-protection-regulation/
  • Product safety in plastic part manufacturing


    Answer:

    The requirements for product safety cannot be excluded even if there are no safety issues related to the product. If you are not designing the product and get the drawing from a third party (e.g. the customer), they should provide you with information on product safety. If they don't, you should conduct a risk assessment to determine whether there are any risks related to product safety and take appropriate actions. Even if there are no product safety issues, you will still need to have the product safety process.

    For more information, see: Ensuring product safety according to IATF 16949 https://advisera.com/16949academy/blog/2017/09/20/ensuring-product-safety-according-to-iatf-16949/
  • Password security and ISO 27001


    Thanks for taking time from your busy schedule to reply to me.

    Answer: ISO 27001 does not prescribe any solution to be applied for security controls in Annex A, only objectives to be achieved. This gives organizations freedom to implement the most adequate solutions according to their context. For guidelines and recommendations about what to consider in the implementation of security controls, you should consider the ISO 27002 standard.

    That said, regarding the security of system passwords, service passwords, and application passwords, including passwords at administrator level, you should consider the ISO 27002 recommendations for the following controls:
    - Control A.9.2.3 (Management of privileged access rights): for shared administration user IDs, you should consider practices like changing passwords frequently, and as soon as possible when a user of these shared IDs leaves or changes job, and communicating these passwords to administrators through secure mechanisms. Besides that, all other recommendations from control A.9.3.1 (Use of secret authentication information), aimed at general users, should also be applicable to administrators.
    - Control A.9.3.1 (Use of secret authentication information): when passwords need to be part of automated log-on procedures they must be properly protected (e.g., do not store passwords in plain text).
    - Control A.9.4.3 (Password management system): when stored, passwords should be kept in files separated from application system data.

    This article will provide you further explanation about the use of passwords:
    - How to handle access control according to ISO 27001 https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/

    These materials will also help you regarding use of passwords:
    - ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
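The two storage recommendations in the answer above for passwords used in automated log-on (keep the credential file apart from application data, and protect it so it is not exposed in the clear to other accounts) are easy to state and easy to get wrong in deployment. The check below is an added example written for this page; it is not code from Advisera or from either ISO standard, and the directory layout, file names and sample credential are constructed for the demonstration. It loads a service-account secret only if the file sits outside the application data tree, is a regular file rather than a symlink, is readable by its owner alone, and is owned by the account running the service; every other layout is rejected with the reason.

```python
"""Load a service-account password for automated log-on only when it is stored
the way the answer above recommends: outside application data, owner-only
access, no symlink indirection.  Added example; paths and the credential value
are constructed for the demonstration, not taken from any real system."""
import os
import stat
import tempfile
from pathlib import Path


def load_service_secret(secret_path: Path, app_data_dir: Path) -> str:
    """Return the secret stored in secret_path, or raise if its storage is unsafe."""
    secret_path = Path(secret_path)
    app_data_dir = Path(app_data_dir).resolve()

    # Inspect the path itself (lstat), so a planted symlink is seen as a symlink
    # rather than silently followed to some other file.
    st = secret_path.lstat()
    if stat.S_ISLNK(st.st_mode):
        raise PermissionError(f"{secret_path} is a symlink")
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{secret_path} is not a regular file")

    # Password files must be separated from application system data: reject any
    # location inside the application's data tree.
    resolved = secret_path.resolve()
    if resolved == app_data_dir or app_data_dir in resolved.parents:
        raise PermissionError(f"{secret_path} is inside application data {app_data_dir}")

    # Only the owner may access the file: any group or world bit (0o077) is a finding.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(
            f"{secret_path} is accessible to group/others: mode {oct(st.st_mode & 0o777)}"
        )

    # The file must be owned by the account that runs the service.
    if st.st_uid != os.getuid():
        raise PermissionError(f"{secret_path} is owned by uid {st.st_uid}, not {os.getuid()}")

    secret = secret_path.read_text(encoding="utf-8").strip()
    if not secret:
        raise ValueError(f"{secret_path} is empty")
    return secret


def demo() -> dict:
    """Build one compliant and three non-compliant layouts in a temp dir; report each outcome."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        app_data = root / "app" / "data"        # hypothetical application data tree
        app_data.mkdir(parents=True)
        secret_dir = root / "etc" / "svc"       # hypothetical separate credential directory
        secret_dir.mkdir(parents=True, mode=0o700)

        def write(path: Path, mode: int) -> Path:
            path.write_text("s3rv1ce-passw0rd\n", encoding="utf-8")  # constructed sample credential
            path.chmod(mode)
            return path

        cases = {
            "separate_0600": write(secret_dir / "db.pass", 0o600),      # compliant
            "separate_0644": write(secret_dir / "db-world.pass", 0o644),  # world-readable
            "inside_app_data": write(app_data / "db.pass", 0o600),     # mixed with app data
        }
        link = secret_dir / "db-link.pass"
        link.symlink_to(cases["separate_0600"])                           # symlink indirection
        cases["symlink"] = link

        for name, path in cases.items():
            try:
                results[name] = "ok:" + load_service_secret(path, app_data)
            except (PermissionError, ValueError) as exc:
                results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16s} {outcome}")
```

Run stand-alone it prints one line per layout; only the owner-only file outside the application data tree yields the credential. The ownership and mode checks assume a POSIX filesystem; on a system where the service runs under a dedicated account, running the check as that account is what makes the uid comparison meaningful.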
