
  • Documentation toolkit content


    A question from the package of templates ... I was reviewing the book "Safe and Easy" and in chapter 5.1 it talks about "Understanding the context of your organization", which indicates that, regarding documentation, the following is mandatory:

    Information security objectives, risk assessment results (usually in the form of a risk assessment report), employee competence records (usually in the form of certificates) and a list of legal, statutory, regulatory and contractual provisions.

    However, we do not know where to place those templates in the package of documents I have purchased; please support.

    Answer: Included in your toolkit (in the root folder) there is a List of Documents file that shows you which clause of the standard each template is related to. In this file you will find this information:

    - Information security objectives (required by clause 6.2) are covered by the "Information Security Policy" template, located in the folder 04 Information Security Policy, and the "Statement of Applicability" template, located in the folder 06 Statement of Applicability.
    - Risk assessment results (required by clause 6.1.2) are covered by the "Risk Assessment Table" template and the "Risk Assessment and Risk Treatment Report" template, both located in the folder 05 Risk Assessment and Risk Treatment Methodology.
    - Risk treatment results (required by clause 6.1.3) are covered by the "Risk Treatment Table" template, located in the folder 05 Risk Assessment and Risk Treatment Methodology, and the "Risk Treatment Plan" template, located in the folder 07 Risk Treatment Plan.
    - List of legal, statutory, regulatory and contractual provisions (required by clauses 4.2 and A.18.1.1) is covered by the "List of Legal, Regulatory, Contractual and Other Requirements" template, located in the folder 02 Procedure for Identification of Requirements.

    There is no specific template for employee competence records, because we consider that organizations already have their own templates, as do training providers (they already have their own certificate forms).
  • Responsible for asset related activities


    Answer: Asset-related activities (and information must be considered one kind of asset) can be performed by the asset owner, but often they are performed by the head of the department. In either case, the responsible person can involve other people if he considers this necessary. For example, for risk assessment, people who perform daily activities related to the asset can participate in risk identification and analysis.

    These articles will provide you further explanation about asset related activities:
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
    - Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    These materials will also help you regarding asset related activities:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • NC regarding QMS effectiveness monitoring


    Answer:

    There is no single measurement that will tell you whether the QMS (Quality Management System) is effective or not. QMS effectiveness is composed of different elements of the QMS, and there can be several indicators (KPIs) to measure the effectiveness and health of the QMS, depending on the organization's processes as well as its policy and quality objectives:
    - Number of major nonconformities coming from second-/third-party audits
    - Customer satisfaction improvement
    - Confirmed certification from Registrar
    - Obtain new certifications to improve your business
    - Increasing the number of orders from Customers
    - Cost reduction improvement (including cost of poor quality)
    - Time to market reduction for new products
    - Zero defects achievement
    - Compliance to law and regulation

    For more information, see: Practical tips for measuring your QMS according to ISO 9001:2015 clause 9.1 https://advisera.com/9001academy/blog/2017/08/29/practical-tips-for-measuring-your-qms-according-to-iso-90012015-clause-9-1/

    These materials will also help you regarding QMS effectiveness:
    - Book Discover ISO 9001:2015 Through Practical Examples https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free online training ISO 9001:2015 Foundations Course https://advisera.com/training/iso-9001-foundations-course/
    - Conformio (online tool for ISO 9001) https://advisera.com/conformio/
  • Auditing operational controls


    Answer:

    Based on the identification and evaluation of occupational health and safety hazards in the organization and its operations, the organization needs to establish operational controls that will mitigate these hazards. Depending on the nature of the operational control, you will need to look for evidence that the operational control is implemented. For example, if the operational control for some workplace is to wear PPE (Personal Protective Equipment), you need to check whether the employees at this workplace really wear PPE.

    For more information, see: How to implement operational control in OHSAS 18001 https://advisera.com/18001academy/blog/2015/11/18/how-to-implement-operational-control-in-ohsas-18001/
  • Implementing ISO without certification


    Answer:

    Implementing any ISO standard can be beneficial for the organization even if the organization decides not to get certified, and the ISO documentation, as you call it, can be useful in the implementation and maintenance of the management system.

    For example, in the case of ISO 9001, the documentation will help you define the processes and procedures, explain how the processes are carried out, and also record whether the activities are performed as defined. By implementing this standard you will get all the benefits that the standard brings, only without hanging the certificate on the wall. Here you can learn about ISO 9001 benefits: Six Key Benefits of ISO 9001 Implementation https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/

    These materials will also help you regarding the implementation:
    - Book Discover ISO 9001:2015 Through Practical Examples https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free online training ISO 9001:2015 Foundations Course https://advisera.com/training/iso-9001-foundations-course/
    - Conformio (online tool for ISO 9001) https://advisera.com/conformio/
  • Scope for a small company with outsourced infrastructure to mother company


    Thus, we acquire the customers and contact them in our own name, but on behalf of our mother company. Data and customer information are saved in the databases and the portal which belong to the other company. The CRM system in which we process the data is also not ours.

    However, our management has initiated ISO 27001 certification for our service company. I have selected a business process as the scope for ISO 27001 certification.

    During the webinar you told me that it is very hard to get the certification if the business process will be certified.

    Answer:

    For a small company such as yours it is very difficult to limit the scope of the implementation and certification to only one process - this is because once you define what is inside the ISMS scope, all other processes and activities that are left outside of the scope will be treated as external (third) parties. Therefore, for a company of 9 employees, the best would be to include your whole company in the ISMS scope.

    See also this article: Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    The fact that your company is not an owner of the equipment or services that you are providing doesn't change much - your company is responsible for the data because it is the contractual party with your clients. Therefore, you are responsible for safeguarding data even though this data is not placed on your servers. The fact that the processing is done by your mother company doesn't make much difference - the principle is the same as if you hosted this data on e.g. Amazon AWS, in other words you need to treat your mother company as a provider of services, i.e. as a third-party.
  • Scope definition considering suppliers

    We received this question:

    >"If the client is allowed to exclude the service provider or outsourcer from the scope since they do not have control over them, can they put a justification as such in the SOA to exclude the A15 control? The only concern we have seen on some clients is that they will overlook the security matters related to the service provider/outsourcer, as to their understanding it has been excluded from the scope. How could we address such a misunderstanding?"

    Answer: Just because suppliers are excluded from the ISMS scope, it doesn't mean controls from Annex A can be excluded from the SoA on that basis. The scope definition and SoA elaboration are different processes that do not have this relationship.

    Considering that, a control can only be excluded from the SoA if:
    - There is no law, contract or similar legal requirement demanding that the control be implemented, and
    - There are no unacceptable risks related to the outsourced service identified in the risk assessment, or the organization has consciously accepted the risks identified as unacceptable

    So, the fact that service providers or outsourcers are excluded from the ISMS scope is not reason enough to justify excluding controls from section A.15. An organization has to first evaluate the legal requirements involved and the risks associated with the outsourced service.

    To handle this kind of misunderstanding, you can ask your clients this question: If you would consider security controls if you were running the service yourself, why not require the same commitment from your suppliers?
  • Defining LOT number for medical device

    For the implants, yes, it is necessary that the lot number be on the device, unless the device is too small. For all implants, there should be an implant card. According to the MDR 2017/745, Article 18, the implant card must have the following information:

    • information allowing the identification of the device, including the device name, serial number, lot number, the UDI, the device model, as well as the name, address, and the website of the manufacturer
    • any warnings, precautions, or measures to be taken by the patient or a healthcare professional with regard to reciprocal interference with reasonably foreseeable external influences, medical examinations, or environmental conditions
    • any information about the expected lifetime of the device and any necessary follow-up
    • any other information to ensure the safe use of the device by the patient, including the information in point (u) of Section 23.4 of Annex I.
    For more information, see: