
  • Review of Product/Service Requirements

    Before an organization agrees to supply a product or service, it is crucial that the requirements are not only identified but also reviewed by the company.

    It is important to keep good records of the review and acceptance of any order to ensure that any change is communicated to all employees who need to implement the changes. Also, in some cases a review of each individual order may be impractical (such as sales over the internet), although a review of the relevant product information (such as catalogues or advertising materials) may be adequate, since these can be used in place of the order.

    For more information, see "How product requirements work in ISO 9001" (in English): https://advisera.com/9001academy/blog/2014/04/08/product-requirements-work-iso-9001/#

    These materials can also help you with ISO 9001 documentation:

    - Book "ISO Documentation Management: A Plain English Guide": https://advisera.com/books/gestion-de-documentacion-iso-una-guia-en-un-lenguaje-sencillo/

    - Free online course: "ISO 9001 Foundations Course" https://advisera.com/es/formacion/curso-fundamentos-iso-9001/

    - Conformio (online tool for ISO 9001): https://advisera.com/conformio/
  • Business Continuity in SLAs

    How can we bind a third-party vendor to provide service, or what will be the responsibilities of the third-party vendor in case of a disaster due to conditions mentioned in force majeure?
    I have this query related to specific vendors, like a security guard service provider, an electrical service provider and an IT desktop support service provider.

    Answer: Regarding the force majeure clause, you do not have many options to handle it. Your organization can either try to define in the service agreement specific situations where the clause does not apply (in these cases the vendor will have to include in the service agreement how it will handle these situations), or choose vendors which do not have this clause.

    These articles will provide you further explanation about supplier management:
    - 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
    - Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
  • ISO 27001 controls validation


    Answer: To start with your validation of controls, I suggest you start with our free ISO 27001 Gap Analysis Tool (https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/). This tool can provide you with a quick overview of how much of ISO 27001 you have implemented so far (management requirements and controls alike).

    For a more formal and systematic approach, I suggest you take a look at the free demo of our ISO 27001/ISO 22301 Internal Audit Toolkit (https://advisera.com/27001academy/iso-27001-22301-internal-audit-documentation-toolkit/). This toolkit is composed of the following documents: Internal Audit Checklist, Procedure for Internal Audit, Annual Internal Audit Program, and Internal Audit Report, and it will help you to plan, perform and document the results of an internal audit compliant with ISO 27001.

    These articles will provide you further explanation about internal audit:
    - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
    - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

    These materials will also help you regarding internal audit:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
  • Developing design and development procedure


    Answer:

    The procedure should explain the process of design and development. The level of details will depend on the competency of the people included in the design and development process. The more competent they are, the less information is needed in the procedure.

    Design and development procedure should cover the following topics:
    - Design and development planning
    - Design and development inputs
    - Design and development controls
    - Design and development outputs
    - Change management in the design and development process

    For more information, see: 7 steps in writing QMS policies and procedures for ISO 9001 https://advisera.com/9001academy/blog/2015/03/10/7-steps-in-writing-qms-policies-and-procedures-for-iso-9001/

    Also, you can download a free preview of our Procedure for Design and Development: https://advisera.com/9001academy/documentation/procedure-design-development/

    These materials will also help you regarding the design and development procedure:
    - Book Discover ISO 9001:2015 Through Practical Examples https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free online training ISO 9001:2015 Foundations Course https://advisera.com/training/iso-9001-foundations-course/
    - Conformio (online tool for ISO 9001) https://advisera.com/conformio/
  • Special approval of FMEA for product safety


    Answer:

    Special approval means that your FMEA assessment is approved by your customer. This is, of course, if the customer requires your organization to send them FMEAs for approval. The standard itself says "if applicable" for this requirement, so if the customer doesn't require approving your FMEAs, your current FMEAs are sufficient to meet the standard's requirements.

    For more information, see: Ensuring product safety according to IATF 16949 https://advisera.com/16949academy/blog/2017/09/20/ensuring-product-safety-according-to-iatf-16949/
  • Information security policy content

    We received this question:

    >I have another question: in the Information Security Policy we mention that the controls implemented are as listed in the Statement of Applicability. Thus, users will ask questions about it, e.g. what the SoA is, how can I access it, etc.
    >
    >What should I tell my end users? Basically I'm just concerned about the things which will not make a lot of sense to them.

    Answer: In my understanding you are making your Information Security Policy unnecessarily complex. Since the ISO 27001 standard does not require an organization to mention the SoA in the information security policy, and you think mentioning it will not make a lot of sense to your users, you should consider not referring to it in the policy.

    This way you will be avoiding overloading users with information that will not be directly useful to their activities. Remember, users need to see and understand the security policies and procedures that are relevant to their activities.
  • Analysis of external issues

    Sure. Examples of how you can apply PEST analysis to information security are:

    Political: How governments and politicians see and understand information security can define state-wide agendas and impact on regulations and laws applicable to several industries.

    Economic: Which costs and profit opportunities can be related to the adoption of information security practices (in some countries that have to import technology variations in the currency used to buy assets can heavily affect security decisions).

    Social: Depending on the society's culture, the impacts perceived by society due to an information breach can be far greater than the real ones. On the other hand, depending on the culture, the assimilation of security practices can be more difficult (a perception of excessive surveillance and invasion of privacy).

    Technological: the obsolescence and ascension of new technologies can lead to a complete transformation of security practices (e.g., quantum computation can have a serious impact on cryptographic controls, and the "Internet of Things - IoT" brings a whole new set of problems related to connectivity).
  • Minor non conformity


    Answer: Yes. A minor non conformity does not represent a failure in the Information Security Management System with enough severity to prevent an organization from marketing/advertising that it is certified. But you should ensure its treatment is effective and within the agreed deadline, because failure in treating a minor non conformity can lead to a major non conformity which, depending on the circumstances, can prevent an organization from marketing/advertising that it is certified.

    These articles will provide you further explanation about minor non conformities:
    - Major vs. minor nonconformities in the certification audit https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/
    - ISO 27001 Certification: What’s next after receiving the audit report?

    This material will also help you regarding minor non conformities:
    - Preparing for ISO Certification Audit: A Plain English Guide https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/
  • Gap Analysis AS9100 Rev C vs Rev D


    Answer provided:

    Unfortunately, I do not have a Gap Analysis for the changes from AS9100 Rev C vs Rev D, however, a good place to start is with our free whitepaper “AS9100 Twelve-step transition process from Rev C to Rev D” (https://info.advisera.com/9100academy/free-download/as9100-twelve-step-transition-process-from-rev-c-to-rev-d). The changes are also highlighted in our AS9100 Rev D Transition Toolkit (https://advisera.com/9100academy/as9100-rev-d-transition-toolkit/) to make it easy to see what needs to change.
  • Internal Audit Impartiality


    Answer given:
    The requirement for selecting auditors is that you ensure “objectivity and the impartiality of the audit process”. In general, if you can show that the person you have chosen meets these requirements then this is acceptable. A few rules of thumb are that an auditor should never audit their own work, and any person who could be affected by the audit should not audit that area (such as a manager who would need to deal with the corrective actions that were found).