Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11269 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
ISO 27001 and Data privacy protection regulations
Is there a document that supports us when it comes to the point of ISO 27001 and the above mentioned? Data privacy protection regulations. Is there a checklist that would help us to deal with the new regulations we have from May 2018 on?
The requirement is that we need to show that we can align ISO 27001 A. 18.1.4 and the DSGV. Clause A. 18.1.4 is often considered as not really up to the DSGV and its tight measures of Data privacy protection regulation.
Answer: I approximately 2 months from now we will launch the EU GDPR Toolkit which will contain checklists and all other documentation required to ensure compliance with EU GDPR. At this moment I can suggest you other material that can help you:
- Does ISO 27001 implementation satisfy EU GDPR requirements? https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/
- Data Privacy Protection, ISO 27001 and CISPE Code of Conduct https://advisera.co m/27001academy/blog/2016/10/31/data-privacy-protection-iso-27001-and-cispe-code-of-conduct/
- What is EU GDPR and how can ISO 27001 help? https://info.advisera.com/27001academy/free-download/what-is-eu-gdpr-and-how-can-iso-27001-help -
ISO 27001 software
Answer: Only some activities related to ISO 27001 can be semi-automated (e.g., control of documents, controls measurement, risk assessment, etc.). Being a management system, ISO 27001 still requires some human intervention to analyse and evaluate information.
At this link you can see our online tool Conformio, which can help you manage ISO 27001 implementation project and documentation after implementation: https://advisera.com/conformio/
This article will provide you further explanation about automated tools:
- When to use tools for ISO 27001/ISO 22301 and when to avoid them https://advisera.com/conformio/blog/2021/06/24/toolkit-vs-conformio-which-is-more-applicable-for-my-company/
These materials will also help you regarding automated tools:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
Planning changes in ISO 9001
Could you explain to me what can cause a change to QMS? and where the change can happen in QMS?Should I need to have documented information for changes(e.g. change management procedure)?
Answer:
Changes in the QMS can be caused by the organization itself wanting to improve its processes, the customer who wants to ensure that provided products or services meet its requirements, or changes in the relevant legislation. The changes can happen in the processes, their sequence and interaction, documentation or any other aspect of the QMS.
The standard does not require any document for this requirement, but it can be beneficial to have some kind of record to demonstrate that the changes are carried out according to the plan and in compliance with the standard.
For more information, see: QMS Change Management in 7 steps https://advisera.com/9001academy/blog/2016/11/29/qms-change-management-in-7-steps/
These materials will also help you regarding change management in ISO 9001:
- Fre e online training ISO 9001:2015 Foundations Course https://advisera.com/training/iso-9001-foundations-course/
- Conformio (online tool for ISO 9001) https://advisera.com/conformio/ " -
Risks and opportunities and life-cycle stage
Answer:
The standard does not require risks and opportunities to be determined for life-cycle stages of the product, but significant environmental aspects. Risks and opportunities need to be determined regarding context of the organization and its EMS (Environmental Management System) effectiveness. For more information, see: Risks and opportunities in ISO 14001:2015 – What they are and why they are important https://advisera.com/14001academy/blog/2016/03/07/risks-and-opportunities-in-iso-140012015-what-they-are-and-why-they-are-important/
On the other hand, the standard requires life-cycle of the product to be examined in order to determine significant environmental aspects related to different life-cycle stages. This can be done by examining each stage and determining whether thee are significant environmental aspects that require control. For more information, see: How does product life cycle influence environmental aspects according to ISO 14001:2015? https://advisera.c om/14001academy/blog/2016/03/21/how-does-product-life-cycle-influence-environmental-aspects-according-to-iso-140012015/
These materials will also help you regarding environmental aspects:
- Free online training ISO 14001:2015 Foundations Course https://advisera.com/training/iso-14001-internal-auditor-course/
- Conformio (online tool for ISO 14001) https://advisera.com/conformio/ " -
Rework vs repair
@Strahinja Stojanovic thank you
-
Pursuing career in quality management
How much experience is needed and what is the exact procedure..
And if we want to do ISO documentation of any organization what are the things to be followed.
Answer:
If you want to pursue career in quality management, you need to get competence on ISO 9001 and this is the first step. Although having background in engineering or production processes can be beneficial, it is not mandatory, and there are no requirements for experience other that ones your employer defines. I suggest you take a look at our free ISO 9001:2015 Foundations Course https://advisera.com/training/iso-9001-foundations-course/
When developing documentation for any ISO standard, you need to identify first requiements for mandatory documents and also to determine the organization needs for some additional procedures, records, work instructions etc. Here you can see what documents are required by ISO 9001:2015: List of mandatory documents requir ed by ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
These materials will also help you regarding the documentation:
- Book Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
- Conformio (online tool for ISO 9001) https://advisera.com/conformio/ -
Documenting the context and interested parties
Answer:
Determining interested parties and their needs and expectations is part of the process of determining context of the organization. However, determining internal and external issues (i.e. the context) and identifying relevant interested parties and their needs and expectations is different in terms how it is carried out and how it can be recorded. Therefore, I think it is better to have different sections of the manual or separate documents dedicated to these two topics. It doesn't really matter from the perspective of the standard how you choose to document this since there are no requirements to document the context or interested parties, so you can adopt the approach that you find the most suitable for your organization.
Both interested parties and issues can be external and internal, for example internal interested party is the top management, employees, unions, etc, and internal issue are organization chart, internal communication process, organizational culture, etc. Also, you need to determine needs and expectations of the interested parties and there is no analogue requirement for the context.
For more information, see: How to identify the context of the organization in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
These materials will also help you regarding the context and interested parties:
- Free online training ISO 9001:2015 Foundations Course https://advisera.com/training/iso-9001-foundations-course/
- Conformio (online tool for ISO 9001:2015) https://advisera.com/conformio/ " -
Information Security Risk Metrics
Answer: There is no specific answer for this question, because each organization has an unique context (e.g., competitors, customers, legal requirements, risk appetite, etc.) that will define its security objectives, and after them, which risks should be monitored through indicators. For example, for an Internet-based business, a security objective may be system's uptime, and a risk indicator could be the number of discovered zero-day vulnerabilities that can result in infrastructure downtime.
These articles will provide you further explanation about control objectives and key indicators:
- ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
- Key performance indicators for an ISO 27001 ISMS https://advisera.com/27001academy/blog/2016/02/01/key-performance-indicators-for-an-iso-27001-isms/
These materials will also help you regarding control objectives an d key indicators:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
Versión vs. Revisión y Control de la Documentación
Mi respuesta:
Generalmente Versión es una variación de un documento previo u original: normalmente un cambio mayor. Revisión es utilizado para pequeños cambios.
Un cambio en el nivel de revisión de un procedimiento lleva consigo un cambio menos, por ejemplo un cambio en el título de alguien (gerente de rrhh a director de personal si la organización tiene la misma persona llevando a cabo la misma función en el procedimiento).
El cambios en el nivel de versión se produce si la función pasa a un departamento completamente diferente donde el énfasis puede ser distinto.
Para el control de la versión, es necesario asegurarse de que existe un nivel de revisión (número o letra) para cada documento. . Cada vez que el documento se revise tiene que avanzar en la letra o número en una unidad.
Sin embargo, depende del sistema que se implemente y siempre y cuando se emplee de manera consistente y todo el mundo en la organización entienda el sistema.
2) llevamos la documentación en copia magnética. Me llamó la atención que el auditor de la certificadora cuestionara que la documentación llevara el nombre de la persona del cargo que aprueba y revisa. Permite que se valide el estilo de quien lo validó en caso que cambie el individuo. Que sólo debía llevar el cargo. Posteriormente a raíz de un reclamo, pedí el procedimiento de reclamo a la empresa certificadora. Y ...sorpresa... copia digital con el nombre del individuo que aprobaba, quien revisaba y quien elaboraba.... Finalmente en una copia digital ¿va o no va el nombre del individuo?
Mi respuesta:
Los documentos y registros deben de contener títulos, número de documento o algo que indique su identidad. Siempre y cuando pueda diferenciarse entre la distinta información documentada, y que se sepa qué documento o registro identifica qué cuestión, entonces se cumple con este requisito
.
Estos materiales además le ayudarán con respecto a la norma ISO 9001:
- Libro "Gestión de Documentación ISO: una guía en un lenguaje sencillo": https://advisera.com/books/gestion-de-documentacion-iso-una-guia-en-un-lenguaje-sencillo/
- Formación gratuita en línea "Curso de fundamentos de la norma ISO 9001:2015: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
- Conformio (herramienta en línea para ISO 9001): https://advisera.com/conformio/ -
Filling documentation
We're advised to finish security audit until this Oct 1st, otherwise it will become more difficult (new items will be added).
1 - Do you think we can finish the documentation in a week?
Answer: No, it is not possible to finish the whole documentation for ISO 27001 in a week because: (1) you will have to write at least a dozen documents (for a smaller company), up to ca 50 documents for a mid-sized company, (2) each document needs to be agreed, reviewed and approved by a couple of people, and most importantly (3) it will take a while before your employees start changing their activities according these new rules.
Here are a couple of materials that will help you:
- List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
- ISO 27001 / ISO 22301 Implementation Duration Calculator htt p://advisera.com/27001academy/free-tools/free-calculator-duration-of-iso-27001-iso-22301-implementation/
- ISO 27001 project – How to make it work https://advisera.com/27001academy/blog/2013/04/22/iso-27001-project-how-to-make-it-work/
- How long does it take to implement ISO 27001 https://advisera.com/27001academy/blog/2011/11/08/how-long-does-it-take-to-implement-iso-27001-bs-25999/
2 - What is the most time consuming part while doing security audit?
Answer: The most time consuming part is the audit of implemented practices, because you have to walk around the company and talk to employees, check the computers and other equipment, observe physical security, among other things. To help you go through this as quickly as possible, it is crucial to have a checklist of things you have to check.
These articles will provide you further explanation about performing an audit:
- 7 ways to improve the internal audits of your ISO 27001 ISMS https://advisera.com/27001academy/blog/2017/08/28/7-ways-to-improve-the-internal-audits-of-your-iso-27001-isms/
- How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
These materials will also help you regarding documentation and auditing:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/