1. Customer-related processes – check clauses 8.2 and 9.1.2
2. Branding and Public relations – nothing specific about branding or PR, but check clause 7.4
3. Business development – check clauses 4.1, 4.2, 5.2 and 6.2
You can find more information below:
First it is important to note that the Register of Requirements module is intended only for listing regulatory and contractual requirements, i.e., laws, regulations, and agreements. Further, ISO 27001 does not require internal or external issues to be documented.
Considering that, in case the requirement refers to an external/internal issue, it does not need to be documented, and you can record it in the SoA as a management decision for each related control (e.g., “control applicable due to management decision to ensure availability requirements”).
In case the requirement needs to be documented, because it refers to laws, regulations or contracts, then you can record it in the ‘Register of requirements’ module.
When the requirement refers to parts of the organization which are outside of the scope, you can define it within the Register of Requirements as a requirement of the third party since this part of the organization is not within the ISMS scope.
Please note that ‘Contractual Agreement’ can vary from fully formal agreements that can be legally enforced, to lesser formal agreements established internally through memos or emails.
You need to approve residual risk so you can proceed to the next step of the implementation process.
After this approval, you will define the risk treatment plan, where you will define the dates for the implementation of the controls not yet in place.
At Advisera we have a large set of resources that can help you drive your GDPR compliance project. B2B companies need to demonstrate compliance with GDPR when they process data of people in the EU or when they monitor their behaviour. You can start with our article “9 steps for implementing GDPR” (link below), followed by “A summary of 10 key GDPR requirements” and “Understanding 6 key GDPR principles”. I would also recommend consulting the “List of mandatory documents required by EU GDPR”, link below. These documents can be found in our EU GDPR Toolkit, which can be purchased on our website. This Toolkit contains a step-by-step approach to driving a GDPR-compliance project, also providing a full set of templates needed for GDPR compliance.
Please also consult these links:
First of all, sorry for this confusion.
A third party is any entity that is not under the direct control of an organization. Examples of third parties are: customers, suppliers, visitors, contractors, consultants, etc.
A cleaner that does not belong to the organization’s staff can be considered a third party.
First, it is important to note that an ISMS scope can be defined in terms of processes, location, or information to be protected.
Considering that, and your stated scenario, you should define your ISMS scope either in terms of processes (development process, sales process, account process, etc.) or information to be protected (e.g., customer information, financial information, etc.).
By the way, included with your toolkit you have access to a video tutorial that can help you define your ISMS scope. This video contains examples.
For further information, see:
- Tool for defining the ISO 27001 ISMS scope https://advisera.com/insight/chatbot-tool-iso-27001-scope/
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
Requirements for change management in an ISO 22301 BCMS can be found in the Business Continuity Policy template, section 3.8 – Changes in the BCMS, located in folder 03 Business Continuity Policy.
ISO 22301 does not prescribe a change management procedure to be written, but in case you decide you need one, please take a look at this Change Management Policy template for ISO 27001. Even though it is an ISO 27001 document, it can be adapted to be used with ISO 22301:
- https://advisera.com/27001academy/documentation/change-management-policy/
For further information, see:
- How to manage changes in an ISMS according to ISO 27001 A.12.1.2 https://advisera.com/27001academy/blog/2015/09/14/how-to-manage-changes-in-an-isms-according-to-iso-27001-a-12-1-2/
Since you are considering the weak password vulnerability to be related to people's behavior, then it makes sense to consider it for Human-related assets in this case, but please note that you can also have situations where this vulnerability can also be defined for IT equipment.
For example, some equipment only allows PIN numbers as passwords, or it is not possible to enforce password rules on them; in this case you can also define weak passwords as a vulnerability for IT equipment. You can use only one of these two vulnerabilities, or you can use both if both are applicable.
1 - Between the end of June and when they get the renewal, can I sell the products I hold that were manufactured under a valid CE, even though they will be out of date?
For all medical devices that are produced until the expiry date of the MDD certificate, you can sell until the expiry date of the device.
2 - If I purchase new products that have been produced without a valid CE, they will not be compliant, will they?
The manufacturer is not allowed to produce the device anymore after the certificate has expired.
1. Physical office security for site 1:
Given the scenario above, is it possible to treat the site 1 office as out-of-scope? The existing security controls of the office do not fully conform with the standard, and our personnel cannot make major changes to the office security since they are only sitting within our Parent company’s office. In terms of risk associated with the physical security, we assess that it is minimal since most of the time our personnel are working remotely (80% of the time) anyway. The security will be enhanced on the personnel themselves (awareness), their system accesses (policy, access rights and reviews, and the like), and on their user laptops (endpoint security such as anti-malware, DLP agent).
If the site 1 office does not contain highly sensitive information, and if the people from this site have only restricted access to offices within the scope, then you can exclude office 1 from the scope.
For further information, see:
2. In site 2, our HR, Recruitment, and IT (laptops, user peripherals, purchasing of this equipment) services are provided by our Parent company (shared among some of its subsidiary companies). Are they still considered a supplier of the services, and will they be required by the standard to comply with the applicable 3rd party controls (NDA, contracts, etc.)? We do not have such a contract established with our parent company. The personnel of the aforementioned teams only access “internal” classified data such as employee info, payroll, and the like.
In case the parent company acts as a service supplier accessing information your ISMS needs to protect (i.e., information included in the ISMS scope), then you need to treat this parent company as a supplier, and controls applicable to suppliers need to be applied, but please note that in this case, the agreements signed with such "suppliers" do not need to be fully formal (i.e., instead of full formal contracts you can use something like internal memos).
For further information, see: