Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11277 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Certification requirements
Answer: No. If the department has not yet undergone a certification audit and has been considered in compliance with the requirements of the standard, it can not be declared that it is certified. This article will provide you further explanation about certification process: - Becoming ISO 27001 certified – How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/ These materials will also help you regarding certification process: - Preparing for ISO Certification Audit: A Plain English Guide https://advisera.com/books/preparing-for-iso-certification-audit-plain-eng lish-guide/ - ISO 27001/ISO 22301: The certification process [free webinar] https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/ -
SA 8000 and ISO 9001 and OHSAS 18001
Am from Human resource Background. Currently Am working as HR & compliance Executive. How would ISO 9001 would help my carrier as social compliance auditor.Suggest some good certificate body from India to do ISO 9001 Allso. -
Toolkit content
- A.5 Information security policies
- A.18 Compliance
I do not see an assessment tool for ISO27K. Is there any reason for this omission? Are not included as part of the toolkit?
Answer:
1) The controls from section A.5 Information security policies are covered in many policies provided in the toolkit (e.g., Information security policy, Access control policy, Acceptable use policy, Backup policy, etc.).
2) The controls from section A.18 Compliance are covered in the following documents: Procedure for Identification of Requirements, and List of Legal, Regulatory, Contractual and Other Requirements - you'll find them in folder 02 "Procedure for identification of requirements"
3) ISO 27001 does not require the usage of a tool for doing the risk assessment, so we are offering the Excel sheets for performing this task - in our experience, this is much easier for smaller companies for which our toolkit is designed. You'll find those sheets in the folder 0 5 "Risk assessment and risk treatment methodology"
By the way, you can find the information about which controls and requirements are covered by each document in the file List of documents that you'll find in the root folder of the toolkit. -
Nonconformities and corrective actions
In my previous employment and experience, we usually initiate only a CAR for audit findings. To me, it seems like redundancy.
Do you see a reason for initiating a NCR? Is it a requirement?
Answer:
Results of the certification audit can be minor and major nonconformities and recommendations. In case of nonconformities, you will need to document them as per clause 10.2.2 regardless of who identified the nonconformity. Then you evaluate the need for action to eliminate the cause(s) of the nonconformity, in order that it does not recur or occur elsewhere, and that is corrective action.
This might seem as a redundancy but, it provides traceability and also enables the organ ization to file more information on the nonconformity, then the ones stated in certification audit report.
For more information, see: How to deal with nonconformities in an ISO 9001 certification audit https://advisera.com/9001academy/blog/2015/06/09/how-to-deal-with-nonconformities-in-an-iso-9001-certification-audit/ -
Information security career
Answer: With the increase in the number of incidents involving information leakage, impacting both final users and big organizations, and in the number and rigidity of legislation, the need for information security professionals is also increasing, both on technical and management aspects. I suggest you to look at this report for an overview: The State of Cyber Security Professional Careers https://www.esg-global.com/hubfs/issa/ESG-ISSA-Research-Report-State-of-Cybersecurity-Professional-Careers-Oct-2016.pdf
Concerning learning, there is no such thing as "right path", it is more like the path most adequate for you. ISO management systems themselves recognize this (in terms of competencies, they consider as sources either education, training or experience). So, you can go for formal academic knowledge, attending information related courses and training, or develop your skills through daily activities. Here in Advisera you can find articles, white papers a nd online courses that can give you a start point.
Take a look at these links to access our knowledge base, white papers and courses:
- https://advisera.com/27001academy/knowledgebase/
- https://advisera.com/27001academy/free-downloads/
- https://advisera.com/training/
These articles will provide you further explanation about information security profession:
- What to look for when hiring a security professional https://advisera.com/27001academy/blog/2016/02/15/what-to-look-for-when-hiring-a-security-professional/
- CISA vs. ISO 27001 Lead Auditor certification https://advisera.com/27001academy/blog/2015/05/11/cisa-vs-iso-27001-lead-auditor-certification/
- How personal certificates can help your company’s ISMS https://advisera.com/27001academy/blog/2014/10/06/how-personal-certificates-can-help-companys-isms/ -
Information security policies
Answer: Yes, but not in the way your are thinking. The toolkit has several commonly used policies covering different aspects of information security, like Access control policy, Acceptable use policy, Back policy, etc. You can consult the "List of Documents" file that comes with your toolkit to find them. Once you have identified the policies you need you can decide if you will use them as separated documents, or merging them in a single "Information security police", as it seems as your idea.
This article will provide you further explanation about implementing policies:
- One Information Se curity Policy, or several policies? https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/ -
Documenting process to motivate employees
Answer:
This clause is addition to the awareness requirements of ISO 9001:2015 and besides quality objectives achievement, it mentioned continual improvement and promoting technical innovations. You can document this as a part o your procedure for competence and awareness or you can have a separate procedure that will describe how your company will achieve this. -
Planning the QMS and clause 6.1.1
Answer:
The planning is very important part of the QMS (Quality Management System) and PDCA cycle. Planning should be conducted on regular basis if there are no changes to the QMS or at any time when some changes are made to the QMS. For example, during the management review you can make plans for necessary resources for processes, training needs, etc and identification of risks and opportunities is also a part of the planning phase.
For more information, see: Plan-Do-Check-Act in the ISO 9001 Standard https://advisera.com/9001academy/knowledgebase/plan-do-check-act-in-the-iso-9001-standard/ -
Updating ISO 9001 and ISO 13485
Answer:
Bot ISO 9001 and ISO 13485 have new versions, so if you implemented old versions of these standards, you need to make transition to the new versions in order to maintain the certificates. The deadline for the transition is September 2018.
If you have only ISO 9001:2008, then you only need to make transition to ISO 9001:2015. Here is one interesting article that can help you: Infographic: ISO 9001:2015 vs. 2008 revision – What has changed? https://advisera.com/9001academy/knowledgebase/infographic-iso-90012015-vs-2008-revision-what-has-changed/ Good thing with having ISO 9001:2008 implemented is that ISO 13485:2016 is based on ISO 9001:2008 and you can keep all the documents and make addition to become compliant with ISO 13485:2016, for more information, see Inf ographic: What’s new in the 2016 revision of ISO 13485 https://advisera.com/13485academy/blog/2016/12/06/infographic-whats-new-in-the-2016-revision-of-iso-13485/ -
Competence definition in IATF 16949
Answer:
Competence is defined as "the demonstrated ability to apply knowledge and skills". This means that the person is competent when it is able to perform a task successfully. Competencies refer to skills or knowledge that lead to superior performance. Measurable skills, abilities and personality traits that identify successful employees against defined roles within an organisation.
Skills define specific learned activities, and they range widely in terms of complexity. (“Mopping the floor” and “performing brain surgery” can both be classified as skills.) Knowing which skills a person possesses helps us determine whether their training and experience has prepared them for a specific type of workplace activity. In other words, skills give us the “what.” They tell us what types of abilities a person needs to perform a specific activity or job.
But skills don’t give us the “how.” How does an individual perform a job successfully? How do they behave in the workplace environment to achieve the desired result? Competencies provide that missing piece of the puzzle by translating skills into on-the-job behaviors that demonstrate the ability to perform the job requirements competently.