
  • ISO 27001 and EU GDPR


    Answer: You can use ISO 27001 together with ISO 27018, a specific standard for the protection of Personally Identifiable Information (PII), to cover most of the requirements of the EU GDPR.

    These articles will provide you further explanation about ISO 27001 and EU GDPR:
    - ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/
    - Does ISO 27001 implementation satisfy EU GDPR requirements? https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/

    These materials will also help you regarding ISO 27001 implementation:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://training.advisera.com/course/iso-27001-foundations-course/
    - What is EU GDPR and how can ISO 27001 help? https://info.advisera.com/27001academy/free-download/what-is-eu-gdpr-and-how-can-iso-27001-help
  • Enterprise risks


    Answer: ISO 27001 was designed to cover risks related to information security from operational to enterprise levels, but enterprise risks cover much more than information security, so you should consider complementing it with some other frameworks, like COSO, which provides recommendations for managing enterprise risks, like economical, social, and others.

    2. Do we have a high-level classification of enterprise risk?

    Answer: General classifications for risks like low, medium, and high are used when we talk about enterprise risks, so we can compare risks of different types, like technological, economical, strategic, etc.

    These articles will provide you further explanation about enterprise risks and monitoring:
    - How to integrate COSO, COBIT, and ISO 27001 frameworks https://advisera.com/27001academy/blog/2016/10/10/how-to-integrate-coso-cobit-and-iso-27001-frameworks/
    - Aligning information security with the strategic direction of a company according to ISO 27001 https://advisera.com/27001academy/blog/2017/02/20/strategic-direction-of-a-company-according-to-iso-27001/
    - How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/
  • SOA


    Answer: Your assumption is right concerning controls that are to be implemented, or aren't to be, considering the results of the risk assessment. But you also have to remember that you may have some controls already implemented before the ISMS implementation practice, either because you adopted them as a market practice, or because a contract or legal requirement required you to do so. So, some controls can already be stated as implemented during the implementation of the risk treatment plan.

    This article will provide you further explanation about SOA:
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

    These materials will also help you regarding SOA:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Evaluation of suppliers


    Answer:

    The standard requires the organization to determine criteria for the evaluation, selection and monitoring of external providers, i.e. suppliers, so you as a company can decide what kind of criteria and method to use to evaluate the suppliers. If you find your existing supplier questionnaires redundant, you can exclude them from your supplier evaluation activities.

    For more information, see: How to control outsourced processes using ISO 9001 https://advisera.com/9001academy/blog/2015/05/05/how-to-control-outsourced-processes-using-iso-9001/
  • Documentation requirements for production process


    Answer:

    I assume by "iso" you mean ISO 9001:2015. When it comes to explicit requirements for documentation in the production process, ISO 9001:2015 requires the following:
    - The characteristics of the products to be produced, the services to be provided, or the activities to be performed (clause 8.5.1)
    - Records about customer property (clause 8.5.3)
    - Production/service provision change control records (clause 8.5.6)

    But you may also decide to document the production procedure, work instructions, etc. For more information about mandatory documents, see: List of mandatory documents required by ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
  • Example of statutory and regulatory requirements for products


    Answer:

    Most products are not regulated in terms of quality, but for some of them, there are requirements for raw materials, packaging, user manuals, etc. For example, plastics used for producing toys for children must comply with regulations regarding the content of the plastics, the concentration of some chemicals within the plastics, etc.

    For more information, see: How to include statutory and regulatory requirements in your QMS https://advisera.com/9001academy/blog/2017/02/14/how-to-include-statutory-and-regulatory-requirements-in-your-qms/
  • Documentation audit

    Are the documents of the SMI treated according to the requirements of the three ISO standards written separately or integrated?

    Answer:

    QMS documentation comprises all documents and records required by the standard itself and the documents that the company determined to be necessary to maintain an effective QMS (Quality Management System). All documents that are part of your QMS will be audited, and the same document and record control rules should be applied unless the procedure for document and record control states otherwise.

    For more information, see: How to structure quality management system documentation https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/
  • Retention of tooling records


    For example, a part is manufactured continuously and the expected product life is 10 years. Does that mean 10+1 years of records of the tools need to be maintained?

    Answer:

    The records for the tools need to be maintained during the active time of production, which means they are to be kept as long as the product is being produced plus one calendar year, not the product lifetime plus one calendar year. Considering the changes in products, this time probably wouldn't take 10 years, but you also need to consider customer and legal requirements when it comes to the retention of this type of documents.
  • Clause 6.1. Risks and opportunities


    My answer:

    ISO 14001:2015 does not define any requirement for risk management, nor any document, so it is up to the company itself to choose the most appropriate methodology for identifying risks and opportunities. It can be carried out using a simple qualitative system or a more complex analysis in which quantitative aspects are also considered. As a guide, you can examine the methods included in the ISO 31000 family, which includes SWOT analysis and other evaluation methods. However, it is always possible to do it in a simpler way, by organizing a brainstorming session with the most relevant employees of the organization.
  • Environmental aspects in consulting agency


    Answer:

    Most of the environmental aspects will be the same as for any office-based business: waste paper, toners and other electronic waste, power consumption, etc. Depending on the type of consultancy you perform (e.g. engineering consultancy), maybe you will have to include environmental protection requirements in your design and development or project management process.

    For more information, see: How to identify environmental aspects in your office using ISO 14001 https://advisera.com/14001academy/blog/2015/05/18/how-to-identify-environmental-aspects-in-your-office-using-iso-14001/