Search results


  • Internal audit according to ISO 9001:2015

    What are the changes the auditor would expect in terms of Internal Audit as per ISO 9001: 2015. Do we need to perform 1 cycle of auditing for all processes i.e. core, support, control processes etc?

    Also would like to know should the top management be audited as well for the shall requirements?

    Answer:

    Requirements regarding the internal audit process haven't changed significantly compared to the previous version. The only change is that you no longer need a documented procedure for internal audit, and the requirements to be audited are different. Before having the certification audit, it is recommendable to conduct a full cycle of internal audit, but this was also the case with the previous version of the standard.

    Internal audit should cover the entire scope of the QMS, and this includes auditing requirements related to the top management.

    For more information, see: Five Main Steps in ISO 9001 Internal Audit https://advisera.com/9001academy/knowledgebase/five-main-steps-in-iso-9001-internal-audit/
  • Standard review and recertification cycle


    Answer: The review of an ISO standard generally starts 5 years after its release, and this process takes up to 3 years to release a new version. Of course, if an industry or community presents a justifiable request, this time between reviews may change, but the duration of the review process remains within the 3-year time frame.

    2 - Can you advise me how re-certification is achieved?

    Answer: For the certification body, the re-certification process is the same as the certification one: the certification auditor will go through the whole certification scope during the audit to verify that all requirements of the standard, as well as the requirements defined by the organization, are in place and working as expected.

    For the organization, when the recertification involves the release of a new version of the standard, the re-certification process starts with a gap analysis between the old and the new versions of the standard, so you can identify what has changed and which actions should be taken to comply with the new requirements.

    After the new requirements are implemented, you have to ensure they are properly operated and controlled and that they achieve the expected results, through internal audit and management review, so you have the necessary evidence that the new requirements are all properly implemented and that identified problems are handled through corrective actions.

    These articles will provide you with further explanation about the certification process:
    - Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/
    - Becoming ISO 27001 certified – How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/
  • Checklist for EU GDPR


    1) Is there any draft questionnaire or checklist for compliance with the EU GDPR? Like any set of questions which any company (maybe from different industries) answers to show its compliance with GDPR. If one exists and you know of it, kindly forward me such a link.

    Answer: Unfortunately, EU GDPR is not our main area of expertise (we work with ISO standards). Regarding specific clauses of the EU GDPR, I suggest you consult the GDPR site (https://www.eugdpr.org/more-resources-1.html). On this page you will find links to legal evaluations and other compliance information considered relevant to GDPR.

    2) DLP in itself says that there should be no data leakage from the organisation, so one has to monitor what data is at rest/in transit/in motion. But if you monitor all the data of the employee, then it invades their privacy, which is against personal liberty. I am trying to figure out what the threshold is where data can be monitored and beyond which monitoring invades privacy. Is there a draft set of rules or laws which specifically implement DLP keeping in mind the personal liberty of the employee? Along with this, the DLP monitoring should be compliant with the EU GDPR as well.

    Answer: Privacy laws can be very different from country to country, so it is very difficult to try to identify common thresholds. In terms of ISO 27001, good practices would be:
    - Establish enterprise-wide network and systems usage policies, so there are clear rules about what can be sent or received through organization resources
    - Ensure every employee is aware of monitoring practices by means of newsletters and other forms of organizational communication. This measure can also help prevent undesirable data losses.

    For our Acceptable Use Policy template, you can take a look at this link: https://advisera.com/27001academy/documentation/it-security-policy/

    You just need to scroll down a little to find the free demo tab.
  • Document classification


    Answer:
    Based on the details, I assume you are implementing an Information Security process and related controls.
    I would suggest that you make an agreement at company level on what document confidentiality levels you will use. In that way you will avoid having different confidentiality levels (e.g. for the same kind of document).
  • Training on non conformities

    (Hi, good afternoon, the 4 books I bought are very helpful. But I lack more training in raising NONCONFORMITIES. How can you help me with that?)

    Answer: To raise a nonconformity you need to identify three conditions:
    1 - the situation itself that demonstrates the nonconformity
    2 - the requirement being followed (e.g., procedure, policy, or standard clauses)
    3 - evidence (e.g., lack of a record)

    These are the main guidelines for auditors.

    These articles will provide you with further explanation about nonconformities, corrective actions, and audit:
    - Practical use of corrective actions for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2013/12/09/practical-use-of-corrective-actions-for-iso-27001-and-iso-22301/
    - ISO 27001 Internal Auditor training – Is it good for my career? https://advisera.com/27001academy/blog/2016/03/29/iso-27001-internal-auditor-training-is-it-good-for-my-career/

    To learn about audit techniques, I suggest you take a look at our ISO 27001:2013 INTERNAL AUDITOR COURSE https://advisera.com/training/iso-27001-internal-auditor-course/
  • Personal certification maintenance


    Answer: Yes, you can use the hours of attended Advisera online courses to claim PDUs for your PMP certification. You only have to ensure you keep evidence of attending the course, to present in case PMI requests it as part of its random audit process. This evidence may be the confirmation of your enrolment in the course or the course certificate (I suggest you verify in the PMI PDU program which one is better).
  • Understanding clause 9.3.2


    I need your expertise in understanding clauses 9.3.2c (3) and 9.3.2c (5) of the ISO 9001:2015 standard.

    I would appreciate it if you could provide examples to satisfy these requirements.

    Thank you in advance.

    Answer:

    Clause 9.3.2c) (3) requires the organization to gather information on trends in process performance and conformance of products and services. This means that the organization needs to determine the key process indicators and measure them to gather information on process performance; as an input for product conformance, the company can use the registry of nonconformities to see how many products or services were nonconforming to the requirements. For more information, see: How to define Key Performance Indicators for a QMS based on ISO 9001 https://advisera.com/9001academy/24/define-key-performance-indicators-qms-based-iso-9001/-iso-9001/

    Clause 9.3.2c) (5) requires the organization to gather information on trends in monitoring and measuring results. The organization needs to define what needs to be monitored and measured and how frequently; for example, the organization can measure customer satisfaction twice a year and present the top management with information on whether customer satisfaction increased or not. For more information, see: Analysis of measuring and monitoring requirements in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/analysis-of-measuring-and-monitoring-requirements-in-iso-90012015/
  • Becoming an ISO 22301 Lead Auditor


    Answer: If you are aiming for an accredited certificate (which is internationally recognized and part of the process to become an auditor for a certification body), to my knowledge there are no ISO 22301 Lead Auditor courses offered online at the moment in the market.

    These materials will provide you with further explanation about becoming an ISO Lead Auditor:
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/

    - ISO 27001 Lead Auditor Course preparation training [free webinar on demand] https://advisera.com/training/iso-27001-lead-auditor-course/

    These materials are focused on ISO 27001, but the logic is the same for ISO 22301.
  • Risk Assessment


    Now that the Asset Register is complete, including all assets (software, computers, accessories, servers, information and infrastructure), is it best to risk assess each item on the register to understand the threats and vulnerabilities?

    Answer: Yes, you have to assess the risks for all assets on the asset register. The understanding of ISO 27001 control A.8.1.1 - Inventory of assets is that all assets in the inventory (asset register) are considered relevant in the life cycle of the information, so if you do not assess the risk for one asset you have on the register, you either have a nonconformity issue, or that asset should not be in the register at all. But you should note that you also have to add to the register your employees and suppliers (because of the competencies and resources they provide) - you need to perform risk assessment on them, too.

    These articles will provide you with further explanation about Risk Assessment:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

    These materials will also help you regarding Risk Assessment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Framework for IT audit.


    I need to ask you which framework we should use to do an IT Audit. I know that there are different methodologies like COBIT, ISO 27001 and NIST.

    Answer: This answer will depend upon the purpose of your audit:
    - If your purpose is to verify IT governance practices, you should use COBIT as the main reference.
    - If your purpose is to verify IT information security management practices, you should use ISO 27001 as the main reference.
    - If your purpose is to verify IT practices related to computer security, you should use the NIST SP 800 series as the main reference.

    In case your audit covers a mix of these purposes, you should make a combination of these standards.

    These articles will provide you with further explanation about IT frameworks and audit:
    - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
    - How to integrate COSO, COBIT, and ISO 27001 frameworks https://advisera.com/27001academy/blog/2016/10/10/how-to-integrate-coso-cobit-and-iso-27001-frameworks/
    - How to use the NIST SP800 series of standards for ISO 27001 implementation https://advisera.com/27001academy/blog/2016/05/02/how-to-use-the-nist-sp800-series-of-standards-for-iso-27001-implementation/

    These materials will also help you regarding IT frameworks and audit:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/