Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11277 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Change Management
Answer: Regarding ISO 27001, you have two issues here:
- Clause 8.2 of ISO 27001 says that when significant changes occur, risk assessment needs to be performed.
- Control A.12.1.2 from Annex A requires changes to be managed so you can ensure they are authorized, controlled and risks of problems during the change are minimized.
Said that, first you should perform a risk assessment to re-evaluate the risks considering the new location (some new risks may arise or already identified risks may change values, requiring adjustments in your risk treatment plan). After that you should proceed with the risk management procedure.
For these two activities, I suggest you to take a look at the free demo of these documents:
- Risk Assessment and Risk Treatment Methodology https://advisera.com/27001academy/documentation/risk-assessment-and-risk-t reatment-methodology/
- Change management Police https://advisera.com/27001academy/documentation/change-management-policy/
- Business continuity plan https://advisera.com/27001academy/documentation/business-continuity-plan/
The risk assessment and treatment methodology can help you to re-evaluate the risks, the change management plan can help you organize the whole change process, and the business continuity plan can help you organize the specific activities related to the change and how to handle potential problems if they occur.
These articles will provide you further explanation about change management:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- How to manage changes in an ISMS according to ISO 27001 A.12.1.2 https://advisera.com/27001academy/blog/2015/09/14/how-to-manage-changes-in-an-isms-according-to-iso-27001-a-12-1-2/
These materials will also help you regarding change management:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course -
Audit findings
Answer:
When presenting nonconformities and concerns as a result of internal or certification audit, it is important to relate them to some requirement of the standard to make them have more impact. The situation you've pointed out is very interesting but there is no easy way to present such findings to the top management.
The requirement that you can reference to when prese nt these findings is from clause 5.3 where the top management should assign responsibility and authority for ensuring that the processes are delivering their intended outputs. This means that the process owner should have authority to make decisions within the process and he is responsible for the effectiveness of the process.
For more information, see: How to comply with new leadership requirements in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-comply-with-new-leadership-requirements-in-iso-90012015/ -
Internal audit according to ISO 9001:2015
What are the changes the auditor would expect in terms of Internal Audit as per ISO 9001: 2015. Do we need to perform 1 cycle of auditing for all processes i.e. core, support, control processes etc?
Also would like to know should the top management be audited as well for the shall requirements?
Answer:
Requirements regarding the internal audit process haven't changed significantly compared to the previous version. The only change is that you no longer need documented procedure for internal audit and the requirements to be audited are different. Before having the certification audit, it is recommendable to conduct full cycle of internal audit but this was also the case with the previous version of the standard.
Internal audit should cover entire scope of the QMS, and this includes auditing requirements related to the top management.
For more information, see: Five Main Steps in ISO 9001 Internal Audit https://advisera.com/9001academy/knowledgebase/five-main-steps-in-iso-9001-internal-audit/ -
Standard review and recertification cycle
Answer: The review of an ISO standard generally starts 5 years after its release, and this process takes up to 3 years to release a new version. Of course if an industry or community presents a justifiable request this time between reviews may change, but the duration of the review process remains within the 3 years time frame.
2 - Can you advise me how re-certification is achieved?
Answer: For the certification body, the re-certification process is the same as the certification one, the certification auditor will go through all the certification scope during the audit, to verify if all requirements of the standard, as well as the requirements defined by the organization, are in place and working as expected.
For the organization, when the recertification involves the release of a new version of the standard, the re-certification process starts with a gap analysis between the old and the new versions of the standard, so you can identify what has changed and which actions should be done to comply with the new requirements.
After the new requirements are implemented, you have to ensure they are properly operated, controlled and that they achieve the expected results, through internal audit and management review, so you can have the necessary evidences that the new requirements are all properly implemented, and that identified problems are handled through corrective actions.
These articles will provide you further explanation about certification process:
- Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/
- Becoming ISO 27001 certified – How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/ -
Checklist for EU GDPR
1) Is there any draft questionnaire or checklist for the compliance of EU GDPR? Like any set of questions which any company(may be from different industries) answers to show its compliance with GDPR. If there exists and you know, kindly forward me such link.
Answer: Unfortunately EU GDPR is not our main area of expertise (we work with ISO standards). Considering specific clause of EU GDPR I suggest you to consult GDPR site (https://www.eugdpr.org/more-resources-1.html). In this page you will find links to legal evaluations and other compliance information considered relevant to GDPR.
2) DLP in itself says that there should be no data leakage from the organisation so one has to monitor what data is at rest/transit/motion. But if you monitor all the data of the employee then it invades its privacy which is against the personal liberty. I am trying to figure out what is the threshold where data can be monitored and beyond which monitoring invades privacy. Is there a draft set of rules or laws which specifically implement DLP keeping in mind the personal liberty of the employee. Along with this, the DLP monitoring should be compliant with EU GDPR as well.
Answer: Privacy laws can be very different from country to country, so it is very difficult to try to identify common thresholds. In terms of ISO 27001 good practices would be:
- Establish enterprise-wide network and systems usage policies, so there are clear rules about what can be sent or received through organization resources
- Ensure every employee is aware of monitoring practices by means of newsletters and other forms of organizational communication. This measure also can help prevent undesirable data losses.
For our template Acceptable Use Policy you can take a look at this link https://advisera.com/27001academy/documentation/it-security-policy/
You just need to scroll down a little to find the free demo tab. -
Document classification
Answer:
Based on the details, I assume you are implementing Information Security process and related controls.
I would suggest that you make agreement on company level what document confidentiality levels you will use. In such way you will avoid having (e.g. for same kind of document) different confidentiality levels. -
Training on non conformities
(Hi, good afternoon, the 4 books I buy are very helpful. But I lack more training in raising NO CONFORMITIES. How can you help me on that?)
Answer: To raise a non conformity you need to identify three conditions:
1 - the situation itself that demonstrates the non conformity
2 - the requirement being followed (e.g., procedure, policy, or standard clauses)
3 - an evidence (e.g., lack of record)
These are the main guidelines for auditors.
This articles will provide you further explanation about non conformities and corrective actions, and audit:
- Practical use of corrective actions for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2013/12/09/practical-use-of-corrective-actions-for-iso-27001-and-iso-22301/
-ISO 27001 Internal Auditor training – Is it good for my career? https://advisera.com/27001academy/blog/2016/03/29/iso-27001-internal-auditor-training-is-it-good-fo r-my-career/
To learn about audit techniques I suggest you to take a look at our ISO 27001:2013 INTERNAL AUDITOR COURSE https://advisera.com/training/iso-27001-internal-auditor-course/ -
Personal certification maintenance
Answer: Yes, you can use the hours of attended Advisera online courses to claim PDUs for your PMP certification. You only have to ensure you keep an evidence of attending the course, to present in case PMI request it, as part of its random audit process. This evidence may be the confirmation of your enrol to the course or the course certificate (I suggest you to verify on PMI PDU program which one is better). -
Understanding clause 9.3.2
I need your expertise in understanding clause 9.3.2c (3) and 9.3.2c (5) of the ISO 9001:2015 standards.
Appreciate if you could provide examples to satisfy this requirements.
Thank you in advance.
Answer:
The clause 9.3.2c) (3) requires organization to gather information on trends in the process performance and conformance of products and services which means that the organization needs to determine the key process indicators and measure them to gather information on the process performance and as an input for product conformance the company can use registry of nonconformities to see how many products o services where nonconforming to the requirements. For more information, see: How to define Key Performance Indicators for a QMS based on ISO 9001 https://advisera.com/9001academy/24/define-key-performance-indicators-qms-based-iso-9001/-iso-9001/
The clause 9.3.2c) (5) requires organization to gather information on trends in monitoring and measuring results. The organization needs to define what needs t o be monitored and measured and how frequently, for example, the organization can measure customer satisfaction twice a year and present the top management with information whether the customer satisfaction increased or not. For more information, see: Analysis of measuring and monitoring requirements in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/analysis-of-measuring-and-monitoring-requirements-in-iso-90012015/ -
Becoming an ISO 22301 Lead Auditor
Answer: If you are aiming for an accredited certificate (which is internationally recognized and part of the process to become an auditor for a certification body), to my knowledge there are no ISO 22301 Lead Auditor courses offered online at the moment in the market.
These material will provide you further explanation about Becoming an ISO Lead Auditor:
- What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
- ISO 27001 Lead Auditor Course preparation training [free webinar on demand] https://advisera.com/training/iso-27001-lead-auditor-course/
These materials are focused on ISO 27001, but the logic is the same for ISO 22301.