Search results

Home / Search

Category:

Sort by:

Select

Types of user:

Select

11275 results

Guest

Create New Topic As guest or Sign in

Business department* About business* Organization size*

Title *

Body *

HTML tags are not allowed

Category *

Select

Assign topic to the user

Select user

Competitor as an interested party

Answer:

Competitor can't be considered as an interested party because his interests are colliding with the interests of the organization. For example, Competitors are interested in gaining bigger part of the market so they would like the organization to provide low quality products by higher price and this is definitely not the kind of need and expectation you want to meet.

For more information about identification of interested parties, see: How to determine interested parties and their requirements according to ISO 9001:2015 https://advisera.com/9001academy/blog/2015/11/10/how-to-determine-interested-parties-and-their-requirements-according-to-iso-90012015/
ISMS challenges

Answer: In terms of challenges, you can mention production losses due to information security related incidents, fees and legal actions for non compliance with legal requirements, internal confusion regarding who must do what and when, and the difficulties on maintenance of a good public image. An ISMS can help handle all these items. For example, by implementing proper security controls you can minimize the occurrence and/or impact of incidents, and by establishing policies and procedures you can define clear responsibilities and actions to be performed in relevant situations.

For detailed examples I suggest you these materials:
- Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
- Free webinar - ISO 27001 benefits: How to obtain management support https://advisera.com/27001academy/webinar/iso-27001-benefits-how-to-get-management-buy-in-free-webinar-on-demand/
- Why ISO 27001 – Awareness presentation https://info.advisera.com/27001academy/free-download/why-iso-27001-awareness-presentation
- How a change in thinking can stop 59% of security incidents https://advisera.com/27001academy/blog/2015/02/16/change-thinking-can-stop-59-security-incidents/
- What is cybersecurity and how can ISO 27001 help? https://advisera.com/27001academy/blog/2011/10/25/what-is-cybersecurity-and-how-can-iso-27001-help/
- Aligning information security with the strategic direction of a company according to ISO 27001 https://advisera.com/27001academy/blog/2017/02/20/strategic-direction-of-a-company-according-to-iso-27001/
Compliance with EU GDPR
Or if you can help me with sample DLP framework defining exactly what it should contain or relevant references/links?

Answer: Unfortunately we do not have such specific material, but for determination of rights of employees I suggest you to take a look at these material:

ISO 27018 guidelines: This standard aims to protect Personally Identifiable Information from customers that makes use of cloud services, considering the point of view from both customers providers. You can check the orientations for customers to have an idea on what consider for your employees. For detailed information see: ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/

CISPE Code of conduct: Cloud Infrastructure Service Providers in Europe (CISPE) is a coalition of technology companies focused on provisioning of cloud computing infrastructure services, and this code is an effort to help customers and providers comply with EU GDPR. You can find more information here: Data Privacy Protection, ISO 27001 and CISPE Code of Conduct https://advisera.com/27001academy/blog/2016/10/31/data-privacy-protection-iso-27001-and-cispe-code-of-conduct/

For additional information about ISO 27001 and EU GDPR I suggest you these materials:
- What is the EU GDPR and why is it applicable to the whole world? https://advisera.com/27001academy/blog/2016/10/03/what-is-eu-gdpr-and-why-is-it-applicable-to-the-whole-world/
- Does ISO 27001 implementation satisfy EU GDPR requirements? https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/
- What is EU GDPR and how can ISO 27001 help? https://info.advisera.com/27001academy/free-download/what-is-eu-gdpr-and-how-can-iso-27001-help
Análisis DOFA
Mi duda es: Un factor interno como es una fortaleza (coge el ejemplo que quieras: documentos, informática, personal, error en objetivos, error en fabricación, en ventas en ofertas, en compras, en fabricación, en post venta, en almacenes etc…) se me convierta en una debilidad y se deba analizar ese riesgo
Entonces, ¿Qué profundidad alcanzáis cuando hacéis el análisis de riesgo?:
Todo (las amenazas + las fortalezas que se me pueden volver debilidades)
Sólo lo más evidente,
En aquellas situaciones y/o aspectos en que “suenan campanas” (por ejemplo “estamos en una burbuja inmobiliaria” y a más de uno le exploto por no tener el análisis realizado y las acciones,..).
Es evidente que si cogemos todo podemos estar escribiendo un año (eso sí, luego siempre son repeticiones y un porcentaje “vale para siempr e” y vale para todo tipo de empresas)

Mi respuesta:

La norma ISO 9001:2015 no requiere de un formato específico para la identificación de riesgos, así que puedes hacer este análisis de identificación de riesgos y oportunidades como quieras y llegar tan lejos como creas que sea necesario. Sin embargo es siempre recomendable encontrar la manera más simple y fácil de llevarlo a cabo en tu organización.

En cuanto a las oportunidades y amenazas (normalmente referidos a factores externos), un análisis PEST puede ser de ayuda para asegurar no pasar por alto factores externos como requerimientos legales o cambios tecnológicos.

Algunos consejos a la hora de utilizar un análisis DOFA son:
.- Aceptar sólo información precisa y verificabl.
- Intentar reducir largas listas de factores y priorizarlas, de este modo inviertes más tiempo en pensar en los que son realmente significativos.
- Aplicar al nivel correcto, por ejemplo, aplicar la herramienta al nivel de producto o de línea de producción en vez de a un nivel más amplio y vago de la empresa.
- Asegurar que las opciones que se han generado son llevadas a cabo en fases posteriores dentro del proceso estratégico.

Para más información puedes ver: https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/#
Defining scope of QMS
You can cover with the scope only one product, but you just need to write that in your document about the scope of QMS
Quality manual in IATF 16949

Answer:

When it comes to IATF 16949 requirements regarding the manual, it requires at minimum:
a) the scope of the QMS including justification for any exclusion
b) documented processes established for the QMS or reference to them;
c) the organization's processes and their sequence and interactions (inputs and output, including type and extent of control of any outsourced processes;
d) a document (i.e. matrix) indicating where within the organization's QMS the customer specified requirements are addressed.

Previous version of the standard, ISO/TS 16949:2009 required the same as bullets a), b) and c), so if your manual meets all requirements of the new version, you do not have to make changes to it except aligning clauses of the standard. In other case, you need to make an update of your manual to meet all above mentioned requirements.
Clause 1 Scope vs clause 4.3 Scope of QMS

Answer:

Clause 1 Scope of ISO 9001:2015 explains to what kind of companies the standard applies in terms of size, type of business, type of product or service, etc. On the other hand, the clause 4.3 defines requirements for organization to define scope of its QMS (Quality Management System).

Clause 1 does not have any requirements for the QMS, it just explains to what kind of organizations the standard can apply and clause 4.3 contains actual requirements of the standard and these requirements will be audited during the certification audit. For more information, see: How to define the scope of the QMS according to ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
Certifying non-IT organization

Answer: Yes, you can certify a company if you justify the exclusion of certain controls - this is done through a process of risk assessment, see this article for explanation: The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

By the way, the fact that your company is not an IT organization does not mean you will exclude all of IT controls - most of the companies today need to include controls like backup, antivirus, access control, etc. This article will help you with the controls: Overview of ISO 27001:2013 Annex A https://advisera.com/27001academy/iso-27001-controls/

These materials will also help you learn the basics of ISO 27001 and how to implement i t:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your
Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course
https://advisera.com/training/iso-27001-foundations-course/
ISO courses for individuals

Answer: Regarding ISO 27001, the courses you should consider are:
- ISO 27001 internal auditor: this course is made for beginners in information security and internal auditing, requiring no prior knowledge.
- ISO 27001 Lead Auditor: this course will clarify you about management system purpose and structure and how to plan and conduct an audit, alone or leading an audit team. This is the only course for which someone receive an international recognized certification, if the course is done with an accredited provider.
- ISO 27001 Lead Implementer: this course will clarify you about the process how to implement an ISMS according ISO 27001 requirements.

This articles will provide you further explanation about ISO courses for individuals:
- ISO 27001 Internal Auditor training – Is it good for my career? https://advisera.com/27001academy/blog/2016/03/29/iso-27001-internal-auditor-training-is-it-good-for-my-career/
- What does ISO 27001 Lead Auditor training look like? ht tps://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
- What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
- How to learn about ISO 27001 and BS 25999-2 https://advisera.com/27001academy/blog/2010/11/30/how-to-learn-about-iso-27001-and-bs-25999-2/

These materials will also help you regarding ISO courses for individuals:
- ISO 27001 Lead Auditor Course preparation training [free webinar on demand] https://advisera.com/training/iso-27001-lead-auditor-course/
- ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
Implementing ISO 9001 in a library
ok

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +

Search results

11275 results

Create New Topic As guest or Sign in

Assign topic to the user

Want to vote?

Competitor as an interested party

ISMS challenges

Compliance with EU GDPR

Análisis DOFA

Defining scope of QMS

Quality manual in IATF 16949

Clause 1 Scope vs clause 4.3 Scope of QMS

Certifying non-IT organization

ISO courses for individuals

Implementing ISO 9001 in a library

Didn’t find an answer?