
  • ISO 27001 and EU GDPR

    Can you please help me to outline this process.

    Answer: For information about ISO 27001 and EU GDPR I suggest these materials:
    - Does ISO 27001 implementation satisfy EU GDPR requirements? https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/
    - What is EU GDPR and how can ISO 27001 help? https://info.advisera.com/27001academy/free-download/what-is-eu-gdpr-and-how-can-iso-27001-help
    - ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/
  • ISO 27002 compatibility


    Answer: In fact the question is the other way around: is IBM QRadar SIEM (a technical implementation) compatible with ISO 27002 (a guidance of best practices)?

    According to manufacturer information (https://www.ibm.com/us-en/marketplace/ibm-qradar-siem) IBM QRadar SIEM:

    - Provides real-time visibility into the entire IT infrastructure for threat detection and prioritization
    - Reduces and prioritizes alerts to focus security analyst investigations on an actionable list of suspected, high probability incidents
    - Enables more effective threat management while producing detailed data access and user activity reports
    - Produces detailed data access and user activity reports to help manage compliance
    - Offers multi-tenancy and a master console to help managed service providers provide security intelligence solutions in a cost-effective manner

    These features do help comply with controls of ISO 27002 like 12.4 Logging and monitoring, 12.6 Technical vulnerability management, 16.1 Management of information security incidents and improvements, but for a precise answer, information about the specific parameters of this tool and the ISO 27002 controls applied should be analysed.
    - Logging and monitoring according to ISO 27001 A.12.4 https://advisera.com/27001academy/logging-according-to-iso-27001/
    - How to manage technical vulnerabilities according to ISO 27001 control A.12.6.1 https://advisera.com/27001academy/blog/2015/10/12/how-to-manage-technical-vulnerabilities-according-to-iso-27001-control-a-12-6-1/
    - How to handle incidents according to ISO 27001 A.16 https://advisera.com/27001academy/blog/2015/10/26/how-to-handle-incidents-according-to-iso-27001-a-16/
  • Structuring work instructions


    Answer:

    The standard does not prescribe how the work instruction should be structured, nor does it prohibit using a different structure for different work instructions or even procedures. Instead of focusing on the form, the standard allows organizations to use any style or format that they find the most appropriate and effective.

    For more information, see: 7 steps in writing QMS policies and procedures for ISO 9001 https://advisera.com/9001academy/blog/2015/03/10/7-steps-in-writing-qms-policies-and-procedures-for-iso-9001/
  • Risks with IATF 16949 implementation


    Answer:

    An IATF 16949 implementation project suffers from the same risks as any other project: it can stretch for too long, it can go over budget and so on. Such risks can be mitigated by being identified at the beginning of the project and by taking appropriate actions.

    As far as risk assessment requirements go, there are no significant changes between the old and new version of the standard. FMEA is still a must and, as far as risks and opportunities are concerned, there is no extension of the requirements that ISO 9001:2015 has. For more information, see: How to address risks and opportunities in ISO 9001 https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
  • Evaluation of outsource partners


    Answer:

    The company needs to evaluate all its external providers of processes, products and services, and it can be done in different ways. Due to the different nature of relationships with customers and suppliers, the company will have to use different methods. A survey wouldn't be an appropriate methodology; rather, the company should define criteria that are important for it and evaluate the suppliers against those criteria. Criteria can be quality of products and services, price, packaging, etc.

    For more information, see: Purchasing in QMS – The Process & the Information Needed to Make it Work https://advisera.com/9001academy/blog/2014/03/18/purchasing-qms-process-information-needed-make-work/
  • No training records


    Answer:

    In theory, the organization doesn't have to have any training records. For example, if it has only low-skilled workers that do not need any training, then the company can have a certificate without any training record. The standard requires the organization to retain appropriate documented information as evidence of competence. This means that the company needs to have at least some evidence of employees' competence such as college degrees, high school diplomas, licences, etc., but they do not have to have training records if they determined that no training is needed. There is no requirement for employees to attend training on the policy or the standard itself, but if they attended any training, there should be a record about it.

    For more information, see: How to ensure competence and awareness in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-ensure-competence-and-awareness-in-iso-90012015/
  • Risk acceptance criteria

    Please let me know if this is sufficient for the ISO 27001 audit.

    Answer: Yes. If your risk evaluation, considering your acceptance criteria, has defined that only 5 risks are considered unacceptable, you can have treatment plans only for these 5 risks.

    These articles will provide you further explanation about risk acceptance criteria:
    - How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
    - Why is residual risk so important? https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/

    In the video tutorials that came with your toolkit, you have access to a video about Risk Assessment Methodology that can provide you more information about risk acceptance criteria.
  • New ISO 27001, ISO 27002, ISO 27003


    Answer: BS ISO/IEC 27002:2017 is not a new standard; this is only a "corrigendum", meaning that the existing version of the standard (from 2013) got corrected with some minor details. See the BSI webpage here: https://www.screencast.com/t/neKnflQucNt.

    Regarding ISO 27003, we have already included the recommendations that are applicable to smaller companies into our documentation toolkits.

    Of course, when new revisions of ISO 27001 and ISO 27002 are published (probably not before 2019), we will update the toolkit as well.

    2) I noted a reference to 27001/22301 training in your updates, but I am not clear if your company has any online training for the latter? (By the way, I thought that the ISO27001 IA course was very worthwhile, but cannot really justify the exam in addition to my pre-existing LA and LI certifications.)

    Answer: Unfortunately, we do not have online courses for ISO 22301, but we have a couple of free webinars - see their list here: https://advisera.com/27001academy/webinars/
  • Marketing and Sales in QMS

    We are a small company and trying to get the ISO 9001:2015 certification. One of the processes is Marketing&Sales. What records related to Marketing&Sales will be audited for ISO 9001:2015 certification? There is one person for marketing and one for sales but only one process. Can 2 persons have joint ownership of the process (Marketing&Sales)?

    Answer:

    ISO 9001 does not have any explicit requirements regarding marketing, but customer satisfaction monitoring (clause 9.1.2) can be considered as a requirement related to marketing. Requirements that can be audited in the Sales and Marketing department are from clause 8.2.

    It is very uncommon to have two persons as process owners, especially if there are only two persons in the process. It is better to define marketing and sales as separate processes, and each person can be the owner of their process. They can still be part of the same department.