You can use the same logic, but backwards, that is, instead of you being a customer demanding security conditions from a supplier, your clauses would be about the security conditions you, as a provider, are offering to a customer.
For example, in a clause about backup, as a client demanding from the provider you would include a clause like "the provider should ensure backup copies are made of all classified information and handled according to their respective classification". As a provider offering this service to a client you would have a clause something like "as service provider, we will provide to the customer backup copies of all information stated by the customer as sensitive information, handling them according to their respective classification".
To better prepare SLAs for customers, you could check ISO 27001 clause 4.2 (Understanding the needs and expectations of interested parties) and control A.18.1.1 (Identification of applicable legislation and contractual requirements), so you can have a better understanding of the rationale a potential customer can use to identify his security needs.
Answer: The quantity of controls that would become not directly applicable would depend on the results of your risk assessment, so there is no way I can give you a precise number of controls, but most of the controls in sections A.10 to A.13 would not be directly applicable. I used the expression "directly applicable" because in a situation like this, when an organization adopts a SaaS provider, what happens is a risk transfer (your organization transfers the risks related to the operation and maintenance of an IT infrastructure to a third party).
In this case, the organization has to establish clear security clauses in the service agreement, including the monitoring of provider services, or it may find itself with an environment that is riskier than one run by the organization itself.
For this situation, ISO 27001 has Annex A.15 (supplier relationships), which covers controls regarding what clauses to include in agreements and how to monitor suppliers. Basically, the security clauses would define that the provider should ensure at least the same security levels the organization would deem necessary if it was running the environment itself.
So, in the end, what happens is that you change your direct application of many IT-related controls to the application of a few administrative ones, related to contracts and monitoring.
This article will provide you further explanation about security in cloud computing:
1. The first column of the Risk Assessment Table and Risk Treatment Table ("Number"): should I refer to the applicable unique Asset ID Number that I placed in the first column of the Asset Inventory Table, or do I have to place completely new numbers (i.e. Risk Identification Numbers)?
Answer: No, you do not need to refer to the ID number from the inventory list, only use the asset name and asset owner information. You will have to place new numbers, one for each risk associated with the assets in the Risk Assessment Table.
2. The Risk Assessment (likelihood / consequence): do I have to score it from a residual risk perspective (i.e. keeping in mind the effect of all existing control measures that are already in place)?
Answer: Yes, you have to assess the risk considering the effects of all the already implemented controls, and you should identify these implemented controls in the observation column.
In the video tutorials that come with your toolkit you can access videos that can guide and help you fill in the risk assessment table and risk treatment table.
Scope of stage 1 certification audit
Can they ask you many questions?
Answer:
The purpose of the Stage 1 audit is to review the QMS documentation and determine whether it is compliant with the requirements of the standard. There is no requirement to have quality objectives for every procedure. All process procedures are part of operational controls; different processes need to meet requirements of different clauses, for example, the production process needs to meet the requirements of clause 8.5, the purchasing process needs to meet the requirements of clause 8.4, etc. I noticed that you are mixing processes and procedures, and these are not the same thing; here is an article that might be interesting to you: ISO 9001:2015 process vs. procedure – Some practical examples https://advisera.com/9001academy/blog/2016/01/19/iso-90012015-process-vs-procedure-some-practical-examples/
The organization needs to determine what should be monitored and measured, as well as the methods and frequency of monitoring and measuring activities. The standard does not explicitly require that every process has monitoring and measuring, but it can be beneficial in order to monitor the performance of the processes. For more information, see: Analysis of measuring and monitoring requirements in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/analysis-of-measuring-and-monitoring-requirements-in-iso-90012015/
Incoming inspection results and clause 9.1.1.1 of IATF 16949
The standard requires records of actual values and/or test results of variable data, so you need to add these values to the pass/fail format.
Continual vs continuous improvement
Continuous improvement asks the organisation to continuously improve its processes already in place, while continual improvement asks the company to look outside its boundaries at the external competition and continuously benchmark itself to not only improve but also innovate its processes. Breakthrough improvement here forms a part of continual improvement.
Continuous improvement does ask the organisation to sustain its developments, whereas continual improvement asks it to develop, implement and sustain, and again repeat the cycle.
Am I right in my understanding? Could you kindly point out more differences?
Thank you for your time and support.
Answer:
"Continuous improvement" and "continual improvement" are often used interchangeably and shouldn't be used in that manner. Continuous indicates duration without interruption. Continual indicates duration that continues over a long period of time, but with intervals of interruption.
Continuous improvement means that organizations are in a constant state of driving process improvements. This involves a focus on linear and incremental improvement within existing processes. Continual improvement means that organizations go through process improvements in stages, and these stages are separated by a period of time. This period of time might be necessary to understand if the improvements did actually help the bottom line. In some cases, the results might take a while to come to realization.
Continual and continuous improvement have nothing to do with how the organization achieves the improvements but rather with whether the improvement is linear or not.
Complying with clause 8.4 of ISO 9001:2015 in trade company
Since we are a trading company (buy and sell), we have "control" over our suppliers of the goods; however, the forwarder company we use is normally good in service.
We did not have any control for the forwarder. We would like to know whether it would be OK to be audited against the new ISO 9001:2015.
In addition, we will use a caliper to measure the length of the product. The caliper will be calibrated by an external accredited laboratory. Since they are accredited, we did not have any control measure for the laboratory. Would it be OK to be audited against the new ISO 9001:2015?
Answer:
The standard requires the organization to establish control over externally provided processes, products and services, but it doesn't specify what kind of controls. So, the organization can decide on the level of controls necessary; in your case it can be only counting the amount of goods received or measuring the length of the product. As far as the laboratory is concerned, if they are accredited, no further control is necessary; you only need to have evidence that they are accredited.
I want to know, if there is no production of medical machines after successful ISO 13485 and ISO 9001:2008 certification, what the consequences will be in future surveillance audits. As ISO 9001:2015 is an update from 2008, is it necessary to implement ISO 9001:2015 in the surveillance audit?
If you want to maintain your ISO 9001 certificate, you will need to make the transition to the new version of the standard by September 2018. This can be done during surveillance audits or re-certification audits. In my opinion, it is better to conduct it during the re-certification audit, since the cost of the surveillance audit is smaller than the re-certification, and getting certified against the new version of ISO 9001 is practically a certification audit and will be charged appropriately. The same rule applies to ISO 13485 as well.
Since ISO 13485:2016 is developed according to ISO 9001:2008, you won't have too many problems making the transition, because all elements of ISO 9001:2008 will remain in the new version. When making the transition to ISO 9001:2015 you will basically only need to add the new requirements (context of the organization, risks and opportunities, etc.) and leave all the old elements (quality manual, preventive actions, etc.) because they are still required by ISO 13485:2016.
Answer: The activities in a surveillance audit are practically the same as for a certification audit (opening meeting, documentation review, operations review, etc.), the difference being that the surveillance audit scope is smaller and it is more focused on daily management system operations, instead of verifying whether all mandatory requirements are implemented.
2 - What requirements are evaluated during this audit?
Answer: The requirements to be reviewed will depend on the surveillance plan that is established after the certification audit by the certification body. But there are elements that are always present, like management review, SoA review, audit process review, and nonconformity and corrective actions review.
Answer: Only ISO 27001 is not enough. The EU GDPR's focus is on the protection of personal information, and ISO 27001's focus is to protect information in general. From the ISO 27000 family, ISO/IEC 27018 should also be consulted (Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors).