
  • Meeting requirements of clause 8.5.1 f) - validation

    If “motor winding & wielding” are not incorporated in your product, clause 8.5.1 f) is not applicable.

    If “motor winding & wielding” services are considered relevant perhaps your organization should include requirements for your suppliers of those products.

  • Control of external providers


    8.4.2 The type and extent of the controls to be applied to the external provision and processes, products and services have been determined

    What documentation would LRQA Assessor require?

    Answer:

    As you can see, the standard does not have explicit requirements for documentation regarding controls of external providers. The amount of documentation in this regard will depend on the type and extent of the controls you enforce on your external providers, but in most cases the auditor will require to see the contract, work instruction or similar during the audit.

    For more information, see: How to control outsourced processes using ISO 9001 https://advisera.com/9001academy/blog/2015/05/05/how-to-control-outsourced-processes-using-iso-9001/
  • The new context of the organization

    I received this question: I am in the process of getting certified to ISO 9001:2015 and I have doubts about point 4 of the standard, which deals with the context of the organization.

    Answer: Clause 4 is a new requirement of ISO 9001:2015 for the organization, under which it is necessary to consider not only internal issues but also external issues that can have an impact on the strategic objectives and the planning of the Quality Management System. This means you will need to define some elements of the organization and how they are reflected in the QMS, for example the size of the organization, markets, consumers, etc. For more information, see: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/como-identificar-el-contexto-de-la-organizacion-en-iso-90012015/
  • Benefits from ISO 27018


    To give you some context, my organisation is a SaaS, providing Cloud Products and Services to our customers (who typically use our software).
    As an organisation, we utilise Cloud IaaS from some of the Big Vendors. So, we are a SaaS, not actually a Cloud Infrastructure Service provider.

    We already understand the benefits of ISO 27001, and are leaning towards establishing a program towards compliance. However, given our business profile, do you think it would be a good fit to extend our control environment to include ISO 27018?

    Answer: You can think of ISO 27018 the same way as ISO 27002, a set of detailed recommendations on how to implement controls described in ISO 27001 Annex A, the difference being that ISO 27018 focuses on recommendations to protect personally identifiable information (PII) in cloud environments. It can be used both by cloud service providers, which can use the standard's recommendations to improve their security controls, and cloud customers, that can use the standard to help them verify if potential or current providers have proper controls to protect their PII.

    Considering this, for your second question I can say yes, as a Cloud IaaS customer, your organization can benefit by extending your control environment to include recommendations from ISO 27018 with the purpose of having a better basis to evaluate security controls for PII implemented by your cloud providers.
    This article will provide you further explanation about ISO 27018:

    - ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/
  • Scope of second party audit


    Answer:

    This situation is very strange. The scope of the customer audit can only include the processes and products they are using and you can prohibit them from auditing other processes and facilities. Taking pictures of processes and documents is completely off limits, you cannot allow this. There cannot be an agreement that can grant them this especially if they are not using products produced in this way.

    They will probably try to threaten you with canceling the contract or something like that, but you should endure. This sounds like the behaviour of some big company, but it is sometimes better to lose a contract than to allow a third party to find out all the sensitive information about the company.

    For more information, see: First-, Second- & Third-Party Audits, what are the differences? https://advisera.com/9001academy/blog/2015/02/24/first-second-third-party-audits-differences/
  • Implementing clause 4.4


    Answer:

    Clause 4.4 of ISO 9001:2015 contains general requirements for the QMS (Quality Management System) and it cannot be fulfilled by a single document or process, but rather by establishing the entire system. You will need to identify all the processes, determine their interaction and sequence, inputs and outputs and so on. Basically, by defining each process, documenting procedures and performing the processes, you will meet the requirements of this clause.

    For more information, see: How do you prove to the certification auditor that QMS processes are carried out as planned? https://advisera.com/9001academy/blog/2016/12/13/how-do-you-prove-to-the-certification-auditor-that-qms-processes-are-carried-out-as-planned/
  • Implementation of the QMS

    The first step that needs to be done is the company's decision to follow ISO 9001 as the guide for the QMS. Thus, the organization will need to carry out the creation and documentation of its QMS according to ISO 9001. After some time, and having assessed internal audits and at least one management review, the implementation will be completed. Finally, a certification body will verify that the company meets the standard.
  • Controls elaboration


    For example, I want to write about human resources security: I want to write it in my own words and would not take the information that the standard itself already cites or defines.

    Answer: First, it must be understood that the standard provides information about what must be achieved and done, not about how. Thus, organizations have the freedom they need to give their controls the most appropriate form.

    That said, to give your controls an appropriate form you need to consider which needs must be met (the security requirements), for example contracts, laws and internal objectives. From that you can draft the controls so that they meet these requirements.

    Considering human resources, the standard requires that a control be established to handle non-compliance with controls. If your organization already has a disciplinary process in place, you would only need to reference it. If one does not yet exist, you are free to define which sanctions would apply and what the process would be, limited only by what the law permits.

    This article will give you more explanation about drafting documentation:
    - Seven steps for implementing policies and procedures https://advisera.com/27001academy/knowledgebase/seven-steps-for-implementing-policies-and-procedures//#
    - How to perform training and awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/pt-br/blog/2014/05/20/como-realizar-treinamento-e-conscientizacao-para-a-iso-27001-e-iso-22301/
    - 8 security practices to use in your employee training and awareness program https://advisera.com/27001academy/pt-br/blog/2015/03/04/8-praticas-de-seguranca-para-usar-em-seu-programa-de-treinamento-e-conscientizacao-para-empregados/

    These materials will also help you with drafting documentation:
    - ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Records maintenance


    Answer: Regarding software requirements and software design, ISO 27001 has no specific requirement related to what to keep as records. The standard leaves this decision to the organization itself, the only condition being that the defined records are sufficient to ensure the effectiveness of the information security management system. So, your organization does not need to keep records with hundreds of lines if this is not needed to ensure that information and security objectives are protected. As an example, you can take a look at the free demo of our Specification of Information System Requirements at this link: https://advisera.com/27001academy/documentation/specification-of-information-system-requirements/

    In this demo you will note that the record will be only as big as you need to specify system requirements.

    This article will provide you further explanation about documented information in ISO 27001:
    - List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    - Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/

    These materials will also help you regarding documented information in ISO 27001:
    - Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • BCP and DRP


    Answer: To get an overview of how to structure and test a BCP, I suggest you take a look at these materials:
    - Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/
    - How to perform business continuity exercising and testing according to ISO 22301 https://advisera.com/27001academy/blog/2015/02/02/how-to-perform-business-continuity-exercising-and-testing-according-to-iso-22301/

    Regarding the differences between BCP and DRP, your thinking is right: BCP is wider than a DRP. BCP aims to ensure the business continues to operate after a disruptive event, while the DRP aims to handle the impacts at the affected area and bring operations back to normal conditions.

    These articles will provide you further explanation about BCPs and DRPs:
    - Disaster recovery vs Business continuity https://advisera.com/27001academy/blog/2010/11/04/disaster-recovery-vs-business-continuity/
    - What to implement first: ISO 22301 or ISO 27001? https://advisera.com/27001academy/blog/2017/04/03/what-to-implement-first-iso-22301-or-iso-27001/

    These materials will also help you regarding BCPs and DRPs:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
    - Implementing Business Impact Analysis according to ISO 22301 [free webinar] https://advisera.com/27001academy/webinar/implementing-business-impact-analysis-according-to-iso-22301-free-webinar/