Search results


  • EU GDPR

    Answer: An interesting question. In Article 4, Definitions, at no point does the regulation mention the type of media that contains the information. The definitions cover what is done with the information. So, in a broader sense, EU GDPR is applicable to physical data. You may note that when data is not in transit it is stored in some physical place, e.g., a server or a backup medium, that must be protected properly.

    2 - What does EU GDPR say about channels like cloud, mobile?

    Answer: EU GDPR does not make reference to specific technologies (when they are referred to, the term used is only technology or technologies). Thus, for EU GDPR, it does not matter where information travels or by what means it is processed. If you deal with personal information from EU citizens, the EU GDPR applies.

    These articles will provide you further explanation about EU GDPR:
    - What is the EU GDPR and why is it applicable to the whole world? https://advisera.com/articles/what-is-the-eu-gdpr-and-why-is-it-applicable-to-the-whole-world/
    - Does ISO 27001 implementation satisfy EU GDPR requirements? https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/
  • Management Representative in ISO 27001:2013

    There is no universal rule about which role should be in a higher position (e.g., both can answer to top management, the CISO may answer to the MR, both can answer to other different roles in the organization, etc.), so you have to evaluate your organizational context to define which case is most appropriate for your organization.

    Regarding the elaboration of policies and procedures, both roles are required to have competency in elaborating policies and procedures, with the CISO specialized in information security requirements and the MR specialized in management system requirements (in an ISMS with no MR, the CISO has to cover both information security and management system requirements).

    As for documentation approval, generally policies and procedures which have an overall impact on the organization are approved by top management (e.g., quality policy, information security policy, procedure for control of documents and records, etc.), specific information security related policies and procedures are approved by the CISO, and other policies and procedures are approved by the MR.

    These articles will provide you further explanation about the CISO and document management:
    - What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
    - Chief Information Security Officer (CISO) – where does he belong in an org chart? https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/
    - Seven steps for implementing policies and procedures https://advisera.com/27001academy/knowledgebase/seven-steps-for-implementing-policies-and-procedures//

    This material will also help you regarding document management:
    - Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
  • Document control


    Answer:

    The standard requires the documents to be available at the place of application, so the approved versions of procedures, work instructions and records must be available where they are needed. The original or approved version of a document can be kept in the library, but the copies must be distributed to the place of application.

    This requirement raises many other issues, such as availability of the right version of the documents, and withdrawal, update and distribution of the documents and records. For that reason, the standard defines all these activities, and for every document there should be information about the valid version as well as a distribution list, so that when the document is updated the company knows where the documents are that need to be withdrawn and replaced with new ones.

    For more information about document control, see:
    - Some Tips to make Document Control more useful for your QMS https://advisera.com/9001academy/blog/2014/05/20/tips-make-document-control-useful-qms/
  • ITIL for Network Management Station


    Answer:
    The ITIL Service Operation lifecycle stage contains a function which corresponds to your question - the IT Operations Management function, which consists of two parts: Facilities Management and Operations Control.
    Operations Control is what we consider the daily job of maintaining IT services, and its task is the execution and monitoring of operational activities and events.
    Read the article "IT Operations Management Function in ITIL" https://advisera.com/20000academy/knowledgebase/operations-management-function-itil/, and
    "Is the NOC (Network Operations Center) still viable according to ITIL?" https://advisera.com/20000academy/blog/2015/04/21/is-the-noc-network-operations-center-still-viable-according-to-itil/ to learn more.
  • ISO 27001 Internal auditor course vs Lead auditor course


    Answer: Certainly, if you finish the Internal auditor course, it will be easier for you to finish the Lead auditor course, because the Internal auditor course is a "mini" version of the Lead auditor course. Other than this I don't think you need any other preparation.

    These materials might also help you:
    - free online training ISO 27001 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
    - webinar ISO 27001 Lead Auditor Course preparation training https://advisera.com/training/iso-27001-lead-auditor-course/
    - article What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
  • Evidencing organizational knowledge


    Answer:

    The standard requires organizations to determine the knowledge necessary for operating processes and achieving conformity of products and services. This includes necessary work instructions and other documents needed for operating processes, but also the competence level of employees. Another requirement is to make the knowledge available where necessary, and this can be addressed by providing those work instructions at the place of application.

    Since the requirements regarding this clause are very vague, the auditor cannot require a documented procedure or anything of that sort; the company itself can decide how the knowledge will be defined, maintained and updated. The best the auditor can do is interview the Quality Manager and talk about the clause and how it is met.

    For more information about organizational knowledge, see: How to manage knowledge of the organization according to ISO 9001 https://advisera.com/9001academy/blog/2016/08/30/how-to-manage-knowledge-of-the-organization-according-to-the-iso9001/
  • FMEA and addressing opportunities in ISO 9001


    Answer:

    FMEA (Failure Mode and Effects Analysis) has limited applicability when it comes to addressing risks and opportunities within the QMS. Although it is highly applicable for risk assessment within production and the design and development process, it fails to cover the entire scope of the risks related to the QMS, since it doesn't perform well with the risks emerging from the external context of the organization.

    As far as opportunities are concerned, FMEA doesn't cover them at all. The best way to identify opportunities is to arrange a brainstorming session with the most relevant people in the company and discuss the opportunities in terms of improving processes, enhancing customer satisfaction and achieving QMS or company objectives. Another question is how you will take actions to address the opportunities; it can be done through corrective actions or any other action or project. What is important is to plan the actions and evaluate their effectiveness later.

    For more information about risks and opportunities, see:
    - How to address risks and opportunities in ISO 9001 https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
  • How are Risk assessment table and Risk treatment table different?


    Answer: The Risk assessment table and the Risk treatment table should be used separately, because in the Risk assessment table you should list all the risks, whereas in the Risk treatment table you should copy only those risks that are not acceptable. The point is, in the Risk treatment table you will add controls only for the unacceptable risks, and this is why you shouldn't mix this table with the Risk assessment table.

    When doing the risk assessment and treatment, you should develop the Risk assessment & treatment methodology first, because it will define all the rules for performing this task; it is also very important that you view the video tutorials that came with your toolkit - they will explain all the details on how to fill out the documents and provide you with a couple of real-life examples.

    These materials will also help you regarding risk assessment and treatment:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - Conformio (online ISO 27001 tool) https://advisera.com/conformio/
  • HACCP and hierarchy of documents


    Answer:

    The documentation hierarchy is the same for any kind of management system, including HACCP. A good tip on how to determine a document's level on the pyramid is to see who writes it and who uses it. Documentation created and used by top management is at the top, and records used by workers are at the bottom.

    The policy is at the top of the pyramid because it defines the strategy, mission and vision and general direction of the organization, and it is written by top management.

    The second level is the manual; it defines the system and represents a foundation for it. It sometimes includes procedures, but usually references them. It is usually written by the management representative.

    The third level consists of procedures, work instructions and SOPs. They define how activities and processes are carried out and by whom. They are usually written by middle management.

    At the bottom of the pyramid are records and reports that are used to demonstrate that the process was carried out as planned; they are used by workers.

    For more information about documentation structure, see: How to structure quality management system documentation https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/
  • Excluding engineering process from ISO 9001 scope


    Answer:

    Organizations are allowed to exclude any clause from ISO 9001:2015 if such clause is not applicable for the organization. In your case, you can exclude clause 8.3 Design and development and you should consider excluding clause 8.5.3 Property belonging to customers or external providers.

    For every clause you exclude from your Quality Management System, you must provide a justification; in your example, it can be a simple statement that you exclude clause 8.3 because you do not perform design and development as a process in your company.

    For more information about exclusions in ISO 9001:2015, see: What clauses can be excluded in ISO 9001:2015? https://advisera.com/9001academy/blog/2015/07/07/what-clauses-can-be-excluded-in-iso-90012015/2015/