Search results


  • Question on List of legal, regulatory, contractual and other requirements


    Should we list these contracts with partners in the “List of Legal regulatory contractual and other requirements”?

    Answer: You should list them only if those contracts contain clauses under which you have responsibilities to protect information.

    When selling our product to a company coming from another country, it’s not clear to me if we should list these country’s laws and regulations…

    Answer: Only if those regulations are applicable to your company - for example, if you are selling some consumer products to other countries, then you probably need to comply with their local legislation; if you are selling some business-to-business products, then the chances are you do not need to comply with local legislation in foreign countries.

    We have a helpdesk system hosted by another company where we store confidential information about our customers. Should the contract between us and this helpdesk company be listed too?

    Answer: I assume in this contract there are some security obligations for the hosting company, but not for you - if this is the case, then you do not need to list this contract in the List of legal, contractual and other requirements.

    By the way, did you know we have a free online course that explains all the important elements of ISO 27001? It is called ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • ISO 9001:2015 and production process

    Thanks for the reply, Strahinja. That helped.
    Coming to point 2: no, it is not using the wrong equipment, but a fixture that is now obsolete but has not been identified properly and hence stands a chance of being used by mistake. So which ISO clause is applicable?
  • OHSAS 18001 and ISO 45001


    Answer:

    The purpose of both standards is to provide a framework for establishing an occupational health and safety management system; the difference is that OHSAS 18001 is published by BSI (British Standardization Institute) and ISO 45001 will be published by the ISO organization (keep in mind that it isn't published yet).

    Unlike ISO 9001 and ISO 14001, where a change of version started a transition period in which every company must make the transition and update its system to meet the requirements of the new versions, publication of ISO 45001 won't force companies to migrate to it and abandon OHSAS 18001. However, it will be in line with other ISO standards, which will facilitate integration, and it will be a modern standard that is up to date with current requirements for occupational health and safety, so it will eventually replace OHSAS 18001, but the migration won't be as strict as in the case of the ISO 9001 and ISO 14001 transition.

    For more information, see: First glance at ISO/DIS 45001 – How different is it from OHSAS 18001? https://advisera.com/18001academy/blog/2016/01/20/first-glance-at-isodis-45001-how-different-is-it-from-ohsas-18001/
  • SoA and A.16 controls


    Would it be acceptable to justify the implementation of all A.16 controls using "All risks" instead of a specific risk?

    Answer:

    Basically, you are right - incident management as described in section A.16 is applicable because of any risk that you have. You could have some exceptions to that rule - e.g. A.16.1.7 Collection of evidence might be applicable to only some types of incidents; however, in general, for each control you can say that the reason for its applicability is all the risks that you identified.
  • Lean and ISO 9001


    Answer:

    Although there is a lot of overlap between ISO 9001 and Lean in terms of purpose and principles, they are different in many ways.

    Lean is a set of management practices based on the Toyota Production System (TPS). The Toyota Production System, a.k.a. Lean, is defined as having three primary pillars:
    1. Just-in-Time (improving flow)
    2. Quality at the source
    3. Waste reduction

    On the other hand, ISO 9001 is a management system that is focused on the quality of products and services and on customer satisfaction. ISO 9001 represents a set of requirements that an organization needs to meet in order to establish a quality management system, while Lean represents a set of tools and practices that should enable a company to reduce waste, ensure quality and improve processes. If you ask a consultant to implement ISO 9001 you will get one type of system, and if you ask him to implement Lean you will get another type of system. They can be implemented together to create one system, and they are good at supplementing each other, but they are not the same.

    For more information, see: ISO 9001 vs. Lean: How they compare and how they are different https://advisera.com/9001academy/blog/2014/07/22/iso-9001-vs-lean-compare-different-2/
  • Excluding physical location from the ISMS scope

    Again, you should approach this issue from the point of view of protecting your most sensitive information.

    If your sensitive information is located in that office, or if this office is crucial to protecting access to your information, then you should include the office in your scope. The fact that the office is leased doesn't prevent you from either (a) asking the owner to invest in physical controls, or (b) investing in physical controls yourself.

    Perhaps this article could help you: Physical security in ISO 27001: How to protect the secure areas https://advisera.com/27001academy/blog/2015/03/23/physical-security-in-iso-27001-how-to-protect-the-secure-areas/
  • Check remote host

    Thank you Ajsegovia
  • Time-frame for OHSAS 18001 implementation

    2. How do I need to use local legislation? or will 18001 cover all ground?
    3. What do I need to consider with KPI values?

    Answer:

    1. The usual time-frame for implementation of OHSAS 18001 is three to six months, but it depends on the size of the company, the number of locations and the method you choose for the implementation. If you decide to do it completely by yourself, using only resources inside the company, it will take you from six months to a year. If you hire a consultant it will take from one month to three months, and this is the fastest way. The third option is to use some online tools like ours (OHSAS 18001 Documentation Toolkit https://advisera.com/18001academy/ohsas-18001-documentation-toolkit/); in this case you will do it by yourself with our online support, and it takes up to three months.

    2. OHSAS 18001 does not prevent organizations from applying legislation; on the contrary, it provides a framework for identification of applicable requirements and compliance assessment. It relies on application of the legislation but it cannot replace it. For more information, see: How to identify and comply with legal requirements in OHSAS 18001 https://advisera.com/18001academy/blog/2015/06/24/how-to-identify-and-comply-with-legal-requirements-in-ohsas-18001/

    3. A key performance indicator (KPI) is a measurement of a certain type of activity that a company or organization partakes in. Basically, you need to determine some values that relate to occupational health and safety, define target values, and monitor and measure those values over the year. For more information, see: How to establish and evaluate key performance indicators for OHSAS 18001 https://advisera.com/18001academy/blog/2015/07/22/how-to-establish-and-evaluate-key-performance-indicators-for-ohsas-18001/
  • Backup


    Answer:
    Backup is not strictly required in ISO 20000. It's just one of the recovery options which are part of the IT Service Continuity and Availability process. So, when you are preparing the IT Service Continuity plan, prepare backup options. And don't forget data recovery, i.e. tests where you will see how long it takes to recover all data.
  • Preparing for certification audit


    Answer:

    The first thing the certification body will look for is documentation, and this includes the mandatory documents and records required by the standard (for more details, see List of mandatory documents required by ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/) and the documents that you determine as necessary for operating your QMS. This is usually audited during the 1st stage audit.

    In the second stage, the auditors will visit you on site and they will audit your processes and whether you are following the procedures and filling in the records.

    For more information, see: How to prepare your company for the ISO 9001 certification audit https://advisera.com/9001academy/03/how-to-prepare-your-company-for-the-iso-9001-certification-audit/