ISO 9001:2015 requires that the company identify a risk management plan, does this plan fall in as a QMS or safety and health?
Answer:
I'm not sure if I understand the question, but besides interested parties and the definition of the scope, you need to consider internal and external issues relevant to your company's QMS. For example, internal issues can be organizational structure, organizational culture, resource needs, etc., while external issues might be conditions on the market, availability of raw materials, tax policy of the company, etc. For more information, see: How to identify the context of the organization in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
ISO 9001 does not require a risk management plan or any other document regarding risks. It only requires risks and opportunities to be identified and addressed, and the effectiveness of the actions taken to address risks and opportunities to be monitored and evaluated. It shouldn't be mixed with occupational health and safety or environmental risks, since its focus is on quality, and there is no requirement to establish a methodology or write a procedure. For more information, see: How to address risks and opportunities in ISO 9001 https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
Transition of ISO 9001 and ISO 14001
Answer:
The transition process is the same for both standards. First, you need to conduct a gap analysis to determine to what extent your existing system is compliant with the new requirements of the standards. Once you have this information, you can create a project plan with defined activities, responsibilities, resources, and deadlines for the transition to the new version of the standards.
At the moment we do not see a practical way to combine risk assessment according to ISO 27001 and ISO 9001: the methodologies are different, the types of risks are quite different, and the treatment is also different. So we think it is better to do a separate risk assessment for the ISMS and for the QMS.
However, risk assessment in ISO 9001 is quite a new topic, and we're watching closely how best practice will develop. If some methodology appears that covers both standards, we will certainly recommend it.
Answer:
If your question is about certification bodies that can certify your organization in ISO 27001, there are many companies in Peru offering this service, and they are very easy to find (it may be simpler through the local entity INDECOPI).
In any case, what matters here is selecting the best certification body for your organization, and for that you should take into consideration some points such as reputation, accreditation, specialization, experience, etc. This article may be of interest to you, "How to choose a certification body": https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
Answer:
Some certification bodies require you to check all security controls during the first internal audit, so our recommendation is that you review all the security controls during the initial internal audit.
There is no globally accepted way, but you can distribute the 114 controls (there were 133 controls in the previous version of the standard, not in the current one) in the way that you want. For example, you could review one third of the security controls each year.
Answer:
ISO 27001 was not specifically developed for health organizations, but there is another ISO standard that can help you: ISO 27799.
So, you can implement an Information Security Management System based on ISO 27001 and complement it with ISO 27799, which is basically a guide of best practices about security controls related to health organizations.
From my point of view, these standards are the best option to protect information in health organizations.
It's a relative question, depending on whether it has its own data on the cloud service it uses, because:
- When you talk about your own data on the cloud service you use, you are the PII principal. You define on your own how the data can be used.
- When you deal with your customer data on the cloud service you use, you are the PII controller. You receive personal data from customers (the PII principals) and use a third party (the PII processor) to perform operations previously agreed with customers.
In case someone decides to use ISO 27001 to implement PII controls in a certifiable manner, the principal, the controller, and the processor can each be part of the certified scope, but with different purposes:
- For the PII principal, the certification purpose would be to ensure the PII principal can demand and verify actions from those who collect, store, and process his/her PII.
- For the PII controller and PII processor, the certification purpose would be to ensure they properly protect the PII they collect, store, and process from their users.