Determining the context of the organization in terms of ISO 14001 includes considering environmental conditions being affected by or capable of affecting the organization. This means that you need to consider environmental conditions around the company, how they can affect the company, and how company operations can affect the environment. You do not have to create any document regarding this since the standard does not require it, but you can refer to some environmental study conducted by the local community or something similar regarding the external context. As a part of the internal context you can refer to your environmental aspects assessment.
Answer:
Regarding the first question, basically you need to list all the assets in your company and group them in some categories like hardware (laptops, printers), software, etc.
This article can help you to identify assets in your organization: “How to handle Asset register (Asset inventory) according to ISO 27001”: https://ad*********m/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
The risk assessment is done by assets, not by controls, so controls are selected after the risks have been identified. This article can also be interesting for you: “The basic logic of ISO 27001: How does information security work?”: https://ad*********m/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
Regarding your second question, you are right, ISO 27001:2013 does not require an asset-based method for the risk methodology, although it is our recommendation because it is very easy to understand, and consequences and likelihood are still required in the current version of the standard.
Finally, these materials will help you to know more about how to perform the risk assessment & treatment in your organization:
- free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
- book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://ad*********m/27001academy/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
Violation of the ISO 27001 certification
Answer: During the time your company is certified against ISO 27001, if you become non-compliant with the standard, then the certification body might revoke your certificate during the surveillance visit (depending on whether the nonconformity is major or minor).
You can get legal penalties only if you break some law/regulation, or if you violate the contractual obligations.
1) Is it that a person who assists them to get ISO 9001:2015 should know how the company performs its sales and purchasing activity? Can a newly joined member execute that?
2) Products and services with no feedback from the customer, etc.: are these documents a must for ISO 9001:2015, or do you need to include ISO 9001:2008 along with the 2015 documents that are made?
3) Rather than documentation as in ISO 9001:2008, in 2015 they said documented information. Is any existing information enough, or how will your toolkit make it easy? Can you list the advantages?
Answer:
1) When formulating a procedure for sales or any other process you must consult the person responsible or, even better, assist them in making the procedure by themselves. In this way you will avoid missing something out and the procedure will be accurate and therefore followed within the process. This is the best practice for any process, not only sales: with greater involvement of all relevant personnel in the company, you will implement the standard more easily and effectively.
2) You do not have to make any significant changes in the procedure for measuring customer satisfaction if the existing procedure is compliant with the new version of the standard. But if you choose to create a new procedure and a new record, they are the only documents to be used and the documents according to ISO 9001:2008 should be withdrawn.
3) Documented information is a new term that comprises both documents and records. There is no real change compared to the previous version except the terminology and, to some extent, extended requirements for document and record control. Existing documentation can be enough if it complies with the requirements of the new version of the standard.
Our documentation toolkits are fully compliant with the standard and they comprise best practices and experience with the standard requirements. They are easy to use, with an average of 20 comments per document that explain how they should be filled in. Also, together with the toolkit you will get access to video tutorials and have an online meeting with an expert who will help you in the implementation of ISO 9001:2015.
Gaining competence for ISO 9001:2015
Answer:
There is no formal requirement for internal auditors to attend internal auditor training or get any certificate. They only need to be familiar with the requirements of the standard in order to be able to perform the audit. This can be achieved through courses or awareness sessions or seminars or even independently if they have previous knowledge of ISO 9001:2008.
Personal data protection regulations are slightly different in various countries; however, generally speaking ISO 27001 covers ca. 90% of those requirements.
We are currently working on an article about the relationship between ISO 27001 and EU GDPR - it will be published on our ISO 27001 blog https://advisera.com/27001academy/blog/ in a couple of weeks - you can subscribe to the Newsletter and you will be notified automatically.
Yes, but the new version of the standard does not require documented procedures for control of nonconformities or corrective actions. That is the reason why we decided to merge those two procedures into one, to decrease the number of documents and yet provide a more efficient way to address the requirements regarding nonconformity and corrective actions.
Procedures can be merged into one or separated; it mostly depends on the needs of the company. If you are more comfortable with having two separate procedures, you can divide the Procedure for Management of Nonconformities CA into two procedures.
WhatsApp Privacy policy
Answer:
The privacy policy of WhatsApp (by the way, WhatsApp was bought by Facebook in 2014) is about personal data, which is a part of information security, but information security really covers much more (software development, business continuity, communications security, etc.).
And from my point of view, this privacy policy is similar to that of other companies, for example Google: they can use your personal data (name, mobile number, address, etc.) to know you better and to offer you specific services.
So, if you accept this privacy policy, the information that you have in WhatsApp can be shared with Facebook, which means that you will receive specific services (based on your interests), although you have an option in WhatsApp not to accept this policy, which means that you won’t receive specific services.
Anyway, if you are an active user on Facebook, they probably have a lot of information about you, because they can know your “Likes”, “Loves”, etc., your groups of interest, etc.
My recommendation: take care with your personal data, protect it, and don’t share it with people that you don’t know.
Answer:
The Application Management function is your "place" where the expertise regarding the applications you use is "located". This means that such a function will have your best application experts at your disposal. What's the use? Incident resolution, root cause analysis (Problem Management process), change evaluation/assessment and planning, etc. So, whenever you need experts for the applications in use (and we use a lot of them throughout our working day), you should know where to look for them.
Now, experts are an expensive workforce. So, most probably, you'll not use them for incident troubleshooting (except when the incident diagnosis is beyond your incident management staff) but for more complex tasks. Service Desk staff (as an example) is usually part of the Incident Management process. Application experts are on some further level of support (e.g. 2nd or 3rd, depending on how many people you have in IT Service Management).
Read the articles to learn more:
"ITIL Application Management Function – Custodian of application knowledge" https://advisera.com/20000academy/blog/2014/09/09/itil-application-management-function-custodian-application-knowledge/
"ITIL application management within the service lifecycle" https://advisera.com/20000academy/blog/2014/03/18/itil-application-management-lifecycle-within-service-lifecycle/
Benefits of ISO 27001 for a Care company
Answer:
Basically you need to show the CEO what the benefits of the implementation of ISO 27001 are, which are mainly four: compliance, marketing edge, lowering expenses and putting your business in order. This article can be interesting for you: “Four key benefits of ISO 27001 implementation”: https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/#benefits
Anyway, if your company is in the business of providing care to numerous people, where confidentiality is important, then ISO 27001 can help you keep all that information secret.