
  • How to be on top of OH&S

    The best way to keep on top of the OH&S performance of the OHSMS is to develop some Key Performance Indicators that you can track to show how the organization is doing for OH&S performance. These indicators may start with “number of accidents” which you can then improve, but organizations that are working towards more prevention may look closer at “close calls” (incidents that could have caused injury but did not) and try to reduce these incidents so that in future they do not cause injury. Monitoring and measurement in the OHSMS is the key to keeping on top of what is happening.


    For more on how monitoring and measurement works in the OHSMS, see the article: How to establish and evaluate key performance indicators for ISO 45001, https://advisera.com/45001academy/blog/2015/07/22/how-to-establish-and-evaluate-key-performance-indicators-for-iso-45001/

  • Comparison between ISO 27001 Documentation Toolkit and the EU GDPR & ISO 27001 Integrated Documentation Toolkit

    1) 11.1 Measurement Report in the ISO 27001 is Not Referenced as Mandatory, whereas in the integrated toolkit it is: 17.1 Measurement Report - Referenced as Mandatory

    First of all, sorry for this confusion.

    The Measurement Report is to be considered mandatory.

    Please note that the Measurement Report is related to ISO 27001 clauses 6.2 and 9.1, and both require documented information about security objectives (clause 6.2) and monitoring and measurement results (clause 9.1).

    2) A.16.1 Appendix 1 - Incident Log can you please advise where that is referenced in the integrated toolkit?

    In the integrated toolkit, the document to be used to log incidents is the Data Breach Register, located in folder 14 Security Controls >> 14.A.16 Incident Management and Data Breaches

    3) Can you please advise where the below are included in the ISO-27001 toolkit

    14.A.13.1
    Includes Annex 1 – Standard Contractual Clauses for the Transfer of Personal Data to Controllers applicable to ISO-27001
    14.A.13.2
    Includes Annex 2 – Standard Contractual Clauses for the Transfer of Personal Data to Processors applicable to ISO-27001

    The requirements regarding privacy applicable only for ISO 27001 are covered in the Information Transfer Policy, located in folder 08 Annex A Security Controls >> A.13 Communications Security

  • Interviewing an auditee

    “A) say notes will be taken of their response as evidence that they are doing their job.

    Answer:

    Saying that “notes will be taken of their response” is a good approach, you are warning them, but it is better to justify it: you have a report to write and you don’t trust your memory, so you have to write your notes.


    B) establish a good rapport with the auditee: ask short questions and listen.

    Answer:

    Establishing a good rapport with the auditee is a good approach. Present yourself, put people at ease, some may have never been audited and they may be scared. Explain why you are doing the audit. Ask them things about what they are doing, rephrase their answers when you want to check you really understood their answer.

    C) put the auditee at ease and encourage them to mark out existing nonconformities."

    Answer:

    No, “encourage them to mark out existing nonconformities” that is not a good approach. You know the audit criteria, interview people, observe actions, check documents and records. If you think you found nonconformities state them, to allow any clarification.

    The following material will provide you information about audits:

  • Can ISO 27001 and certification body be from any country?

    From a certification point of view, provided the certification body is accredited, it can be from any country, not only the country of the company to be certified.

    However, you also need to check if you have local laws/regulations, or customer contracts, about the country of origin of the certification body.

    If you have no legal or contractual limitations, you can get ISO 27001 certified by a certification body from any country.

    These materials will provide you a further explanation about selecting a certification body:

  • Increasing the Scope of the ISO27001

    To extend the ISMS scope you have to perform all the steps as if you were implementing the ISMS for the first time, on a scale equivalent to the size of this extension.

    While you will have less effort related to common requirements such as document and record control, internal audit and management review, the effort for the risk assessment and treatment will depend on how similar this extension is to the current scope. If they are similar you may use existent controls and security metrics with only minor adjustments.

    In the Secure and Simple book, you should take a look at chapter 5 - FIRST STEPS IN THE PROJECT, which explains how to develop the ISMS scope.

    These articles will provide you a further explanation about implementing ISO 27001 (the concepts are the same for scope extension):

    This material will also help you regarding implementing ISO 27001:

  • Uncertainty Measurement

    There are several points to note regarding the requirements. Firstly, irrespective of whether the testing is reported as a pass/fail result or not, all laboratories must identify contributions to the measurement of uncertainty (MU). Secondly, a distinction is made between identifying contributions and evaluating measurement uncertainty, which involves quantifying the MU. The standard states in a note that when a well-recognized test method is used (i.e. standard methods) and controls are in place to limit the major sources of uncertainty, then the laboratory need not evaluate measurement uncertainty. This applies to both qualitative and quantitative results. Bear in mind that even if a result is reported qualitatively, for example, a positive or negative for a diagnostic test, it is still necessary to identify contributions to uncertainty to ensure that they are being controlled sufficiently. Typically a laboratory will state that a standard method is being used and performance parameters are met (verified); therefore, measurement of uncertainty wasn't fully evaluated. However, they need to list the major contributions to uncertainty, such as temperature affecting the volume of solutions in volumetric glassware and the uncertainty of calibrated mass balances. These controls can be considered as measures to minimise risk as part of addressing the risk that results may not be fit for purpose.

    If the test involves a measurement rather than an observation, and the method is not a validated standard method, the measurement of uncertainty must be fully evaluated.

    For more information, see a previous response to Measurement uncertainty in chemical process at https://community.advisera.com/topic/measurement-uncertainty-in-chemical-process/ and Calculating uncertainty at https://community.advisera.com/topic/calculating-uncertainty/

  • Questions for DPIA

    Do we have to perform DPIA for all our processing activities, or only for some of them? If only for some of them, what is the criteria to distinguish for which activities to perform the DPIA? Is this covered in some of the documents in your GDPR Toolkit?


    You have to perform a DPIA for all processing activities falling under art. 35 par. 3 GDPR, which are:
    a) profiling or tracking activities
    b) processing of particular categories of personal data falling under Article 9 GDPR
    c) video surveillance on a publicly accessible area on a large scale.

    In our toolkit, you can find the template of our


    If we have a data breach, do we have to report each data breach to the supervisory authority? If not, what is the criteria to distinguish between the breaches we need and do not need to report? Is this covered in some of the documents in your GDPR Toolkit?


    You need to report any data breach unless it is unlikely to result in a risk to the rights and freedoms of data subjects. Risks include fraud, identity theft, unauthorized access, monitoring, financial loss, or cases where sensitive data are involved. When a data breach occurs, you need to assess the level of risk and then define whether there is a need to report to the national Data Protection Authority or not. You should keep a register of data breaches.

    Our white paper on assessing the severity of personal data breaches according to GDPR can help you in the process: https://info.advisera.com/eugdpracademy/free-download/assessing-the-severity-of-personal-data-breaches-according-to-gdpr 

    Here you can find more information about Data Protection Impact Assessment and Data breach:
    5 phases of the EU GDPR Data Protection Impact Assessment https://advisera.com/eugdpracademy/knowledgebase/5-phases-of-the-eu-gdpr-data-protection-impact-assessment/
    5 steps to handle a data breach according to GDPR https://advisera.com/eugdpracademy/knowledgebase/5-steps-to-handle-a-data-breach-according-to-gdpr/


    If you need to understand how to implement EU GDPR in your organization, you may consider enrolling in our free EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/

  • Questions on filling in the documents

    Question 1: Some links referenced in the comments are no longer available; is there an update?

    First of all, sorry for this situation.

    Please provide information about the links with missing materials and we will send you the correct ones.

    Question 2: Some documents refer to “[cargo]” (job title); I would like to know the most advisable way to replace this variable. Should it be an existing job title, even if that title covers several functions, or should it be filled in with a job title yet to be created but which, in the interim, will be held by the same person?

    First of all, it is important to note that both approaches are acceptable for fulfilling the requirements of the standard. The suggested approach is to use the job title that will be responsible for the activity in the long term, regardless of the person assigned to it. This way, you will minimise the need to update the document whenever the responsible position changes.

    The comments included at each [cargo] suggest which job titles you can use. In addition, included in the toolkit, you have access to video tutorials that show how these job titles can be filled in for some documents.

    For more information, see:

    - How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/pt-br/blog/2016/06/22/como-documentar-papeis-e-responsabilidades-de-acordo-com-a-iso-27001/

    Question 3: How can I know which laws and regulations are mandatory for my company/situation?

    For this situation, our recommendation is that you seek local legal advice.

    As a starting point, you can use the information at this link:

    - Laws and regulations on information security and business continuity https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/
