Search results

Ensuring proper resources are on board

It refers to all persons/expertise/budget resources needed to implement the project. It depends on the dimension of the company, of course. 

For example, to implement the project and verify all risks it can be the DPO, the IT Manager, and the Head of the Legal Department, but of course, if you need to implement a Teleworking policy you may also need the HR manager. Or to mitigate the risks you need to buy new software/hardware. 

When implementing the GDPR project you need to take into account all these elements before starting.

To know more about how to start implementing GDPR, here you can find a 9 step procedure:

• 9 steps for implementing GDPR https://advisera.com/articles/9-steps-for-implementing-gdpr/

You can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

EU GDPR representative

Yes, your company needs an EU Representative in order to be contacted by Data Subjects or from the Surveillance Authority in case of needs. It can be a person (i.e a GDPR expert) or a company.The EU Representative shall be appointed in the country where the services are offered (Article 27 GDPR), so if your company will have an Italian Client, it will be better to appoint an Italian EU Representative. 

If you need to know more about EU Representatives and Cross-border data transfer under the EU GDPR, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

Toolkit content

"What documents of your Toolkit refer to the next issues:

Intragroup Data Transfer Agreement (IGDTA)

Our Toolkit is focused on small or mid-sized companies, so, unfortunately, the toolkit does not have intragroup policies since they apply only to larger companies.

Technical and Organisational Measures (TOMS)

All documents contained in the folder named “Security of Personal Data” refer to Technical and Organisational Measures. It contains:

• IT Security Policy,
• Access Control Policy
• Security Procedures for IT Department
• Bring Your Own Device (BYOD) Policy
• Mobile Device and Teleworking Policy
• Clear Desk and Clear Screen Policy
• Information Classification Policy
• Anonymization and Pseudonymization Policy
• Policy on the Use of Encryption
• Disaster Recovery Plan
• Internal Audit Procedure

Newsletter Policy

In the Folder “Website documents” you can find the website privacy policy where the newsletter is included along with the Contact form, Shop, and other parts of the website.

Here you can find our Toolkit and download the free demo or watch the video tutorial on the implementation of GDPR through our Toolkit: https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ 

SPC for big subgroups

You can use an X-R card. You can use the number of subsamples from 1 to 5 when using this card. For example, if your sub-sample number is 3, you can fill the card with a total of 3X25 = 75 values, or if your sub-sample number is 5, 5X25 = 125 values in total. As you know, d2 constant changes according to the number of subsamples. For this, you can use the SPC rev 2 blue manuals published by AIAG.   Normally, many companies use excel for this card. As you know, excel calculates itself with formulas. The X-S card can also be used. For this, the number of subgroup samples should be more than 5.

For the X-R card, I have specified the formulas used below:

X mean= (X1+X2...........X25)/25

R= X max-X min

R mean= (R1+R2........R25)/25

S(standard deviation)= R mean/d2

The d2 constant changes according to the number of subsamples. For example, if the subgroup number is 3 then the d2 constant is 1,69. If the subgroup number is 5 then the d2 constant is 2,33, as you can see on this screenshot: https://i.imgur.com/iCmdZvN.png

Cp (Product Capability)=  ( Upper Speciation Limit-Lower Specification Limit)/6xSCpk= (Upper Specification Limit-X mean)/3xS or (X mean-Lower Specification Limit)/3xS

For more information, see:

• How to establish QMS Statistical Process Control according to IATF 16949 https://advisera.com/16949academy/blog/2017/08/30/how-to-establish-qms-statistical-process-control-according-to-iatf-16949/  

• Pregunta ISO 9001-2015

  El alcance del sistema de gestión de calidad lo decide la organización, y es en este alcance donde se establecen los límites de la implementación de ISO 9001:2015. Por ejemplo, el alcance de la organiación puede estar limitado a un proceso específico, a un departamento, un producto, un servicio, o una localización (en el caso de que se trate de una empresa con varias localizaciones).

  Estos materiales pueden ayudarle con la implementación de ISO 9001:2015:

  - Cómo definir el alcance del SGC de acuerdo a la ISO 9001:2015: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/como-definir-el-alcance-del-sgc-de-acuerdo-a-la-iso-90012015/
  - Libro – Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  - Formación gratuita en línea – Fundamentos de ISO 9001:2015 : https://advisera.com/es/formacion/curso-fundamentos-iso-9001/

• Implementing accreditation and quality assurance at a university

  First, start with the scope. The department of education and student affairs may do a lot of things. What are the things included in the scope of the QMS?

  Then, consider the interested parties. Who are the relevant interested parties of the department of education and student affairs? Now you know what is expected of the department, what are the services or products to be delivered to whom with what specifications.

  Then, design the model of how the department of education and student affairs work based on the process-approach. After this, you can add the context analysis and do a risk determination exercise. What can go wrong in the processes? What can go wrong in the context?

  The following material will provide you more information about the scope:

  • How to define the scope of the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
  • Free webinar on-demand - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/
  • Please check this free webinar on-demand - The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/ - where I explain how to develop process mapping, drawing a model of how an organization works, based on the process approach, and how to draw a flowchart describing each process.
  • Enroll for the free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

• CISO

  1.  Does the standard require that a CISO (Information Security Manager) be within the company?

  ISO 27001 does not require specific roles to be defined, only that relevant responsibilities related to information security be defined.

  Considering that, a CISO is not mandatory for ISO 27001. You can delegate responsibilities for information security to already existing roles in your organization.

  For further information, see:

  • How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/

  2. Can I outsource a CISO?

  ISO 27001 does not prescribe that personnel with roles related to information security need to be employees of the organization, so the CISO role can be outsourced. You only need to ensure that required roles and responsibilities are included in the contract or service agreement established with the outsourcer entity.

  For further information, see:

  • What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/

  3. Regarding the training plan, is it always necessary to present a certificate to demonstrate a training course?

  ISO 27001 requires evidence of competence, which can be related to education, training, or experience.

  Considering that, a certificate is one example of acceptable evidence for a training course, but you also can use a list of attendance (normally a certificate is used when the training is performed by an external provider, and a list of attendance is used for internal training courses).

  For more information, see:

  • How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/

  This material also can be of interest to you:

  • Free Security Awareness Training: https://advisera.com/training/awareness-session/security-awareness-training/ - this is a series of 25 videos that cover various topics related to security.

  4. How to show the free courses where you do not have a certificate?

  In these cases, you can take a print screen showing the results of the course (e.g., the screen with the final grade, or showing course completion), the attendee’s name, and date.

  5. Can the Information Security objectives be changed at any time or should a measurement period be expected?

  Normally, Information Security Objectives do not change before the first measurement but depending on the circumstances involving the need for change (e.g., a significative change in the organizational context), top management can review and define new Information Security Objectives.

  For further information, see:

  • ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/

  6. If a security objective is changed, can an auditor ask me to measure the old objective?

  ISO 27001 does not prescribe that changed security objectives need to be measured, so the auditor cannot ask you to measure the old objective, but he can ask for information about the need to change the objective, to evaluate if it was changed based on a significant change in the organizational context.

• 27001/2:2013 framework for Information Assets of OT/ICS

  ISO 27001 was designed to be used by organizations of any size and industry, so it can be applied to Information Assets of OT/ICS, however, please note that ISO 27001 and ISO 27002 do not go deep on technological details, so you should also consider using them together with other frameworks that provide technical implementation details, like NIST publications.

  These articles will provide you a further explanation about ISO 27001, ISO 27002, and NIST publications:

  • What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
  • A quick guide to ISO 27001 controls from Annex A https://advisera.com/27001academy/iso-27001-controls/
  • How to use NIST SP 800-53 for the implementation of ISO 27001 controls https://advisera.com/27001academy/blog/2016/05/10/how-to-use-nist-sp-800-53-for-the-implementation-of-iso-27001-controls/

  These materials will also help you regarding ISO 27001:

  • Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

• ISO 9001 and Quality teaching, research and Community outreach services

  ISO 9001 is about demonstrating the ability to consistently provide products and services that meet customer and regulatory requirements. So, ISO 9001 can help align an organization around a policy, a set of priorities, translated into objectives. And a management system is about working to meet those objectives. So, for each area, teaching, research, ... Who are the critical interested parties? What do they need and expect? How can the university organize itself in order to be focused on delivering those outcomes?

  ISO published in 2003, IWA 2:2003 - Quality management systems - Guidelines for the application of ISO 9001:2000 in education, a document updated in 2007 by IWA 2:2007 - Quality management systems -- Guidelines for the application of ISO 9001:2000 in education. However, as far as I know, this 2007 guideline has been withdrawn.

  ISO published in 2018, ISO 21001:2018 - Educational organizations -- Management systems for educational organizations -- Requirements with guidance for use. ISO 21001:2018 is a management system standard that is partially aligned with ISO 9001:2015 for quality management systems.

  The following material will provide you information about a QMS in an education setting:

  • ISO 9001 – Should universities implement ISO 9001? - https://advisera.com/9001academy/blog/2015/04/21/should-universities-implement-iso-9001/
  • Free online training I SO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

   

• Employee Job Description in ISO 9001-2015

  If your quality management system includes employee's job descriptions an auditor can ask to see them. For example, as auditor, I may ask to see a job description in order to have an idea about authorities and responsibilities, and from there organizational knowledge requirements, and from there competence requirements.

  The following material will provide you more information about organizational knowledge and competence:

  • How to manage knowledge of the organization according to ISO 9001 - https://advisera.com/9001academy/blog/2016/08/30/how-to-manage-knowledge-of-the-organization-according-to-the-iso9001/
  • How to ensure competence and awareness in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-ensure-competence-and-awareness-in-iso-90012015/
  • Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
  • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/