Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11275 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Adding new control to SoA after audit
Adding, changing, or excluding a control from SoA is a natural and necessary thing to maintain the ISMS.
To do that, considering the requirements of the standard, you need to review your risk assessment and risk treatment, and your list of applicable legal requirements, to verify if there is any change in your context that can justify a change in SoA. Additionally, you need to check if there is any management decision to implement a control (in such cases there will be no changes in risk management nor in legal requirements).
Once a need for change is identified, you need to define an implementation plan to perform the change.
These articles will provide you a further explanation about SoA:
The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/ -
Sending personnel data from UK or Europe for analysis.
The data you are going to process belongs to the special category of personal data under Article 9 GDPR (some legislation call them sensitive data) because this kind of data contains information which may end up in discrimination and in threats to the freedom and rights of individuals. Therefore, the EU GDPR requires controllers and processors to pay particular attention when processing this kind of data.
Before starting processing, you will need a Data Protection Impact Assessment as Article 35 GDPR requires in order to verify the risk for freedom and rights of data subjects arising from your data process and assess the risks with appropriate safeguards. This will also help you to comply with privacy by design and privacy by default principles.
From the information you wrote, your data processing will be likely based on consent. Therefore, you will need to pay attention to the information provided to data subjects in your privacy notice and the request for consent.The register of processing activities will also be required.You will need to establish a procedure to deal with Data Subjects Access Request (DSAR) because data subjects may always withdraw the consent and you need to be able to verify the request and proceed with the exercise of DSAR and also comply with the right of erasure if requested so.
Be sure to inform data subjects that their data will be processed also in the US.
Then, transferring data to a processor in the US may request safeguards: adoption of a data protection agreement with the approved standard contractual clauses is necessary because the EU Court of Justice invalidated the US Privacy Shield with the so-called Shrems II decision. You may also adopt secure transfer protocols and encryption (if you can anonymize data it would be a plus while pseudonymization is highly recommended).
Here you can find more information:
- A summary of 10 key GDPR requirements https://advisera.com/eugdpracademy/knowledgebase/a-summary-of-10-key-gdpr-requirements/
- List of mandatory documents required by EU GDPR https://advisera.com/articles/list-of-mandatory-documents-required-by-eu-gdpr/
- Data subject rights according to GDPR https://advisera.com/eugdpracademy/knowledgebase/8-data-subject-rights-according-to-gdpr//
- Everything you need to know about the GDPR Privacy Notice https://advisera.com/articles/gdpr-privacy-notice-6-key-elements-to-include/
- 5 phases of the EU GDPR Data Protection Impact Assessment https://advisera.com/eugdpracademy/knowledgebase/5-phases-of-the-eu-gdpr-data-protection-impact-assessment/
- What is privacy by design & default according to GDPR? https://advisera.com/eugdpracademy/blog/2018/04/17/what-is-privacy-by-design-and-default-according-to-gdpr/
- 3 steps for data transfers according to GDPR https://advisera.com/articles/3-steps-for-data-transfers-according-to-gdpr/
To have a deeper idea of the list of requirements of GDPR you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
-
Sample size in the field of valve calibration
Thank you so much
-
Format of procedure preparation
You can write the procedures in either world, excel, or another format.
The procedure writing method for IATF 16949:2016 standard is not different from ISO 9001:2015 standard.
As you know a procedure states how the process needs to be done.
A procedure offers a general description of how a company meets a process requirement and the procedure consists of more specifics.
This includes scope, objective, responsibilities, references, application, specific tools, methods, measurements, and historical change of procedure.
There are 7 steps in writing quality management system procedures for ISO 9001:2015 and IATF 16949:2016 standards.
These 7 procedure writing steps are listed below, respectively:
- Decide on the process limits.
- Gather the information
- Align with other documents and processes.
- Define your document structure.
- Write your document.
- Get approval for your document.
- Train the relevant employees.
- 7 steps in writing QMS policies and procedures for ISO 9001 https://advisera.com/9001academy/blog/2015/03/10/7-steps-in-writing-qms-policies-and-procedures-for-iso-9001/
For more information please read the following article:
You can also see our IATF 16949:2016 Documentation Toolkit here: https://advisera.com/16949academy/iatf-16949-2016-documentation-toolkit/
Purchase persuasion
I’m assuming you are referring to convince leadership to support an ISO 27001 implementation.
Considering that, to improve your chances to get support for an ISO 27001 initiative in your organization you should provide real examples of benefits related to:
- compliance with regulations regarding data protection, privacy, and IT governance applicable to the organization
- competitive differential that can be achieved by being capable to demonstrate your organization can protect customer information
- decrease in costs incurred by information related incidents
- improving internal organization
Another important point to be considered is the presentation. For top management, you should avoid using technical jargon (concentrate on business benefits).
These articles will provide you a further explanation about ISO 27001 benefits and top management:
- Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
- 4 crucial techniques for convincing your top management about ISO 27001 implementation https://advisera.com/27001academy/blog/2016/09/12/4-crucial-techniques-for-convincing-your-top-management-about-iso27001-implementation/
- Top management perspective of information security implementation https://advisera.com/27001academy/blog/2012/12/04/top-management-perspective-of-information-security-implementation/
These materials will also help you regarding ISO 27001 benefits and top management:
- ISO 27001 benefits: How to obtain management support [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001-benefits-how-to-get-management-buy-in-free-webinar-on-demand/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
ISO 22301 Compliance Matrix
You can download an explanation of ISO 22301 standard here: Clause-by-clause explanation of ISO 22301 https://info.advisera.com/27001academy/free-download/clause-by-clause-explanation-of-iso-223012008
In the ISO 27001 & ISO 22301 toolkit you purchased, you will find the document called "List of documents" - it defines which documents are needed for ISO 22301 implementation.
To simplify this, if you want to implement only ISO 22301 without ISO 27001, you would need to implement documents from these folders, in this very sequence:
00 Document management
01 Preparations for the project
02 Identification of requirements
05 Risk assessment and treatment
08 Annex A controls - A.17 Business continuity
09 Training and awareness
10 Internal audit
11 Management review
12 Corrective actions
Writing quality SOP for work infrastructure
In SOP for infrastructure you need to consider the following:
- Description of the buildings, workspace, and associated utilities
- What kind of the process equipment you have (both hardware and software)
- What kind of supporting service you have
More information on this topic you can find in the following article:
- Managing medical device infrastructure requirements according to ISO 13485:2016 https://advisera.com/13485academy/blog/2017/06/28/managing-medical-device-infrastructure-requirements-according-to-iso-13485/
You can also see how the procedures for infrastructure and records of the infrastructure maintenance in our ISO 13485:2016 documentation toolkit look like:
- Procedure for Infrastructure and Work Environment https://advisera.com/13485academy/documentation/procedure-for-infrastructure-and-work-environment-iso-13485-2016/
- Record of Infrastructure Maintenance https://advisera.com/13485academy/documentation/record-of-infrastructure-maintenance-iso-13485-2016/
-
EU GDPR membership and countries outside of the membership
Concerning the EU GDPR membership and countries outside of the membership;The EU GDPR will be mirrored by the UK-GDPR version - would this be subject to regular reviews?
The UK chose to mirror the EU GDPR in order to have an adequate decision by the EU Commission and not lose the free flow of data among EU and UK. It is difficult to forecast regular reviews, either on the EU GDPR or the UK GDPR side.We can imagine a coherent evolution for both regulations in order to provide a standard to controllers and processors, but most will depend on how the relationship between the UK and the EU will continue.
Hypothetically, if the EU were to break up - would the GDPR be able to continue under a unified, but individual country membership?I live in the UK (Scotland) and hope this does not become a reality.
The EU GDPR is a regulation of the EU and it produces effects in Member State on the basis of the EU Treaties. In the unlikely event of EU break up, the Treaties will not produce their effects anymore and the GDPR will have no effects in the former EU States unless the country mirrors it with internal legislation. The negotiation on the dissolving EU may also end with an international agreement adopting the GDPR as a separate treaty in order to benefit each State of the same regulation.
Here you can find more information on the territorial scope of the GDPR
- What is the EU GDPR and why is it applicable to the whole world? https://advisera.com/eugdpracademy/knowledgebase/what-is-the-eu-gdpr-and-why-is-it-applicable-to-the-whole-world/
To have a deeper idea of the list of requirements of GDPR you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
-
GDPR Certification
There is no certification process of compliance with GDPR. However, some ISO standards like ISO 27001 and 27701 may end up in conformity to GDPR requirements.
Here you can find more information about ISO 27001 and GDPR:
- Does ISO 27001 implementation satisfy EU GDPR requirements? https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/
- Privacy, cybersecurity, and ISO 27001 – How are they related?: https://info.advisera.com/27001academy/free-download/privacy-cyber-security-and-iso-27001
There is also our Free webinar:
- How to integrate GDPR with ISO 27001 https://advisera.com/eugdpracademy/webinar/how-to-integrate-gdpr-with-iso-27001-free-webinar-on-demand/
To have a deeper idea of the list of requirements of GDPR you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
-
Discussion regarding CSR
If the organization's OEM automotive customer is Ford, Customer-specific requirements (CSR) are already available on the IATF web page and the FORD portal. Therefore, FORD does not give its specific requirements separately.
Your customer portal usage is opened by the customer and you enter it with your password. Portal usage is available for all automotive IATF OEM customers and CSR’s are also uploaded on the IATF website.
If your customer is not Ford, you should use your main customers' customer-specifics requirements (CSR). You should request CSR from your main customer.
The major finding is that CSRs are not reviewed, included in the quality management system, and not implemented
For more information, please see the following article:
- How to satisfy customer-specific requirements when implementing IATF 16949 https://advisera.com/16949academy/blog/2019/07/02/iatf-16949-customer-specific-requirements-how-to-meet-them/