Top management has an invaluable role in communicating internally the importance of the environmental management system (EMS), and in promoting and financing the EMS. ISO 14001:2015, clause 5.1, gives some help in answering your question:
Please check the following information:
No, GDPR doesn't have a conformity mark like CE.
You can consider enrolling in this free online training:
Of course, it depends on the clause that is drafted in your service agreement. Service providers can be considered processors if the service requires processing personal data on behalf of the controller (e.g., a marketing agency that processes personal data of clients of the brands it represents); in that case, the content of the clause is often determined by the provisions of Article 28 GDPR.
As with any clause in a contract, it can of course be negotiated, and you can also propose your own clause in which you guarantee to your clients your compliance with GDPR (this can add value to your service).
Here you can find more information:
You can also consider enrolling in this free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
Yes, the company will be sanctioned for non-compliance.
Articles 83 and 84 GDPR refer to administrative fines of up to 10 000 000 Euro or 20 000 000 Euro, or to 2% or 4% of the annual turnover of the preceding financial year, whichever is higher. Therefore, administrative fines will be calculated depending on the infringement. In the case of negative turnover, the consequences for the company may vary from State to State depending on the internal procedural law. A sanction issued by the Supervisory Authority is considered a debt that may lead to bankruptcy.
Here you can find more information:
You can also consider enrolling in this free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
1 - Is there anything that would stop us from simply having two classifications Public and Confidential?
ISO 27001 does not prescribe classifications to be applied to information, so it is acceptable by the standard that your organization may adopt only Public and Confidential levels.
2 - Assuming we adopted a mandatory classification protocol at an individual document level on, say, December 1. What would be the recommendation as to the classification of all pre-existing documents?
I'm assuming that by classification you mean define it as different from public.
Considering that, the classification of pre-existing documents will depend on your needs, the results of risk assessment, and applicable legal requirements.
For example, for HR processes you may need to classify all documents related to employees, regardless of how old they are (in most countries this is related to laws or regulations). On the other hand, for the marketing campaign for a new product, you only need to classify it until the new product is released.
It is important to note that the classification of information at the document level is impractical for a large number of documents.
3 - ...If the response is that every old document must be classified, this would be impossible for us. Therefore my next questions are around whether we can classify not at document level, but at a higher level:
ISO 27001 does not prescribe levels to consider to classify information, so you can use the classification that better suits your needs. For example, you can classify documents according to type, the processes or business units they are related to, or where they are stored (e.g., contract type documents, documents related to the software development process, documents related to the HR department, or documents stored in the CFO office).
4 - Would it be legitimate to have a classification policy at a document type level?
Considering previous answers, a classification policy at the document type level is acceptable for ISO 27001 certification purposes.
5 - Or is it legitimate to classify based upon where the electronic document is stored (e.g., everything in this Microsoft Teams channel is Confidential)?
Considering previous answers, classifying documents according to where they are located is acceptable for ISO 27001 certification purposes.
6 - Overall, any general thoughts / advice you may have for the creation of a workable classification policy for such a small company?
These articles will provide you with further explanation about information classification: