Search results


  • Mandatory roles in ISO 9001

    ISO 9001 does not prescribe any particular role. ISO 9001 gives total freedom to organizations about the way they distribute responsibilities and authorities among their people.

    You can find more information below:

  • Record Retention

    AS9100 does not dictate where to identify the record retention for each of your records, so you can do so in either procedure that you choose. We often recommend that each procedure that has a record includes a listing of records that gives the detail of how long the record will be kept, but exactly how you do this is up to you. You should also note that not all processes in the QMS require a documented procedure to be written in order to meet the requirements.

    You can read more on the new requirements for procedures and records in AS9100 in the article: A new approach to document and record control in AS9100, https://advisera.com/9100academy/knowledgebase/new-approach-to-document-and-record-control-in-as9100/

  • Changes to consider in regulating data transfer between EU and US

    The Schrems II decision revoked the adequacy decision that the EU Commission had made over Privacy Shield. Before this decision, data transfer between the EU and the US was allowed, because Privacy Shield was considered to provide an adequate safeguard for the data and rights of EU individuals. Now the US is not considered to provide an adequate safe space for the privacy and rights of individuals, so the GDPR requires that controllers and processors adopt Standard Contractual Clauses (SCC) in order to implement rights and safeguards on behalf of data subjects.

    You need to consider whether the US recipient of the data transfer can offer you a standard of data protection that is compliant with the GDPR, and use the Standard Contractual Clauses in your legal undertaking.

    Here you can find our free template with Standard Contractual clauses: https://info.advisera.com/eugdpracademy/free-download/standard-contractual-clauses-annexes

    You can find some information about data transfer under GDPR here:

    You can also consider enrolling in this free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

  • Is acceptance of COOKIES part of GDPR?

    Cookies are mainly regulated by the e-Privacy EU Directive 2002/58/EC (there is actually a discussion about approving the e-Privacy Regulation, but there is no forecast of its final adoption and entry into effect). However, cookies can be considered part of GDPR compliance, because Article 7 GDPR on consent requires that the data subject give consent for each data processing activity. This means that if I run a website, I need to ask users for consent to track them and maybe to monitor their behavior on the website. I need to ask for consent for each data processing activity that is not strictly necessary to make the website work.

    The importance of consent on cookies was stressed in May 2020 by the European Data Protection Board with its Guidelines on consent: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf

    Here you can find more information:

    You can also consider enrolling in this free foundation course: EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

  • Numerically estimating probability of occurrence and severity in context of risk assessment in the processing of personal data

    "I would like to better understand how it is possible to numerically estimate the probability of occurrence and the severity in the context of risk assessment in the processing of personal data: are there metrics described in the standards? E.g. if the probability scale is from 1 to 5, consider 1 if an event occurs once in more than 20 years, 2 if between 10 and 20 years, etc. The same should be done for the severity of an event: how do you quantify the extent of the "damage"? I believe this approach could find application in the DPIA, when required."

    Risk is defined as the product of the severity and the probability of an event occurring. The risk taken into consideration by the GDPR is the one relating to the impact on the rights and freedoms of the individual that would derive from a violation of the GDPR's provisions (failure to inform about the processing, violation of the data subject's rights, risk of discrimination).

    The guidelines on the DPIA issued by the European Union Agency for Cybersecurity (ENISA) offer exactly the guidance you are looking for, including with reference to particular sectors such as the medical one, and they are certainly a useful tool for carrying out a risk assessment.

    Here you can find more information:

    You can also consider taking our course
    EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/

  • Statistical techniques used while analyzing the data according to ISO 13485

    It really depends on your knowledge and on what kind of data you collect and analyze. However, the most used methods are:

      1. Mean, average - allows for determining the overall trend of a data set, as well as the ability to obtain a fast and concise view of the data

      2. Standard deviation – a method of statistical analysis that measures the spread of data around the mean

      3. Regression - the relationship between a dependent variable (the data you’re looking to measure) and an independent variable (the data used to predict the dependent variable)

      4. Statistical process control - statistical techniques to control a process or production method. This method can help you monitor process behavior, discover issues in internal systems, and find solutions for production issues. Statistical process control is often used interchangeably with statistical quality control. 

      5. Pareto analysis - simple decision-making technique for assessing competing problems and measuring the impact of fixing them. This allows you to focus on solutions that will provide the most benefit.
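    The five methods listed above, carried through on constructed QMS data in Python. This is an added illustration, not code from the answer above or from any ISO 13485 tool; the measurements, nonconformance counts and weekly complaint figures are made up for the example, and the only outside constant is d2 = 1.128, the standard tabulated value used to estimate sigma from the average moving range of consecutive pairs on an individuals chart.

```python
"""Mean, standard deviation, regression, SPC limits and Pareto analysis
applied to constructed quality data. Added example, not from the original answer."""
import math

# Constructed sample data (not real device data): ten length measurements
# of one part characteristic, nominal 10.00 mm, in production order.
MEASUREMENTS_MM = [10.02, 9.98, 10.05, 10.01, 9.97, 10.03, 9.99, 10.04, 10.00, 9.96]

# Constructed nonconformance log: number of NCRs per root-cause category.
NCR_BY_CATEGORY = {"labeling": 42, "packaging": 8, "dimension": 25,
                   "surface": 15, "documentation": 10}

# Constructed trend data: customer complaints received per week, five weeks.
WEEKS = [1, 2, 3, 4, 5]
COMPLAINTS = [3.1, 4.9, 7.2, 8.8, 11.0]


def mean(values):
    """1. Arithmetic mean: the central value of the data set."""
    return sum(values) / len(values)


def std_dev(values):
    """2. Sample standard deviation (n-1 denominator): spread around the mean."""
    m = mean(values)
    return math.sqrt(sum((v - m) ** 2 for v in values) / (len(values) - 1))


def linear_regression(xs, ys):
    """3. Least-squares line y = slope*x + intercept, returned as (slope, intercept)."""
    mx, my = mean(xs), mean(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    slope = sxy / sxx
    return slope, my - slope * mx


def spc_individuals_limits(values):
    """4. Phase-I control limits for an individuals (I-MR) chart.

    Sigma is estimated as the average moving range of consecutive points
    divided by the d2 constant for subgroups of size two (d2 = 1.128);
    the limits sit three sigma either side of the process mean.
    """
    moving_ranges = [abs(b - a) for a, b in zip(values, values[1:])]
    sigma = (sum(moving_ranges) / len(moving_ranges)) / 1.128
    center = mean(values)
    return {"center": center, "ucl": center + 3 * sigma, "lcl": center - 3 * sigma}


def points_outside(values, limits):
    """Phase-II monitoring: indices of new measurements beyond the established limits."""
    return [i for i, v in enumerate(values)
            if v > limits["ucl"] or v < limits["lcl"]]


def pareto_analysis(counts, threshold=0.8):
    """5. Rank categories by count and pick the 'vital few' that together
    account for at least `threshold` (default 80%) of all occurrences."""
    total = sum(counts.values())
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    table, vital_few, cumulative = [], [], 0
    for name, n in ranked:
        share_before = cumulative / total
        cumulative += n
        table.append((name, n, cumulative / total))
        if share_before < threshold:  # this category is still needed to reach the threshold
            vital_few.append(name)
    return {"ranked": table, "vital_few": vital_few}


if __name__ == "__main__":
    print(f"mean={mean(MEASUREMENTS_MM):.4f} mm, sd={std_dev(MEASUREMENTS_MM):.4f} mm")
    slope, intercept = linear_regression(WEEKS, COMPLAINTS)
    print(f"complaints ~ {slope:.2f} * week + {intercept:.2f}")
    limits = spc_individuals_limits(MEASUREMENTS_MM)
    print("I-chart limits:", {k: round(v, 3) for k, v in limits.items()})
    print("new points outside limits:", points_outside([10.01, 10.15, 9.99], limits))
    for name, n, cum in pareto_analysis(NCR_BY_CATEGORY)["ranked"]:
        print(f"{name:14s} {n:3d}  cumulative {cum:.0%}")
```

    The SPC part is split deliberately: limits are computed once from a stable baseline run and then new measurements are judged against those fixed limits, rather than recomputing the limits with every new point, which would let a drifting process widen its own limits. The Pareto function returns the ranked table as well as the vital few so the cumulative shares can be reported alongside the decision.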

    • Scope of areas under ISO 27001

      1. Kindly send the scope of areas under ISO 27001. 

      I'm assuming you are referring to the areas covered by controls of ISO 27001 Annex A.

      Considering that, these are the areas covered by ISO 27001:

      • Information security policies
      • Organization of information security
      • Human resource security
      • Asset management
      • Access control
      • Cryptography
      • Physical and environmental security
      • Operations security
      • Communications security
      • System acquisition, development, and maintenance
      • Supplier relationships
      • Information security incident management
      • Information security aspects of business continuity management
      • Compliance

      For further information, see:

      2. Does it cover all areas under IS Audit

      I'm assuming that by IS Audit you mean Information System Audit.

      Considering that, ISO 27001 Annex A controls cover most of what would be expected in an Information System Audit.

      For further information, see:

    • ISO 45001 - addressing life cycle perspective

      ISO 45001, occupational health and safety management system, does not include the life cycle perspective in its requirements the way ISO 14001 (environmental management system) does, but it does mention life cycle in the appendix about risks and hazard identification. Here the appendix of the ISO 45001 standard talks about including OH&S as early in the life cycle of facilities management as possible (not the life cycle of the product). The second mention of life cycle is regarding hazards in the workplace, and says that hazards should be identified during the life cycle of the product through design to delivery, but not post delivery.

      It is important to note that all of this is in the appendix, and therefore is not a requirement to meet but rather further information to help with implementation.

      For more on hazard identification, see the article: How to identify and classify OH&S hazards, https://advisera.com/45001academy/blog/2015/05/14/how-to-identify-and-classify-ohs-hazards/

    • Determined vs Provided controls

      ISO 45001, occupational health and safety management system, does not include the terms “determined controls” or “provided controls”, so as such it is difficult to give you a generic answer since this may be something specific to your industry or area.

      In the standard, controls are considered for addressing hazards that have been identified in the workplace. It is possible that these terms refer to controls that you determine yourself as part of your assessment (such as the need for a work instruction so that work happens safely) as opposed to controls that you are directed to use (such as a legal requirement to provide safety glasses, or to put guards on machinery with pinch points).

      For more on hazard controls, see the article: 5 levels of hazard controls in ISO 45001 and how they should be applied, https://advisera.com/45001academy/blog/2015/09/02/5-levels-of-hazard-controls-in-iso-45001-and-how-they-should-be-applied/

    • Table Top Exercise /Drill Validity in meeting ISMS Certification

      Our organization achieved ISO 27001:2013 certification a few years back for a Data Center (DC). Recently, we have established a Security Monitoring Center (SMC) and we are exploring having the SMC certified to ISO 27001.

      We are considering extending the existing DC ISMS certification scope to the SMC, or having the SMC gain a separate ISMS certification.

      Below are my doubts that require your expert advice:

      a) Would it be fine to have the same ISMS team who take care of DC ISMS certification to manage the SMC ISMS Certification programme?

      In terms of the ISO 27001 standard, there are no restrictions regarding using one team to manage multiple certifications. In fact, the experience of the team with the previous certification will help make the second implementation easier.

      b) Would it be fine to deploy the existing relevant DC ISMS SOPs to the SMC ISMS certification? Meaning that we maintain a single set of SOPs, but to be used for two separate ISMS certifications: DC and SMC respectively.

      Commonly used SOPs can be deployed for both DC and SMC, but you need to take care when managing such documents, to ensure that when any changes are made on them you make clear to which scope it is related.

      For further information, see:

      c) What are the advantages and disadvantages to maintain a single ISMS Certification for both centers versus each center has its own ISMS certification?

      The main advantage of a single certificate is the reduced maintenance and recertification costs, because you will need to go through only a single set of surveillance audits and recertification audits.

      The main advantage of separate certificates is that if something happens that affects the certificate of one scope, it will not have an impact on the other.

      It seems to me that you are talking about two different areas in the same company, and it is extremely rare for one company to have two separate certificates for one standard. What normally happens in situations like this is companies deciding to expand the existing ISMS scope to include the new area.

