ISO 27001 was designed to be implemented in organizations of any size and industry.
These articles will provide you with a further explanation of ISO 27001:
These materials will also help you with ISO 27001:
The most important thing from the outset is to have the support of top management, since it is management that will provide the resources needed to carry out the project of implementing an environmental management system. These resources are not only financial, but also those related to personnel and other resources. In addition, in the latest version of the standard one of the requirements relates to management's commitment at each stage of the project and its subsequent maintenance, so top management must be convinced of implementing this EMS in the organization.
It is also important that employees are made aware, so that they understand the benefits of this management system and also know how they can get involved and what benefits it brings them. Here you can find a presentation (in English) that can help you raise awareness among your employees - Why ISO 14001 : awareness presentation: https://info.advisera.com/14001academy/free-download/why-iso-14001-awareness-presentation
Another aspect to consider for the implementation to be successful is to prepare a Project Plan from the start of the implementation. This Plan will make it easier to establish a series of milestones during the implementation, as well as responsibilities, etc., which will help to organize each of the stages and to track each of the phases.
These materials can help you learn which aspects to consider so that the implementation of the standard is successful:
- What are the responsibilities of top management in the EMS according to ISO 14001:2015: https://advisera.com/14001academy/blog/2016/01/18/what-are-the-responsibilities-of-top-management-in-the-ems-according-to-iso-140012015/
- You can download this Project Plan for free - Project Plan for ISO 14001:2015 implementation: https://info.advisera.com/14001academy/free-download/project-plan-for-iso-140012015-implementation-ms-powerpoint
- Free online course - Curso Fundamentos ISO 14001:2015 (ISO 14001:2015 Foundations Course, in Spanish): https://advisera.com/training/es/course/curso-fundamentos-iso-14001/
- Book - The ISO 14001:2015 companion: https://advisera.com/books/the-iso-14001-2015-companion/
How can a small (1-2 person) company correctly implement the GDPR?
The first thing you need to do is to know what personal data your company processes, and where it is stored and secured. You need to know your business. Then, you need to verify that data subjects are informed through a privacy notice and that they can exercise their rights. You should also verify whether you have taken any technical and organizational security measures to protect personal data in your company, and whether your suppliers and data processors are compliant with GDPR requirements.
Here you can find more information:
Also, what tools are available for a Marketing agency to provide its clients with GDPR implementation?
There are plenty of tools on the market that help you with GDPR implementation. However, you should be aware that there is no one-button solution that makes your company compliant with GDPR. Compliance is a process you need to implement in your company and periodically verify and update. Advisera developed the GDPR Toolkit in order to make it easy for small and medium companies to comply with GDPR requirements.
Here you can find more information:
Establish a set of quality objectives (clause 6.2.1) based on your organization’s quality policy (clause 5.2.1 b)).
For example: reduce customer complaints, reduce delivery delays, reduce internal defects.
Now, for each objective your organization must develop a plan (clause 6.2.2): what needs to be done, by whom, by when, and with what resources.
Your organization should make people aware (clause 7.3) of: the quality objectives, how they can contribute to meeting them, and the potential consequences of not meeting them.
Periodically your organization should monitor the evolution of the action plans and of the performance associated with each quality objective (clause 9.1.3) and evaluate the effectiveness of the action plans (clause 9.3.2 c) 2)).
The following material will provide you with more information:
The appointment of a data processor, under Article 28 GDPR, is necessary when another party processes data on behalf of the controller. The GDPR also considers visitors' IP addresses to be personal data, so if the website manager also provides the hosting service and stores visitors' data on its own servers (or on those of one of its suppliers), it should be appointed as a processor for better compliance.
If instead the school's website is hosted on the institute's servers, the website manager does not carry out any processing on behalf of the school, but is a party authorized by the controller to update and maintain the site. In this case, it would be appropriate to include a clause in the service contract regarding confidentiality and compliance with the school's internal data protection policies.
You can also find further information here: The EU GDPR: controllers vs. processors – What are the differences? https://advisera.com/eugdpracademy/it/knowledgebase/il-gdpr-dellue-controllori-a-confronto-con-processori-quali-sono-le-differenze/
You can also consider enrolling in our free course:
As you said, the Schrems II decision invalidated the EU-US Privacy Shield, therefore you need to consider using another legal ground to allow personal data transfers between the US and the EU (i.e. the Standard Contractual Clauses (SCC) or the Binding Corporate Rules (BCR)).
The European Data Protection Board (EDPB) recently published a FAQ sheet on the implications of the Schrems II decision that you can find here: https://edpb.europa.eu/news/news/2020/european-data-protection-board-publishes-faq-document-cjeu-judgment-c-31118-schrems_en
One of the suggestions made by EDPB is to consider avoiding storing personal data in the US and prefer Cloud Service Providers with servers based in the EU in order to be compliant with GDPR requirements. Please note that the decision applies to the transfer of personal data, not to all data transfers.
You might also be required to appoint an EU representative for GDPR compliance. It is a simple procedure with a service agreement, and you can appoint a company, a legal entity or an individual who can be contacted by the Data Protection Authorities in case of need.
Here you can find more information:
You can consider enrolling in our free EU GDPR Foundations Course
No, it is not mandatory to maintain a risk register. Please check this article - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
Having said that, I recommend that organizations maintain a risk register.
You can find more information below.
Recently the European Court of Justice (in the Schrems II decision) invalidated the adequacy decision of the EU Commission claiming that the US Privacy Shield granted an adequate safeguard for data protection in the United States. This means that any data transfer between the EU and the US must be based on another legal ground, like the Standard Contractual Clauses (SCC) or the Binding Corporate Rules (BCR).
The European Data Protection Board (EDPB) recently published a FAQ sheet on the implications of the Schrems II decision that you can find here: https://edpb.europa.eu/news/news/2020/european-data-protection-board-publishes-faq-document-cjeu-judgment-c-31118-schrems_en
One of the suggestions that arose from the EDPB is to consider avoiding storing personal data in the US and to prefer Cloud Service Providers with servers based in the EU in order to be compliant with GDPR requirements. Please note that the decision applies to the transfer of personal data, not to all data transfers.
Here you can find more information:
You can consider enrolling in our free EU GDPR Foundations Course:
Answer:
1. Upstream and downstream audits are about doing audits along a supply chain, upstream or downstream from a reference point.
2. A horizontal audit is when you audit one process across many departments in the organization. A vertical audit is when you audit all the processes used by a department.
3. Process audits are another name for horizontal audits.
4. These are the more common types.
You can find more information below.