Search results

Are we allowed to change ISMS policies on our own

You can change ISMS policies anytime you identify the need to, but you need to evaluate who will be impacted by the changes, and what the impacts will be, to decide who needs to be informed, and what is the information to be communicated. For example:

• a change in the Information Security Policy needs to be communicated to all personnel
• a change in a Backup Policy, regarding the change in technology, may need to be communicated only to IT personnel
• a change in a Supplier Management Policy may need to be communicated to the organization's suppliers

Personal vs. Generic emails regarding B2B email marketing

A “generic” email address is an email address that does not incorporate personal information (i.e. info@company.com or marketing@company.com ) while a “personal” email address refers to a specific individual (i.e. name.surname@company.com, or n.surname@company.com, or surname@company.com, etc).

Germany and the UK are both ruled by the European Union General Data Protection Regulation 2016/679 which has direct application across all EU. 

In the UK the GDPR will be enforceable until the 31st December 2020 when the Brexit transition period will end and of course, it will continue even after for companies subjected to its application (companies processing personal data of individuals living in the EU). However, UK privacy law has many principles in common with GDPR which has been taken as a model for data protection law across the world.

You can find more information about GDPR and email marketing here:

• Email marketing in the era of GDPR – How to ensure compliance? https://advisera.com/eugdpracademy/blog/2019/05/27/gdpr-and-email-marketing-rules-for-compliant-campaigns/
• How does GDPR impact marketing activities? https://advisera.com/eugdpracademy/blog/2018/02/08/how-does-gdpr-impact-marketing-activities/

ISO IMPLEMENTATION For Start Up Companies

Unfortunately, I can not answer about CMMI. However, I can answer about ISO 9001. Startups, in reality, are not yet companies, they are still projects of companies in search of a successful business model and customer fit. So, a startup is like an experiment being done. The startup can be called a company only after finding the right business model, a customer fit, and when it starts scaling. Only then, the procedures and internal standards are ready to be documented.

You can find more information below:

• Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/
• What are the benefits of ISO 9001 for your employees? - https://advisera.com/9001academy/blog/2016/06/14/what-are-the-benefits-of-iso-9001-for-your-employees/
• Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

ISO 9001 Quality objectives

Check all the promises your organization makes in its quality policy and try to translate each one into a measurable challenge, a quality objective.

You can find more information below:

• How to Write a Good Quality Policy - https://advisera.com/9001academy/blog/2014/03/25/write-good-quality-policy/
• How to Write Good Quality Objectives - https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
• Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

Risk Assessment - Defining asset ownership

First is important to note that ISO 27001 does not prescribe who the asset owner must be, so organizations are free to define the asset owners as best fit them.

Considering that, company board/managers can be the owners of assets like contractors or employees, but as a good practice, you should consider as the asset owner the first management level with responsibility for protecting and managing the asset, because this will make the decisions about the asset faster and more effective.

For example, if the asset is a server, the owner should be the server's administrator. In the case of contractors and employees, you should consider the asset owner the HR manager

This article will provide you a further explanation about the asset owner:

• How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

These materials will also help you regarding asset owner:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

ISO 14001 Waste manager / processor - specific requirements

What specific requirements are likely to be placed on a waste manager/processor in regard to the traceability of material they handle?

Answer:

Unfortunately, I have no experience in working directly with a waste manager/processor. According to my experience, in my own country, the only traceability requirements that I am aware of are: to ensure a chain of type of waste, according to a regulated definition, amount generated, transported, and whom it is processed by. Some countries use a paper trail, others use digital documents.

What processes are waste managers likely to be required to install/undergo in order to be compliant with the ISO?

Answer:

ISO 14001:2015 has no extra requirements beyond what is already prescribed in regulation or legislation. If your organization already complies with regulation and legislation, the main requirement from ISO 14001:2015 is to: define improvement priorities, translate those priorities into objectives, and design action plans to meet those objectives.

Please check this information below with more detailed answer:

• 7 steps in handling waste according to ISO 14001 - https://advisera.com/14001academy/blog/2016/11/07/7-steps-in-handling-waste-according-to-iso-14001/
• Using ISO 14001 to manage and reduce waste in the electronics industry - https://advisera.com/14001academy/blog/2017/02/13/using-iso-14001-to-manage-and-reduce-waste-in-the-electronics-industry/
• Is a gap analysis desirable for ISO 14001 implementation? - https://advisera.com/14001academy/blog/2016/11/14/is-a-gap-analysis-desirable-for-iso-14001-implementation/
• Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
• Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
   

ISO 9001 IMPACT / RISK ASSESSMENT

Thank you very much . It was very helpful. Have a nice day. 

Right to request deletion of all personal data

Data controller located in the EU or processing personal data of individuals in the EU is subject to GDPR requirements. Therefore, the cryptocurrency platform and its partner bank must comply with GDPR.

You have the right to demand the erasure of your personal data stored in the platform or in the bank under Article 17 GDPR. Consider also that it may happen that some local law or regulation may require to bank or platform to keep in their registry some of your data.

According to Article 17 GDPR, the data controller must inform you of having complied with your request of erasure, and in case of rejection, it must specify the reasons for rejection. 

Here you can find more information:

• Article 17 – Right to erasure (‘right to be forgotten’): https://advisera.com/eugdpracademy/gdpr/right-to-erasure-right-to-be-forgotten/
• Four main questions for obtaining and managing data subjects’ consent under GDPR: https://advisera.com/eugdpracademy/knowledgebase/four-main-questions-for-obtaining-and-managing-data-subjects-consent-under-gdpr/

You can consider enrolling in this EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

Normative reference and difference between clause 2 and 3

The purpose of a normative reference is to set the concepts and principles of ISO 9000:2015 as the basis for understanding and applying the information of ISO 9001:2015.

The purpose of Clause 3 is to set that definitions from ISO 9000:2015 are the ones to be used when working with ISO 9001:2015

• You can find more information below:
  Glossary of Quality Management Terms - https://advisera.com/9001academy/knowledgebase/glossary-of-quality-management-terms/
• Free on-line course - ISO 9001:2015 Foundations Course: https://advisera.com/training/iso-9001-foundations-course/
• Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/