All the products you mention are templates in MS Excel - therefore, you can adapt them (or merge them) as you see fit, and you can copy and paste the data from one document to another.
On the landing page of each of those documents you can see a free preview and download a free demo of each document:
Backout procedure is your plan in case a change is not implemented successfully. It will help you return to the initial state (before the change is implemented) or take some other remediation actions (e.g. in case you can't go back to the initial state - like revisiting the change and the actions performed to find an error, etc.).
Here are some more details:
Service Transition in ITIL https://advisera.com/20000academy/blog/2013/06/11/service-transition-itil/
What is the remediation procedure and back-out in the ITIL/ISO 20000 Change Management process? https://advisera.com/20000academy/blog/2017/06/13/what-is-the-remediation-procedure-and-back-out-in-the-itiliso-20000-change-management-process/
The RAG rating system is a standard system typically used for rating tasks in project management as Red/Amber/Green (much like a traffic light) as to whether they are on track, in trouble, or have no problems.
Keeping in mind that this is not a requirement of OHSAS 18001 or ISO 45001, you could use this as part of an assessment report by rating whether a task was on time, whether a requirement was not met or partially met, or the status of a risk. How you use it would be up to you, as it is your choice how you want to assess something and not a requirement of the standard.
If you are looking for a simple gap analysis tool you can check out our Free ISO 45001 Gap Analysis Tool, https://advisera.com/45001academy/iso-45001-gap-analysis-tool/
If I understood well, you're asking why ISO 27001 was not mentioned in the LGPD (Brazilian personal data protection law).
Typically, laws and regulations do not require particular standards to be implemented because they do not want to prescribe what the implementation needs to look like.
GDPR (European personal data protection regulation) is very similar to LGPD, and it also does not refer to ISO 27001 - we have analyzed GDPR and found ISO 27001 to be very useful for its implementation, you can find the white paper here: What is EU GDPR and how can ISO 27001 help? https://info.advisera.com/27001academy/free-download/what-is-eu-gdpr-and-how-can-iso-27001-help
As per ISO 45001 there is no defined mechanism in the standard for identifying and assessing the OH&S opportunities and other opportunities. It is up to the company to determine the process and assessment criteria it will use.
You can find out more in the article: What are the new requirements for risks and opportunities according to ISO 45001?, https://advisera.com/45001academy/blog/2018/04/25/what-are-the-new-requirements-for-risks-and-opportunities-according-to-iso-45001/
Yes, all clauses of the standard are to be included in the internal audit program. If your organization uses those processes to manage those topics, they should be audited.
For example, about the Corrective Action Process I would like to verify if you develop corrective actions, if your corrective actions act upon true root causes, if your corrective actions are implemented and effective, and if your corrective actions take too much time to take place.
The following material will provide you information about audits:
- ISO 9001 – What is the ISO 9001 audit program, and how does it work? - https://advisera.com/9001academy/blog/2017/01/24/what-is-the-iso-9001-audit-program-and-how-does-it-work/
- free online training ISO 9001:2015 Internal Auditor Course – https://advisera.com/training/iso-9001-internal-auditor-course/
- book - ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/
I'm sorry about this confusion - yes, you should go with the "Integrated" version, this one is optimized if you go only for ISO 27001 implementation.
"Premium" is optimized if you go for both ISO 27001 and ISO 22301 standards, while "Cloud" is if you go for ISO 27001, ISO 27017 and ISO 27018 standards.
In the ISO terminology, other requirements could be regulatory or contractual requirements.
This article will help you: How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
As per the AS9100 requirements, the quality policy does not need to make reference to the AS9100 standard, so if you choose to include this you can choose not to include the revision level. As for business cards, this is also not detailed in the requirements of the standard.
You can find out more on the policy in the article: How to write the AS9100D Quality Policy, https://advisera.com/9100academy/blog/2018/07/09/how-to-write-the-as9100d-quality-policy/
How can an authority in the EU fine a company in India or another country outside the EU?
Based on Art. 27 of the EU GDPR, the controller or processor must appoint a representative. That representative must be based in a Member State in which the relevant individuals are based. There is a limited exemption to the obligation to appoint a representative where the processing is occasional, is unlikely to be a risk to individuals and does not involve large-scale processing of sensitive personal data. Although there is no best practice on this, most likely the fine will be issued to the representatives.
Do you have some materials to help me understand how to start a GDPR program?
I would suggest starting by going through our article “9 steps for implementing GDPR” (https://advisera.com/articles/9-steps-for-implementing-gdpr/) as well as this webinar “An overview of steps needed to comply with GDPR” (https://advisera.com/eugdpracademy/webinar/an-overview-of-steps-needed-to-comply-with-gdpr-free-webinar-on-demand/).
Do you have some materials that I could present to the management of the company to make them aware of the GDPR?
Please check this Power Point presentation that you can download freely from our website “Why is privacy important for our company? - Awareness presentation” (https://info.advisera.com/eugdpracademy/free-download/why-is-privacy-important-for-our-company-awareness-presentation).
If we have access to data of EU users do we need to do anything special? We usually get data from EU companies and we do data cleaning removing duplicates.
Based on the description provided you are acting as a processor and you act on the instructions of your clients. Usually, your clients would need to have you sign a Data Processing Agreement where you would commit yourself to process personal data based on the instructions of the data controller.
We also receive some personal data from our clients' employees when they enter tickets. Is there something specific to consider?
When collecting personal data you need to present to the data subjects a Privacy Notice explaining to them why you need their data and what you are using it for. If you want to find out more about Privacy Notices, check out this free webinar “Privacy Notices under the EU GDPR” (https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/).
How much time do we need to keep the personal data?
Unless there is a specific legal obligation that sets a specific retention period, you can define a retention period yourself, bearing in mind that the data should not be kept for longer than is necessary.
Are there specific security measures to be deployed?
The EU GDPR only specifies in Art. 32 some examples of security measures that can be employed. However, these are mere examples and it is up to the controller/processor to define adequate security measures. A good example and best practice are the security measures in the ISO 27001 standard.
Can you recommend a site to get GDPR updates?
I would suggest going first to the European Data Protection Board website (https://edpb.europa.eu/edpb_en) as well as the websites of the Supervisory Authorities in the EU such as the ICO (https://ico.org.uk/). You will also find useful information on our website as well at https://advisera.com/eugdpracademy/what-is-eugdpr/
Also, we received a request from a client to present our Records of Processing Activities. What are these?
If you act as a controller, you must keep a record of the following information:
· your name and contact details and, where applicable, any joint controllers, representatives and data protection officers;
· the purposes of the processing;
· a description of the categories of data subjects and of the categories of personal data;
· the categories of recipients, including recipients in third countries or international organizations;
· details of transfers of personal data to third countries (where applicable);
· retention periods for different categories of personal data (where possible); and
· a general description of the security measures employed (where possible).
If you act as a data processor, you must keep the following records:
· your name and contact details and, where applicable, representatives and data protection officers;
· the name and contact details of each controller you act for including, where applicable, representatives and data protection officers;
· the categories of processing carried out on behalf of each controller;
· details of transfers of personal data to third countries (where applicable);
· a general description of the security measures employed (where possible).
Do we need to have them?
This document is mandatory if:
· (a) the company has more than 250 employees; or
· (b) the processing the company carries out is likely to result in a risk to the rights and freedoms of data subjects; or
· (c) the processing is not occasional; or
· (d) the processing includes special categories of data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation); or
· (e) the processing includes personal data relating to criminal convictions and offenses.