The processor must return or delete personal data at the end of the agreement, save to the extent the processor must keep a copy of the personal data under EU or Member State law. Art. 28(3)(g).
1. “Mail significant for the planning and operation of the ISMS/compliance with GDPR” should be recorded. This can be an Excel file on our SharePoint or an actual paper/pen notebook at the office, I assume. What would, in reality, be such mail? I can think of, e.g., someone who would send a letter exercising his “right to be forgotten”.
I will have to explain to the others in the company which mail they will have to register and what will not be considered as “mail significant for the planning and operation of the ISMS/compliance with GDPR”, but I don’t really know the answer to that myself yet…
Yes, you could receive a letter related to the right to be forgotten, consents, data subject access requests, etc.; you could also receive official letters from data protection authorities, or from agencies that regulate information security. As you mentioned, you can record them in Excel, SharePoint, or in a simple note.
2. I want to make a list per function/role in the company of all the responsibilities and tasks as described through the policies and procedures. Is there already a template for this? I don’t find it in the kit.
First, it is important to note that ISO 27001 does not require a central document for all responsibilities and tasks defined for the ISMS. The description of these on each template in the toolkit is sufficient to cover the requirements for certification. Considering that, we do not recommend the creation of such a list, because it will only duplicate information (increasing the risk of having outdated information) and increase administrative effort.
3. Also, is there a list of all ISMS related type of roles? As CISO, Senior Management, Compliancy Officer, DPO…?
ISO 27001 does not prescribe roles to be created to implement an ISMS, so organizations are free to define them as they see fit. You can either create roles you understand are important, or you can assign responsibilities to already existing roles in your organization. In general, the most common role created is the chief information security officer (CISO).
These articles will provide you further explanation about roles and responsibilities:
- How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
- Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
- What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
1. Do you have any suggestions for me?
To see what a disaster recovery plan looks like, I suggest you take a look at the free demo of our Disaster Recovery Plan at this link: https://advisera.com/27001academy/documentation/disaster-recovery-plan/
This document will help you define precisely how an organization will recover its IT infrastructure and IT services within set deadlines in the case of a disaster or other disruptive incident, while also meeting the requirements of ISO 27001 and ISO 22301.
2. What other ISO standard is associated with the ISO/IEC 27001 and 27002?
Please note that ISO/IEC 27001 and 27002 are related to information security, which covers only a small part related to disaster recovery. The main ISO standard for business continuity and disaster recovery is ISO 22301, which can help you not only to develop a disaster recovery policy and plans.
These articles will provide you further explanation about ISO 22301 and disaster recovery:
- What is ISO 22301 https://advisera.com/27001academy/what-is-iso-22301/
- Disaster recovery vs Business continuity https://advisera.com/27001academy/blog/2010/11/04/disaster-recovery-vs-business-continuity/
This material will also help you regarding business continuity and disaster recovery:
- Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
1. What is the best software for visualizing process frameworks and process maps?
Answer:
I cannot point you to any particular brand. I am still using basic slide software with flowchart symbols to draw them. I know I would like to find software where I could relate process steps with activities and functions, but I have never found one good enough.
2. How, or to what level, should risks be incorporated into the process framework and maps?
Answer:
After drawing a process and defining its purpose and indicators I put them on a wall, and I invite people to a brainstorm about what can go wrong in the process. Later after evaluation of those risks, I invite people to develop changes in the process to minimize or avoid those risks. It is interesting that I find this exercise much more useful when organizations have less experience regarding quality. For example, this way they find in a bottom-up approach what they need to control, in the process or product/service.
3. How to define process frameworks and separate process goals?
Answer:
I do not start with any particular process framework. I start with different groups of customers with needs and expectations (I put each group on a sticky note on the left side of a wall), and I end with the same different groups of customers but now served (I put each group on a sticky note on the right side of the same wall). Then I invite people to use sticky notes of a different color to identify the actions needed to go from left to right. One action, one sticky note. Then, as a group, we organize sets of actions under the same “umbrella”. Each umbrella is a process. That way I believe people understand better what a process is. For each process I ask for the purpose, the reason for its existence. After writing the purpose it is easy to develop goals and indicators. For example, if I say that the purpose of the process “Develop new products” is to win new customers and improve competitiveness, I would like to measure how many new customers buy new products. I would like to measure average price or average margin.
4. Is BPMN a good fit for process modelling and communication?
Answer:
Yes. I use a simplified version. I would recommend it without any hesitation.
The following material will provide you more information about processes:
- Article - ISO 9001: The importance of the process approach - https://advisera.com/9001academy/blog/2015/12/01/iso-9001-the-importance-of-the-process-approach/
If you are looking to develop a robust risk management process for your OHSMS, it is important to identify not only the risks that are associated with your process hazards, but also to identify organizational risks that can affect your ability to maintain the OH&S performance of your organization (such as reacting to a supplier notifying you that they are stopping production on a chemical you use that is the safest known alternative, and replacing it will mean greater hazards for your employees). Addressing all of these risks by taking adequate steps to control the risks is the next robust step to manage and control your OH&S risks.
For more information on a robust risk management process, see the article: What to include in risk management methodology according to ISO 45001:2018, https://advisera.com/45001academy/blog/2019/03/21/what-to-include-in-risk-management-methodology-according-to-iso-45001/
Your process for avoiding counterfeit parts needs to be directly proportional to the risk presented by counterfeit parts for your products. For many organizations making the decision to only buy from original equipment manufacturers (OEMs) and approved distributors is all they need for this process. When it comes to configuration management, this again is going to depend on your specific internal product documentation (such as drawings, test plans, etc.) but in general will require that you have controls in place to make sure that people have the right documents at the right time, control the approval of changes and ensure that changes are applied to the right hardware associated with the documents.
You can learn more about counterfeit parts control in the article: Practical guidance on preventing counterfeit parts by applying AS9100 Rev D, https://advisera.com/9100academy/blog/2018/10/25/practical-guidance-on-preventing-counterfeit-parts-by-applying-as9100-rev-d/ and more on configuration management in the article: Understanding configuration management in AS9100 Rev D, https://advisera.com/9100academy/blog/2017/05/08/understanding-configuration-management-in-as9100-rev-d/
Do state authorities have to comply with GDPR? Are there any restrictions?
Yes, the state authorities have to comply with the GDPR as well; there is no distinction, except for authorities operating in the field of national security.
How does the GDPR compare to the national laws?
One restriction that applies to public authorities is the fact that they cannot use legitimate interest as a lawful ground for processing.
Which will prevail in a conflict between GDPR and national laws?
The EU GDPR is what is called in legal terms “lex generalis”, so it is applicable to all Member States, but if there is a conflict with a specialized local law such as a Tax Law, Criminal Code, etc., the specialized law prevails.
Does an IP constitute personal data?
The IP is personal data as it can be linked to a specific household or even a specific person. If you want to find out more about what constitutes personal data check out this EU GDPR Foundations Course (https://advisera.com/training/eu-gdpr-foundations-course//).
Can you please provide an example on what automated decision making means?
One classic example of automated decision making is the use of credit scoring software by banks. The software gives a scoring based on factors such as age, workplace, studies etc. without the need of human intervention.
The first thing is to have the commitment of the company's top management; this is fundamental and is going to be one of the requirements of ISO 14001, but it is also essential in order to have the necessary resources, both financial and personnel, to carry out the implementation of the standard. Here you can find information about the benefits of ISO 14001 - 6 Beneficios clave de la ISO 14001: https://advisera.com/14001academy/es/knowledgebase/6-beneficios-clave-de-la-iso-14001/
Once we have the support of top management, we can carry out a gap analysis, which will indicate those areas in which we need to comply with the requirements of ISO 14001 in our organization. At this link you can perform a gap analysis free of charge - Herramienta de análisis de brecha en ISO 14001: https://advisera.com/14001academy/es/herramienta-gap-analysis-iso-140012015/
Afterwards you can write a Project Plan, in which you define what the milestones will be during the implementation, draw up a schedule of activities and define each of the responsibilities. You can download this project plan free of charge and adapt it to your organization - Project plan for ISO 14001 implementation: https://info.advisera.com/14001academy/free-download/project-plan-for-iso-14001-implementation-ms-word
Then you could start defining the scope of the environmental management system, the context of the organization, the interested parties, etc., up to the internal audit and the management review. In this article you can find more information about each of the steps - Lista de pasos para la implementación de la ISO 14001: https://advisera.com/14001academy/es/knowledgebase/lista-de-pasos-para-la-implementacion-de-la-iso-14001/
For more information about the steps for implementing ISO 14001:2015, see the following materials:
- White paper - Clause by clause explanation of ISO 14001:2015: https://info.advisera.com/14001academy/free-download/clause-by-clause-explanation-of-iso-140012015
- Book – The ISO 14001:2015 companion: https://advisera.com/books/the-iso-14001-2015-companion/
- Free online course – Fundamentos de la norma ISO 14001:2015: https://advisera.com/training/es/course/curso-fundamentos-iso-14001/
The minimum requirements your organization must comply with regarding clause 8 can be summarized in the following points:
Clause 8.1 – Operational planning and control
At this point the organization must determine:
- What the quality objectives are, as well as the minimum requirements for providing the service.
- What processes, resources and documentation are necessary to provide the service.
- The activities necessary to carry out the verification, validation and monitoring of the service.
- That it has the records that can evidence that the processes and the service comply with the requirements that have been established.
This article can help you understand the requirements for products – Product requirements work in ISO 9001: https://advisera.com/9001academy/blog/2014/04/08/product-requirements-work-iso-9001/
Clause 8.2.3 – Review of the requirements for products and services
This review must be carried out before the organization provides the service to the consumer or customer. In this way it is possible to know whether it can carry it out. For this, the institution must guarantee that the requirements are perfectly defined and that it has the capacity to meet them. Records of this review must be maintained.
Clause 8.3.5 – Design and development outputs
The outputs of service design and development must make it possible to verify the inputs and outputs, since these are what determine those processes.
On the other hand, it is necessary to establish the information needed to carry out the purchase of products and/or services, the provision of the service, and to determine the requirements regarding subcontracting, etc.
In this case it would be necessary to keep records of each of these processes.
Clause 8.4.1 – Externally provided products and services
The organization must establish a set of criteria for its suppliers, in order to be able to evaluate the services they provide. In this way the institution guarantees that the service or product it buys meets the specified requirements.
The records resulting from the evaluation, the monitoring of performance and the re-evaluation of external providers must be kept.
In this article you can find more information about evaluating external providers – How to evaluate supplier performance according to ISO 9001:2015: https://advisera.com/9001academy/blog/2015/10/27/how-to-evaluate-supplier-performance-according-to-iso-90012015/
Clause 8.5.2 – Identification and traceability
This point might not be applicable to your institution, since it deals with the identification of the product/service throughout the whole realization process.
Clause 8.6 – Release of products and services
All services provided (and this also applies if you provide products) must be subject to monitoring and measurement processes; that is, it must be evidenced that they have met the defined acceptance criteria. These requirements could be established by law.
Clause 8.7 – Control of nonconforming outputs
The organization must keep records of the actions taken regarding nonconforming outputs, whether from the processes, services or products it provides.
These materials can help you better understand clause 8 in ISO 9001:2015:
- Article – Clause by clause explanation of ISO 9001:2015 https://info.advisera.com/9001academy/free-download/clause-by-clause-explanation-of-iso-90012015
- Enroll for free in this course - Curso de Fundamentos de la norma ISO 9001:2015 - https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
- Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
How can I maintain objectivity in an internal EMS audit while I am the EMS implementor?
Answer:
Objectivity is sticking to the facts, being guided by the evidence and considering that an account of an event will be closer to the truth the more supporting evidence it has. So, focus on the audit objective. Study the audit criteria and develop a checklist requesting clear evidence of conformity. Make sure the sampling is representative. For me this is the most important thing to ensure objectivity.
Think about the risks – Where will you have more possibilities of losing objectivity? What measures can you take to minimize those risks?
Having failed my auditor exam, how do I know where I failed and what to improve on?
Answer:
There is no universal methodology that training organizations follow. In Advisera courses, people are informed of the area or part of the exam they failed, and only answer those parts in a new exam.
The following material will provide you more information about internal audits:
- Article - ISO 9001 internal auditor training: Is it for me? - https://advisera.com/9001academy/blog/2015/06/02/iso-9001-internal-auditor-training-is-it-for-me/
- Free webinar - How to perform an ISO 14001:2015 internal audit - https://advisera.com/14001academy/webinar/how-to-perform-an-iso-14001-2015-internal-audit-free-webinar-on-demand/
- Enroll for free in this course – ISO 14001:2015 Internal Auditor Course - https://advisera.com/training/iso-14001-internal-auditor-course/
- Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/