
  • Compliance checklist for ITIL

    Our documentation toolkit, for both ITIL and ISO 20000, contains a list of documents. In that list you’ll find the compliance of each document with the respective best practice or ISO standard.

    ITIL Documentation toolkit can be found here https://advisera.com/wp-content/uploads//sites/6/2015/07/List_of_documents_ITIL_Documentation_Toolkit_EN.pdf


    Please note that ITIL doesn't have mandatory documents, compared to ISO 20000.

  • Section 4.3 ISO 9001:2015

    Examples of external issues can be market factors such as competition, market leader trends, or supply chain relationships. Other examples can be statutory and regulatory factors. Operating in certain areas can require certification due to regulation or competition.

    Examples of internal issues can be operational factors such as process or production and service provision capabilities. For example, an organization can decide to certify just part of the production facilities.

    The following material will provide you with information about the scope:

    - ISO 9001 – How to define the scope of the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
    - Free webinar – ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Customer Special Characteristics

    Customers usually specify very directly the requirements for special characteristics.

    In IATF 16949 there is no requirement for visualization to identify “good” and “bad” examples, but it can be a very common special characteristic.

    For more information on requirements when implementing IATF 16949 please read our article: 

    How to satisfy customer-specific requirements when implementing IATF 16949 https://advisera.com/16949academy/blog/2019/07/02/iatf-16949-customer-specific-requirements-how-to-meet-them/

  • Delete the data after a request

    The processor must return or delete personal data at the end of the agreement, save to the extent the processor must keep a copy of the personal data under EU or Member State law. Art. 28(3)(g).

  • Roles in ISMS

    1. “Mail significant for the planning and operation of the ISMS/compliance with GDPR” should be recorded. This can be an Excel file on our SharePoint or an actual paper/pen notebook at the office, I assume. What would, in reality, be such mail? I can think of, e.g., someone who would send a letter exercising his “right to be forgotten”.
    I will have to explain to the others in the company which mail they will have to register and what will not be considered as “mail significant for the planning and operation of the ISMS/compliance with GDPR”, but I don’t really know the answer to that myself yet…

    Yes, you could receive a letter related to the right to be forgotten, consents, data subject access requests, etc.; you could also receive official letters from data protection authorities, or from agencies that regulate information security. As you mentioned, you can record them in Excel, SharePoint, or in a simple note.

    2. I want to make a list per function/role in the company of all the responsibilities and tasks as described through the policies and procedures. Is there already a template for this? I don’t find it in the kit.

    First, it is important to note that ISO 27001 does not require a central document for all responsibilities and tasks defined for the ISMS. The description of these in each template in the toolkit is sufficient to cover requirements for certification. Considering that, we do not recommend the creation of such a list, because it will only duplicate information (increasing the risk of having outdated information) and increase administrative effort.

    3. Also, is there a list of all ISMS related type of roles? As CISO, Senior Management, Compliancy Officer, DPO…?

    ISO 27001 does not prescribe roles to be created to implement an ISMS, so organizations are free to define them as they see fit. You can either create roles you understand are important, or you can assign responsibilities to already existing roles in your organization. In general, the most common role created is the chief information security officer (CISO).

    These articles will provide you with further explanation about roles and responsibilities:
    - How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
    - Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
    - What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/

  • Disaster recovery

    1. Do you have any suggestions for me?

    To see what a disaster recovery plan looks like, I suggest you take a look at the free demo of our Disaster Recovery Plan at this link: https://advisera.com/27001academy/documentation/disaster-recovery-plan/

    This document will help you to define precisely how an organization will recover its IT infrastructure and IT services within set deadlines in the case of a disaster or other disruptive incident, while also addressing requirements of ISO 27001 and ISO 22301.

    2. What other ISO standard is associated with the ISO/IEC 27001 and 27002?

    Please note that ISO/IEC 27001 and 27002 are related to information security, which covers only a small part related to disaster recovery. The main ISO standard for business continuity and disaster recovery is ISO 22301, which can help you not only to develop a disaster recovery policy and plans.

    These articles will provide you with further explanation about ISO 22301 and disaster recovery:
    - What is ISO 22301 https://advisera.com/27001academy/what-is-iso-22301/
    - Disaster recovery vs Business continuity https://advisera.com/27001academy/blog/2010/11/04/disaster-recovery-vs-business-continuity/

    This material will also help you regarding business continuity and disaster recovery:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/

  • Webinar questions

    1. What is the best software for visualizing process frameworks and process maps?

    Answer:

    I cannot point you to any particular brand. I am still using basic slide software with flowchart symbols to draw them. I know I would like to find software where I could relate process steps with activities and functions, but I have never found one good enough.

    2. How, or to what level, should risks be incorporated into the process framework and maps?

    Answer: 

    After drawing a process and defining its purpose and indicators, I put them on a wall and I invite people to brainstorm about what can go wrong in the process. Later, after evaluation of those risks, I invite people to develop changes in the process to minimize or avoid those risks. It is interesting that I find this exercise much more useful when organizations have less experience regarding quality. For example, this way they find, in a bottom-up approach, what they need to control in the process or product/service.

    3. How to define process frameworks and separate process goals?

    Answer:

    I do not start with any particular process framework. I start with different groups of customers with needs and expectations (I put each group on a sticky note on the left side of a wall), and I end with the same different groups of customers but now served (I put each group on a sticky note on the right side of the same wall). Then I invite people to use sticky notes of a different color to identify actions needed to go from left to right. One action, one sticky note. Then, as a group, we organize sets of actions under the same “umbrella”. Each umbrella is a process. That way I believe people understand better what a process is. For each process I ask for the purpose, the reason for its existence. After writing the purpose it is easy to develop goals and indicators. For example, if I say that the purpose of the process “Develop new products” is to win new customers and improve competitiveness, I would like to measure how many new customers buy new products. I would like to measure average price or average margin.

    4. Is BPMN a good fit for process modelling and communication?

    Answer:

    Yes. I use a simplified version. I would recommend it without any hesitation.

    The following material will provide you with more information about processes:

    - Article - ISO 9001: The importance of the process approach - https://advisera.com/9001academy/blog/2015/12/01/iso-9001-the-importance-of-the-process-approach/


  • ROBUST APPROACH FOR MANAGING RISKS

    If you are looking to develop a robust risk management process for your OHSMS, it is important to identify not only the risks that are associated with your process hazards, but also to identify organizational risks that can affect your ability to maintain the OH&S performance of your organization (such as reacting to a supplier notifying you that they are stopping production of a chemical you use that is the safest known alternative, and replacing it will mean greater hazards for your employees). Addressing all of these risks by taking adequate steps to control the risks is the next robust step to manage and control your OH&S risks.

    For more information on a robust risk management process, see the article: What to include in risk management methodology according to ISO 45001:2018, https://advisera.com/45001academy/blog/2019/03/21/what-to-include-in-risk-management-methodology-according-to-iso-45001/

  • Implementing configuration management

    Your process for avoiding counterfeit parts needs to be directly proportional to the risk presented by counterfeit parts for your products. For many organizations, making the decision to only buy from original equipment manufacturers (OEMs) and approved distributors is all they need for this process. When it comes to configuration management, this again is going to depend on your specific internal product documentation (such as drawings, test plans, etc.), but in general it will require that you have controls in place to make sure that people have the right documents at the right time, control the approval of changes, and ensure that changes are applied to the right hardware associated with the documents.

    You can learn more about counterfeit parts control in the article: Practical guidance on preventing counterfeit parts by applying AS9100 Rev D, https://advisera.com/9100academy/blog/2018/10/25/practical-guidance-on-preventing-counterfeit-parts-by-applying-as9100-rev-d/ and more on configuration management in the article: Understanding configuration management in AS9100 Rev D, https://advisera.com/9100academy/blog/2017/05/08/understanding-configuration-management-in-as9100-rev-d/

  • GDPR and local legislation

    Do state authorities have to comply with GDPR? Are there any restrictions?

    Yes, state authorities have to comply with the GDPR as well; there is no distinction, except for authorities operating in the field of national security.

    How does the GDPR compare to the national laws?

    One restriction that applies to public authorities is the fact that they cannot use legitimate interest as a lawful ground for processing.

    Which will prevail in a conflict between GDPR and national laws?

    The EU GDPR is what is called in legal terms “lex generali”, so it is applicable to all Member States, but if there is a conflict with a specialized local law such as a Tax Law, Criminal Code, etc., the specialized law prevails.

    Does an IP constitute personal data?

    The IP is personal data as it can be linked to a specific household or even a specific person. If you want to find out more about what constitutes personal data check out this EU GDPR Foundations Course (https://advisera.com/training/eu-gdpr-foundations-course//).

    Can you please provide an example on what automated decision making means?

    One classic example of automated decision making is the use of credit scoring software by banks. The software gives a score based on factors such as age, workplace, studies, etc. without the need for human intervention.
