Job title and position refer to the roles in the organization that have the responsibility to perform some activity in the document. For example, in the phrase "[Job title] is responsible for coordinating risk assessment activities", you have to define which role in your organization will coordinate this activity. This can be the security officer, if such a role exists in your organization, or you can assign an existing role to take on this activity (e.g., IT manager).
For more information about roles and responsibilities, please read:
- How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
- Como documentar papéis e responsabilidades de acordo com a ISO 27001 (Portuguese version) https://advisera.com/27001academy/pt-br/blog/2016/06/22/como-documentar-papeis-e-responsabilidades-de-acordo-com-a-iso-27001/
The California Consumer Privacy Act (CCPA) has requirements related to the processing of personal data, and ISO 27001 has requirements for the protection of information security, so the ISO 27001 Lead Auditor certification can provide you a good foundation for auditing CCPA requirements.
To schedule a meeting with one of our experts, please access this link: https://advisera.com/27001academy/consultation/
This article will provide you further explanation about CCPA and ISO 27001:
- Does ISO 27001 help CCPA compliance? https://advisera.com/27001academy/blog/2018/10/16/does-iso-27001-help-ccpa-compliance/
These materials will also help you regarding becoming an ISO 27001 Lead Auditor:
- How to become ISO 27001 Lead Auditor https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
- What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
- ISO 27001:2013 Lead Auditor course https://advisera.com/training/iso-27001-lead-auditor-course/
In fact, this is a critical issue you have to take into account when selecting a toolkit. Good toolkits not only cover the requirements to ensure your ISMS is compliant with the standard, but also leave plenty of space for you to include your own information; excellent toolkits also include examples of how to include your own data and provide support to help you when you're stuck. This second approach is used by Advisera in its toolkits, which are sold in more than 100 countries around the world.
To see what our ISO 27001 documentation toolkit looks like, please access this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
For more information about implementation approaches, please read:
- 3 strategic options to implement any ISO standard https://advisera.com/blog/2016/04/11/3-strategic-options-to-implement-any-iso-standard/
First of all, sorry for this situation.
The original text in English for this column is "Audit implementation record", and the audit report is one way to evidence that the audit was performed.
If by "Protocol to execute the audit" you are referring to a system of rules about the correct way to act in audits, then it refers to the internal audit procedure. If your organization has one, it should be listed in the "Auditing Method" column.
The consideration of interfaces and dependencies can be evidenced through the ISMS scope, which can be a totally separate document or a part of an Integrated Management System Manual. (Please note that ISO 27001 does not require an IMS manual to be written, nor that interfaces and dependencies be documented.)
These articles will provide you further explanation about ISMS scope:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
This material will provide you further explanation about ISMS scope:
- How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
As a management system standard, ISO 22301:2019 does not prescribe how to achieve business continuity, only what needs to be achieved.
Considering that, clause 8.4.5 (recovery) requires documented processes to restore and return business activities to regular operation after a disruption. Implementation of these requirements is in most cases achieved through an IT disaster recovery program and a DRP site, but this is not mandatory, because organizations may decide on a different approach (e.g., some small percentage of low-tech companies might be able to recover without using computers).
This article will provide you further explanation about the Disaster Recovery Plan:
- Disaster recovery vs Business continuity https://advisera.com/27001academy/blog/2010/11/04/disaster-recovery-vs-business-continuity/
1. If I have multiple subsidiaries in more than one EU country, do I need to appoint a Lead Supervisory Authority?
Appointing a Lead Supervisory Authority is something that is provided for your convenience and is not mandatory. So, you can decide to appoint just one or you can choose to deal independently with all the Supervisory Authorities where your subsidiaries are located.
2. Do I need to register in all EU countries where the subsidiaries are located?
Registration is something that the GDPR left to the local Supervisory Authorities to decide. My advice is to check the website of the Supervisory Authorities and check if you need to register. Some EU countries do not require registration such as France and Romania but others do, such as the UK.
3. Can I appoint just one DPO for all of the subsidiaries, or would I need one in each country?
Not necessarily; depending on your activities, you can decide to appoint just one DPO to handle multiple jurisdictions. However, you need to be aware that the DPO may need to interact with the data subjects and the Supervisory Authorities in those jurisdictions, which may require knowledge of the local language as well as legislation.
If you want to learn more about the tasks of a DPO, check out this free webinar "Role of the DPO according to EU GDPR" (https://advisera.com/eugdpracademy/webinar/role-of-the-dpo-according-to-eu-gdpr-free-webinar-on-demand/).
4. Based on your experience, how much time and resources are needed to become compliant with the GDPR?
Time and resources to become compliant with the EU GDPR are closely linked with your activities as well as your staff. We have developed this "EU GDPR Compliance Duration Calculator" (https://advisera.com/eugdpracademy/eu-gdpr-compliance-duration-calculator/).
Let us suppose that an organization is not satisfied with the level of non-conformities on product X. So, the first step is to focus the improvement effort by performing a symptom diagnosis using, for example, a Pareto chart.
After this initial screening the organization needs:
a) to determine probable causes;
b) make some tests or investigations to find root-cause(s);
c) develop alternative solutions;
d) select the best one;
e) implement the solution;
f) check the effectiveness of that solution.
The five whys technique is used in step a). Normally, root causes are deeply hidden in the way an organization works and decides how to act. So, when looking into the cause of a problem in an organization, someone asks:
- Why is this problem happening?
An answer can be:
- That happens because people have no training
That is a first why, a first cause for a problem. After that someone might ask:
- And why do people have no training?
- Because they are new employees and they did not receive any initial training
- And why did they not receive any initial training?
- Because the training department was not informed of their arrival
- And why was the training department not informed of their arrival?
- Because we did not plan their integration in the company, and they had to be integrated in a hurry to close the gap in people needed to work in the Summer season
- And why did we not plan their integration, when the Summer season requirements are well known in advance?
- So, if we improve our preparation of the Summer season, we can prepare new employees integration, give them training and avoid future problems.
Asking why five times can lead us to a deep systemic cause with impact on the problem and manageable by those that want to improve the organization.
The following material will provide you with information about root cause analysis:
- Article - ISO 9001 – How to use root cause analysis to support corrective actions in your QMS - https://advisera.com/9001academy/blog/2016/03/01/how-to-use-root-cause-analysis-to-support-corrective-actions-in-your-qms/
- Free webinar – Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
Unfortunately, we do not have example documents we can disclose due to confidentiality agreements with our customers.
Regarding requirements for employees, an example would be keeping the confidentiality of their personal records kept by the organization.
A requirement for shareholders would be the integrity of financial and performance reports.
About clients' requirements, you should consider clauses in service agreements you have with them.
This article will provide you further explanation about requirements identification:
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
When thinking about context, consider both internal and external topics. As internal topics, think about weaknesses and strengths of your organization, things like experience, difficulties, and successes.
As external topics, think about opportunities or threats in the market, things like economic trends, technological evolution, legislation trends, and social evolution. Check particularly the first link below.
The following material will provide you more information about context and interested parties:
- Article - Case study for ISO 9001:2015 transition in a construction company - https://info.advisera.com/hubfs/9001Academy/9001Academy_FreeDownloads/Case_study_for_ISO_9001_2015_transition_in_construction_company_EN.pdf
- Article - How to identify the context of the organization in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
- Article - How to determine interested parties and their requirements according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/11/10/how-to-determine-interested-parties-and-their-requirements-according-to-iso-90012015/
- Free webinar - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/