Please note that in section 2 of the Information Classification Policy there is a reference to an Inventory of Assets, so there is no need to include a reference to control A.8.1.1 (this inventory of assets is the implementation of this control).
Hi, Christin. Please note that considering your scenario, an example of filling out the risk treatment plan columns you mentioned would be:
What a great question! When I first started to work with ISO 14001:2015 I had the same question and expected a unique answer, but after some investigation and reflection, I concluded that there is more than one way to handle the challenge. Each organization should pick the option that best suits its particular situation.
1. There are organizations that determine their environmental aspects and use a risk and opportunities assessment to determine their significant environmental aspects. (Please see the end of the second paragraph of Annex A.6.1.1 of ISO 14001:2015)
2. There are organizations that determine their environmental aspects, evaluate them, determine the significant ones, and use a risk and opportunities assessment to determine which ones need an action plan and which ones need only to be monitored.
3. There are organizations that only apply the risk-based approach to the context part. In a certain way, they are following the same approach as 1 without explicitly mentioning it.
Currently I have two ISO 14001 implementation projects in an industrial context, and I use approach number 2. My second rating system is very simple and based on:
A Yes to any of the questions determines that an action plan is needed.
The following material will provide you with more information about aspects and impacts:
1. I have a question about the example they have described as ABC company and XYZ company. When XYZ company is going to process my personal data for billing purposes, what rights do I have against XYZ company and how can I prevent it from using my personal data? I feel that if it is part of the contract then my consent is not required. If they have not mentioned XYZ company, then how can I limit ABC from processing my personal data?
If a company issues an invoice to you, of course they need to mention some information on the invoice, such as your name. Usually it is the tax code of each country that provides the minimum information that needs to be included in the invoice. The processing of personal data for invoicing purposes is based on legal obligation.
2. Can a privacy statement on the website carry sufficient and common information to all of its customers?
The Privacy Statement/Notice on the website should clearly mention the purposes and lawful basis for which each set of personal data is being processed.
If you want to find out more about Privacy Notices check out this free webinar “Privacy Notices under the EU GDPR” (https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar/).
1. Is the GDPR applicable for individuals as well as companies?
The GDPR applies primarily to businesses established in the EU or inextricably linked to such a business. However, it also applies to businesses outside the EU that offer goods or services to, or monitor the behavior of, individuals in the EU.
It also applies to individuals if the activities exceed normal household activities.
2. If I am an individual booking safari trips for European customers, is the GDPR applicable?
</gml_replace>
<gr_replace lines="24-25" cat="clarify" orig="Yes it is.">
Yes, it is. Moreover, there are some EU jurisdictions where the social security number or a similar identification number is considered sensitive personal data.
If you want to find out more about what constitutes personal data under the EU GDPR, check out this free EU GDPR Foundations Course (https://advisera.com/training/eu-gdpr-foundations-course//)
It would be applicable if you are intentionally targeting individuals in the EU. However, if you are collecting the personal data while the individuals are not in the EU then the GDPR would not be applicable.
3. Is social security number or similar considered personal data?
Yes it is. Moreover, there are some EU jurisdiction where the social security number or similar identification number are considered sensitive personal data.
If you want to find out more about what constitutes personal data under he EU GDPR check out this free EU GDPR Foundations Course ( https://advisera.com/training/eu-gdpr-foundations-course//)
4. Is it legal to require copies of passports from tourists?
Keeping such copies is legal only if you have a specific legal requirement that allows you to do so. Unless this is applicable, keeping copies of ID documents is contrary to the principle of data minimization.
SPC monitoring is necessary for customer-specific requirements and products/processes at a high-risk level. You monitor SPC based on customer requirements for the given product/process.
If you are referring to the normal distribution and the relation between the distribution and the P-value, please note that when the P-value is lower than 0.05, the distribution is normal.
On the other hand, if you are referring to linearity, linearity is a relation between X and Y which can be, for example, positive or negative.
The relation between a normal distribution and SPC can be explained as follows:
When Y has a normal distribution, it means that it follows a central tendency. It also means, based on the theory of central tendency, that it has a variation that we can use to predict the values of our Y.
A normal process has special causes that are easy to spot on the SPC chart when they occur. We cannot predict with certainty a Y that does not have a normal distribution.
That is why we always strive to identify and eliminate special causes and to identify and reduce the impact of common causes so that our process would be as normal (pointy) as possible.
For more information please read our article: "How to establish QMS Statistical process control according to IATF 16949" https://advisera.com/16949academy/blog/2017/08/30/how-to-establish-qms-statistical-process-control-according-to-iatf-16949/
To implement policies you must consider:
These articles will provide you further explanation about policy development and implementation:
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
- How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
- Seven steps for implementing policies and procedures https://advisera.com/27001academy/knowledgebase/seven-steps-for-implementing-policies-and-procedures//
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
To see what policies and procedures for ISO 27001 look like, I suggest taking a look at the free demo of our ISO 27001 Documentation Toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
Advisera's ISO 27001 toolkits are compliant with ISO 27001:2013 - this standard was reviewed in 2019 by ISO and was confirmed as the current standard, which means that no changes have been made to the initial 2013 revision. For more information, please see the official ISO 27001 page: https://www.iso.org/standard/54534.html
Please be aware that standardization bodies of some countries have re-published ISO 27001 in a different year (e.g. ISO 27001:2016, ISO 27001:2017, etc.), however, the text of the standard has remained identical in all those standards. See more here: European 2017 Revision of ISO/IEC 27001: What has changed? https://advisera.com/27001academy/blog/2017/10/25/european-2017-revision-of-isoiec-27001-what-has-changed/
ISO 27701 is not mandatory, and it doesn't change or influence the implementation of ISO 27001 and GDPR. Therefore, by using our toolkits you will be fully compliant with ISO 27001 and/or EU GDPR.
As with any new standard, it remains to be seen if ISO 27701 will become popular, i.e. useful. Of course, we're considering it, and will most probably publish some articles and free webinars on this topic.
To prepare a corrective action to treat a non-conformity you need to:
This article will provide you further explanation about corrective actions:
- Seven Steps for Corrective and Preventive Actions to support Continual Improvement https://advisera.com/9001academy/blog/2013/10/27/seven-steps-corrective-preventive-actions-support-continual-improvement/ (although this article is about ISO 9001, the same concept applies to ISO 27001)
This material will also help you regarding corrective actions:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/