ISO 14001:2015 has no particular requirements concerning those that will implement an environmental management system or be responsible for its operation, maintenance and improvement.
Each organization is free to define competence requirements for that role.
Being a Health Inspector may give you some experience with regulations and with the task of working with others to follow rules. Besides that qualification I recommend learning about ISO 14001:2015 requirements, learning about good internal audit practices, and learning about good implementation practices.
The following material will provide you more information about training:
- Free webinar - How to use a Documentation Toolkit for the implementation of ISO 14001 - https://advisera.com/14001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-14001-free-webinar-on-demand/
- Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
- Enroll for free in this course - ISO 14001:2015 Lead Implementer Course - https://advisera.com/training/iso-14001-lead-implementer-course/
- Enroll for free in this course - ISO 14001:2015 Internal Auditor Course - https://advisera.com/training/iso-14001-internal-auditor-course/
- Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
ISO 27001 does not prescribe methods for secure software development, so organizations are free to adopt the approach that best fits their needs, and provided the adopted approach fulfills the standard's requirements, auditors will be ok with it. Unfortunately, we do not have details about the use of SCRUM in software development in ISO certified organizations, but regarding ISO 27001 implementation, it is an approach as useful and effective as any other project management framework.
These articles will provide you a further explanation about Scrum and information security, and about ISO 27001 controls for the software development life cycle:
- How to use Scrum for the ISO 27001 implementation project https://advisera.com/27001academy/blog/2017/03/27/how-to-use-scrum-for-the-iso-27001-implementation-project/
- How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/
The Standard Contractual Clauses are documents issued by the EU Commission and are meant to be used only when transferring personal data outside the EU. The Data Processing Agreement is to be used when both controller and processor are in the EU.
If this simplified security policy covers all requirements from the standard, properly addresses the results of the risk assessment and the legal requirements your organization must fulfill, and is understood and easily handled by your employees, then it is acceptable under ISO 27001 requirements and to certification auditors.
Regarding our toolkit, we haven’t found a proper policy format that would meet all those criteria, which is why we recommend the usage of the documents from the toolkit.
These articles will provide you a further explanation about developing documents:
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
- How detailed should the ISO 27001 documents be? https://advisera.com/27001academy/blog/2014/09/22/detailed-iso-27001-documents/
First, it is important to note that usually a methodology is written, not a manual.
To develop a risk assessment and treatment methodology compliant with ISO 27001 you must consider:
1) Define how to identify the risks that could cause the loss of confidentiality, integrity and/or availability of your information
2) Define how to identify the risk owners
3) Define criteria for assessing consequences and assessing the likelihood of the risk
4) Define how the risk will be calculated
5) Define criteria for accepting risks
To see what a Risk Assessment and Treatment Methodology looks like, I suggest you take a look at the free demo of our Risk Assessment and Risk Treatment Methodology at this link: https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/
This article will provide you a further explanation about Risk assessment and treatment methodology:
- How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
1. In the institution, we have a core business system, which interacts with and is projected to link with other systems, so I am analyzing whether it is feasible to obtain the ISO 27001:2013 certification only for said system and the entire infrastructure, processes, resources, and assets surrounding this management information system. Is this feasible? No implementation is required for the entire organization.
The ISMS scope can cover the whole organization, or only specific locations, processes or information, so you can limit your ISMS scope to this system and related assets.
The main point when considering this approach is the effort required to keep the ISMS scope separated from the rest of the organization's elements (for small and mid-sized organizations the effort is often not worthwhile, and it is better to include the whole organization in the ISMS scope).
These articles will provide you a further explanation about the scope definition:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
- How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
2. The certificate logo can be used on the homepage of the management system (for an institutional presence issue).
Once certified, the organization will receive from its certification body instructions on how to use the certificate logo properly, and in general, when the certificate does not cover the whole organization, this has to be made explicitly clear in all uses of the certificate logo.
3. I understand that you sell the documentary package, but I would like to know the approximate cost of the audit to obtain the certification.
There are a significant number of variables to be considered when estimating an implementation cost, such as the size and complexity of the scope, number of employees, number of sites, etc. Additionally, you also have these main topics to consider:
- Training and literature
- External assistance
- Technologies to be updated/implemented
- Employees' effort and time
- The certification process
These articles can provide you more information:
- How much does ISO 27001 implementation cost? https://advisera.com/27001academy/blog/2011/02/08/how-much-does-iso-27001-implementation-cost/
- 5 ways to avoid overhead with ISO 27001 (and keep the costs down) https://advisera.com/27001academy/blog/2012/06/19/5-ways-to-avoid-overhead-with-iso-27001-and-keep-the-costs-down/
- How to Budget an ISO 27001 Implementation Project https://info.advisera.com/27001academy/free-download/how-to-budget-an-iso-27001-implementation-project
First, it is important to note that stages 1 and 2 refer only to certification audits. Internal audits do not need to follow this approach (all activities described below are performed in a single "stage").
Considering that, the ISO 27001 Stage 1 certification audit is also called "Documentation review" - the auditor will evaluate whether you have all the mandatory documentation.
You can find the list of mandatory documents in this blog post: List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
Regarding stage 2, the auditor goes around your company, speaks to your employees, looks for logs and other records, observes the effectiveness of your safeguards (the controls stated as applicable in the Statement of Applicability - SoA), etc.
Learn more about it in this webinar: ISO 27001/ISO 22301: The certification process https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/
This article will provide you a further explanation about internal audit:
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
1. Is the GDPR applicable only to companies or private persons as well?
The EU GDPR applies to the processing of personal data wholly or partly by automated means, and to manual processing if the personal data form part of a filing system or are intended to form part of a filing system, so you can see that there is no exclusion of private individuals. However, there are certain Supervisory Authorities (e.g., the Romanian Supervisory Authority) that have stated that the GDPR only applies to companies.
2. Where do I need to publish my privacy policy?
It depends on the processing activities you want to describe. You can have a generic Privacy Policy covering the bulk of your processing activities, but for very specific ones, such as processing data you collect through your website or the data of your employees, you need a specific Policy/Notice.
3. Do I need to have an inventory of activities that I do?
Companies or institutions with fewer than 250 employees are exempt from keeping a record, if the processing is not likely to pose a risk to the rights and freedoms of the data subject, if no special categories of data are processed or if the processing is done only occasionally, as is indicated in Art. 30(5) GDPR. In practice, this exemption is rarely applicable.
4. Can I use GPS to monitor my sales agents?
You could use GPS, but not to track your agents themselves; rather, to track the vehicles they are using. However, you need to let them know that this is happening via a Privacy Notice. You can find out more about Privacy Notices from our free webinar “Privacy Notices under the EU GDPR” (https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/).
5. Do I need the consent from my sales agents?
This depends on the jurisdiction where you are registered. You should check the Supervisory Authority website of the country where you are registered. However, most EU countries do not require registration after the GDPR entered into force last year.
First, remember that determining the scope of a QMS is not a technical decision; it is a management decision. The scope sets the boundaries of your QMS.
Consider a company that manufactures products both for its own brand and as a subcontractor for brands from other companies. That organization may decide to certify its QMS only for the subcontracting operations.
Imagine a hotel with a restaurant, pool, spa, and other services. Top management may decide to certify only the room part of the business.
Normally, organizations describe their QMS scope in a management review meeting record or include it in the QMS manual.
The following material will provide you with more information about scope, context and implementation:
- How to define the scope of the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
- I believe this Case study for ISO 9001:2015 transition in a construction company will be helpful for someone starting in the field - https://info.advisera.com/9001academy/free-download/case-study-for-iso-9001-2015-transition-in-a-construction-company
- Free webinar - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/
- Enroll for free in this course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Enroll for free in this course – ISO 9001:2015 Lead Implementer Course - https://advisera.com/training/iso-9001-lead-implementer-course/
- Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
At Advisera we do not have specific content for determining the context of a hydroelectric plant or for completing a SWOT analysis for this type of organization. However, I will guide you so that you can complete the analysis satisfactorily.
Regarding the internal context, you must take into account internal issues such as the organizational culture; the company's capabilities understood in terms of resources and knowledge (people, capital, time, etc.); the organization's contractual relationships; guides, guidelines and standards adopted by the organization, etc. All of this can have negative consequences for the planning, construction and maintenance of a hydroelectric plant.
As for external issues, you must take into account the environmental conditions in which the hydroelectric plant is located, since they can influence risks such as floods, droughts, etc.; issues related to users, suppliers and competitors; and finally, the existing economic, political, legal and social conditions in which the hydroelectric plant operates.
For more information you can see the following materials:
- Article – How to identify the context of the organization in ISO 9001:2015: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/como-identificar-el-contexto-de-la-organizacion-en-iso-90012015/
- Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
- Free online course - ISO 9001:2015 Foundations Course: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/