
  • Consent, transferring and encrypting data


    Answer:

    Transferring personal data to third-party service providers acting as data processors is not forbidden by the EU GDPR. However, you need to ensure that the processors have in place adequate technical and organizational measures to protect the data.

    2. Do I need to get consent if I want to transfer the data?

    Answer:

    No, you don't need to have consent to use and to transfer personal data to third party processors. However, you need to ensure that the data subjects are informed of the use of such processors via a Privacy Notice.

    For more information on privacy notices check out this webinar Privacy Notices under the EU GDPR (https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/).

    3. Do I need to encrypt the data before sending or what measures I need to take?

    Answer:

    Although not mandatory under the EU GDPR, I would strongly advise you to use encryption while sending personal data and also ask the processor to have encryption at rest. This is due to the fact that data concerning health is transferred.

    You can find more information about the EU GDPR requirements on security in this EU GDPR Foundations Course (https://advisera.com/training/eu-gdpr-foundations-course//).
  • Common documents to different offices

    My question is: can the QMS documents of my head office be used for the UAE office, or does it need separate QMS documentation? Whether they can or can't, please give your advice as to the reason why.
    Note: The UAE office certification was done with a simple QMS manual without any procedures, RACI of procedures, forms, templates, etc.

    Answer:
    ISO 9001:2015 does not require the use of a QMS manual. So, your UAE office can decide the content of its QMS manual. What is important is that what is applicable to the Kuwait office is also applicable to the U.A.E. office. Same quality policy? Same process map?

    If the U.A.E. office uses the QMS manual from the Kuwait office, I, as a lead auditor, would like to see whether your office is on the distribution list of the Kuwait office, to ensure that updated versions are sent to your office.

    The following material will provide you more information about document control:
    - New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
    - Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - book – Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/
  • Starting the implementation of ISO 9001


    Answer:

    It depends on what you have; it may be useful for implementing the new version of the ISO 9001:2015 standard, for example some of the procedures you use. I recommend that you first carry out a gap analysis to find out which requirements your organization already complies with. Here you can do the analysis free of charge - ISO 9001 gap analysis tool: https://advisera.com/9001academy/es/herramienta-analisis-de-brecha-iso-9001/

    Here you can download, free of charge, a document explaining the transition from ISO 9001:2008 to ISO 9001:2015 in 12 steps (in English) - Twelve step transition process from ISO 9001:2008 to the 2015 revision: https://info.advisera.com/9001academy/free-download/twelve-step-transition-process-from-iso-90012008-to-the-2015-revision

    In this article you can find the mandatory documentation in ISO 9001:2015 and the most commonly used documents - List of mandatory documents required by ISO 9001:2015: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/lista-de-documentos-obligatorios-requeridos-por-la-iso-90012015/

    At this link you can also download a diagram (in English) with the steps of the implementation - ISO 9001 implementation diagram: https://info.advisera.com/9001academy/free-download/iso-9001-implementation-diagram

    For more information about the transition process to ISO 9001:2015, see the following materials:
    - Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free online course - ISO 9001:2015 Foundations Course: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
  • Aspect determination


    Answer:
    I have no previous experience in working with Soya Product industry. What I can advise you is to look into your organization as a black box (in a first approach you should not care about what is happening inside). The purpose of developing an Environmental Management System is to improve an organization’s interactions with the environment.
    How does your organization interact with the environment, with what is outside the black box?
    For example, your organization during production consumes energy, generates waste, generates noise, can generate air emissions and/or wastewater discharges. Buys soya from producers that may have a bigger or lesser impact in the soil, water and natural ecosystems.

    After determining how your organization interacts with the environment you can open the black box and look for the origin of those interactions (activities, products and services).

    The following material will provide you more information about aspects and impacts:
    Article - 4 steps in identification and evaluation of environmental aspects - https://advisera.com/14001academy/knowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/
    Environmental aspect identification and classification - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/environmental-aspect-identification-and-classification/
    Free webinar - ISO 14001: Identification and evaluation of environmental aspects - https://advisera.com/14001academy/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar-on-demand/
    Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
  • General Question about EU GDPR

    So I wanted to know if I can automatically add businesses to the online directory in that way, without initially phoning/contacting them to get approval to do that?

    Answer:

    The problem is not gathering the information from public sources, especially if it is B2B information. However, if you want to start contacting them you need to have a lawful ground for the processing which, in your case, can be either legitimate interest or consent.

    If you want to find out more about the lawful grounds for processing, check out this article Is consent needed? Six legal bases to process data according to GDPR (https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/)
  • Certification audit questions


    1. Is it a requirement for policy & procedure for the SOA to be approved?

    Answer:

    It is not a requirement, but a best practice to avoid rework, to approve policies and procedures only after the SoA has been approved, because any changes in the applicability status of controls in the SoA can impact the development, or review of policies and procedures.

    These articles will provide you further explanation about the steps for implementation and the SoA:
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

    2. Another question: is it a requirement to have 3 months of ISMS evidence/records before the ISMS external audit?

    Answer:

    It is not mandatory by the standard to have 3 months of ISMS evidence/records before the ISMS external audit; however, some certification bodies, as part of their own processes, require the management system to be 3 months in operation before going for certification (you should verify this with your own certification body).

    This article will provide you further explanation about the certification process:
    - Becoming ISO 27001 certified – How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/

    These materials will also help you regarding the certification process:
    - ISO 27001/ISO 22301: The certification process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/
    - Preparing for ISO Certification Audit: A Plain English Guide https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/
  • CISA and ISO 27001 Lead Auditor


    I have passed CISM, CRISC and preparing for CISSP. My goal is to do CISSP and either ISO 27001 Lead Auditor or CISA. For now, I am in Europe, so thinking the switch to an Infosec company or environment to be in Europe or Middle East (Dubai). I understand different geographic areas have bias for either CISA or ISO 27001.

    What is your take on these two courses (CISA, ISO27001), one that will fit well with my career prospects and the most marketable?

    Answer:

    The decision about which certification to choose will depend on the type and depth of the activities you desire to perform (both are worldwide recognized certifications for auditing). If you want to focus on auditing information security management, you should consider ISO 27001 Lead Auditor. If you want to go beyond auditing the scope of information security, and also consider the audit of strategic relationships between information security and the information systems and business objectives, you should consider CISA. Please note that these courses do not exclude each other; they only offer different perspectives about how to audit the way information interacts with business.

    Considering your background, and the certifications for which you have already taken the exam, ISO 27001 Lead Auditor would add more value to your profile (CISA will add auditing skills to CISM knowledge, but the knowledge added by ISO 27001 Lead Auditor can be used as well, and the ISO 27001 brand could be more attractive in Europe and the Middle East).

    These articles will provide you further explanation about personal certifications:
    - CISA vs. ISO 27001 Lead Auditor certification https://advisera.com/training/iso-27001-lead-auditor-course/
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/

    To see more about the course, please access: https://advisera.com/training/iso-27001-lead-auditor-course/
  • ISO 27001 applicability


    (I have a question: can ISO 27000 and its annexes be integrated into a computer equipment optimization procedure, or are they only integrated for data security?)

    Answer:

    ISO 27001 controls from Annex A cover a wide range of controls to protect information, and some of them can be used in a procedure for computer equipment optimization (e.g., A.6.2.1 Mobile device policy, A.11.2.9 Clear desk and clear screen policy, and A.12.5.1 Installation of software on operational systems).

    These articles will provide you further explanation about ISO 27001 controls for computer equipment:
    - Overview of ISO 27001:2013 Annex A https://advisera.com/27001academy/iso-27001-controls/
    - 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
    - How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
  • DPO and Data breach


    Answer:

    Appointing a DPO is mandatory if (a) the company has more than 250 employees; or (b) the processing the company carries out is likely to result in a risk to the rights and freedoms of data subjects; or (c) the processing is not occasional; or (d) the processing includes special categories of data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation); or (e) the processing includes personal data relating to criminal convictions and offenses.

    If you want to find out more about the role of the DPO check out this free webinar “Role of the DPO according to EU GDPR” (https://advisera.com/eugdpracademy/webinar/role-of-the-dpo-according-to-eu-gdpr-free-webinar-on-demand/).

    2. Can the Security Officer be also the DPO?

    Answer:

    In theory, yes. However, I would advise against such an approach as the roles would be conflicting in certain areas. The role of the Security Officer is to protect the company information assets using whatever means necessary but the DPO needs to ensure that the means of processing personal data are lawful, transparent and proportionate.

    3. In the case of a data breach, how do I know if I need to notify the data protection authority?

    Answer:

    You first need to assess the severity of the data breach, taking into account how that breach can affect the rights and freedoms of the data subjects involved. There are three scenarios:

    a) If the breach does not affect the rights and freedoms of the data subjects the breach does not need to be reported;

    b) If the breach poses a risk to the rights and freedoms of the data subjects the breach needs to be reported to the Supervisory Authority;

    c) If there is a high risk, then both the data subjects and the Supervisory Authority need to be notified.

    If you want to learn more about data breaches check out this webinar “A How-to Guide for GDPR Data Breach Notifications” (https://advisera.com/eugdpracademy/webinar/a-how-to-guide-for-gdpr-data-breach-notifications-free-webinar-on-demand/).

    4. Does the data breach need to happen in the EU, or can it be outside the EU as well?

    Answer:

    Yes, it does. If the data subjects affected by the data breach are in the EU the breach needs to be notified as described in question 3. This is one of the instances where the extraterritorial reach of the GDPR kicks in.
  • Document control in ISO 9001:2015


    Answer:
    Yes, document control is required in ISO 9001:2015. Document and record control are now in clause 7.5 as Documented Information. ISO 9001:2008 had eight different clauses; the 2015 version consists of ten clauses. Now ISO 9001, ISO 27001, ISO 45001 and ISO 14001 all have a common core structure. This structure is called the High-Level Structure. The intent is to make the integration of management systems a lot easier.

    The following material will provide you more information about documented information:
    - New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
    - Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
