
  • Context of the organization in ISO 14001:2015


    Answer:

    To determine the context of the organization under ISO 14001:2015 you can hold a brainstorming session with the relevant people in your organization, for example the managers and the heads of the different departments, in which they determine both the internal and the external issues of the organization. A SWOT analysis (strengths, weaknesses, opportunities and threats) of the environmental management system is also very useful, and it can additionally be used for the analysis of risks and opportunities.

    Basically, the general context of the organization can be classified as:
    - Internal context: any action, product or service that may affect environmental performance, for example changes in the institution's facilities; modifications to operating procedures; changes in personnel; etc.
    - External context: the institution's legal requirements and economic, cultural, social or even political circumstances, for example technological changes; changes in land-use planning policies; changes in legislation relating to environmental aspects; environmental conditions (water and air quality, available natural resources).

    For more information on the context of the organization in ISO 14001:2015, see the following materials:
    - Article - Determinar el contexto de la organización en ISO 14001: https://advisera.com/14001academy/es/knowledgebase/determinar-el-contexto-de-la-organizacion-en-iso-14001/
    - Book – The ISO 14001:2015 companion: https://advisera.com/books/the-iso-14001-2015-companion/
    - Free online course – Fundamentos de la norma ISO 14001:2015: https://advisera.com/training/es/course/curso-fundamentos-iso-14001/
  • Privacy Notice, Privacy Policy and Data Protection Policy


    Answer:

    A Privacy Notice is a document telling individuals what you are doing with their personal data; this transparency is a fundamental principle of data protection law. If individuals do not have this information, they cannot validly consent to its use, exercise their rights or, ultimately, decide whether or not to give you their personal data.

    The Data Protection Policy is an internal company document which is meant to establish how a company generally deals with personal data.

    Website Privacy Policy is similar to the privacy notice but it is tailored to cover the instances when data is collected via websites.
  • Evaluation of change


    Answer:

    The nonconformity would correspond to clause 6.3 - Planning of changes. ISO 9001:2015 requires that, when there is a need for changes in the organization, those changes are carried out in a planned manner.

    Likewise, the nonconformity would also be related to clause 4.4.1 g) - In this sub-clause the standard requires implementing the changes needed in the organization's processes to achieve the intended results.

    Changes, although they are normally made to improve the organization's processes, can generate new risks and new opportunities. For this reason the organization needs to carry out a detailed analysis of this point before implementing the change to ISO 9001:2015, and of the steps to follow.

    For more information on change management you can see the following materials:
    - Article - QMS change management in 7 steps: https://advisera.com/9001academy/blog/2016/11/29/qms-change-management-in-7-steps/
    - Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free online course - Curso de fundamentos de la norma ISO 9001:2015: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
  • GDPR and processing of personal data


    Answer:

    The GDPR applies regardless of whether the personal data is processed internally or shared with third parties outside the company.

    2. Also, are we able to store IP addresses for the purpose of mitigating DDoS attacks, or must we anonymize them or use geolocation?

    Answer:

    You may be able to retain IPs based on "legitimate interest" for security purposes such as mitigating DDoS attacks. However, the users need to be informed about the processing of their personal data according to Articles 13 and 14 of the EU GDPR.

    If you need to find out more about the EU GDPR please check out this EU GDPR Foundations Course https://advisera.com/training/eu-gdpr-foundations-course//
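    As an added illustration of what "anonymize" can mean in practice when client IPs are kept for DDoS mitigation (this is example code written for this page, not part of the answer above and not Advisera's material), the Python below shows two approaches side by side on a constructed sample of client addresses: coarse truncation to a network prefix, and keyed pseudonymization with HMAC-SHA256, which still lets you count requests per source and flag heavy hitters without storing the raw address. The sample addresses, the demo key, the per-day key derivation and the threshold are all constructed for the example. Note that GDPR Recital 26 treats pseudonymised data that can be re-linked with additional information (here, the key) as personal data, so the transparency duty in Articles 13 and 14 still applies; rotating the key limits how long a token stays linkable.

```python
import hashlib
import hmac
import ipaddress
from collections import Counter
from typing import Iterable, List

# Constructed sample of client addresses from an access log (documentation
# ranges only, not real traffic): one source makes three requests.
SAMPLE_CLIENT_IPS = [
    "203.0.113.7", "203.0.113.7", "203.0.113.7", "203.0.113.42",
    "2001:db8:1234:5678::1", "2001:db8:1234:5678::2", "198.51.100.9",
]


def truncate_ip(ip_text: str, v4_prefix: int = 24, v6_prefix: int = 48) -> str:
    """Coarse anonymisation: keep only the network prefix and zero the host bits.

    Cheap and irreversible, but all hosts in the same prefix collapse into one
    value, so it cannot tell a single abusive client apart from its neighbours.
    """
    addr = ipaddress.ip_address(ip_text)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def derive_daily_key(master_key: bytes, day: str) -> bytes:
    """Derive a per-day key (example scheme) so tokens from different days
    cannot be linked to each other; `day` is an ISO date such as '2024-01-31'."""
    return hmac.new(master_key, day.encode("ascii"), hashlib.sha256).digest()


def pseudonymise_ip(ip_text: str, key: bytes) -> str:
    """Keyed pseudonymisation: HMAC-SHA256 over the packed address.

    The same address always maps to the same token under the same key, which is
    what a per-source request counter needs; without the key the token cannot
    be turned back into the address (a plain unkeyed hash could be brute-forced
    over the small IPv4 space, which is why the key matters).
    """
    addr = ipaddress.ip_address(ip_text)
    digest = hmac.new(key, addr.packed, hashlib.sha256).hexdigest()
    return digest[:32]  # 128 bits is plenty for a log token


def count_requests(ips: Iterable[str], key: bytes) -> Counter:
    """Per-source request counts keyed by pseudonymous token, never by raw IP."""
    return Counter(pseudonymise_ip(ip, key) for ip in ips)


def sources_over_threshold(ips: Iterable[str], key: bytes, threshold: int) -> List[str]:
    """Tokens of sources that made more than `threshold` requests, i.e. the
    candidates a DDoS mitigation would rate-limit or block."""
    counts = count_requests(ips, key)
    return sorted(token for token, n in counts.items() if n > threshold)


if __name__ == "__main__":
    key = derive_daily_key(b"constructed-demo-master-key", "2024-01-31")
    for ip in SAMPLE_CLIENT_IPS[:1] + SAMPLE_CLIENT_IPS[4:5]:
        print(f"{ip:>24} -> prefix {truncate_ip(ip):<18} token {pseudonymise_ip(ip, key)}")
    print("heavy hitters:", sources_over_threshold(SAMPLE_CLIENT_IPS, key, threshold=2))
```

    The block prints one line per example address and then the token of the single source that exceeded the threshold; the raw address never has to be written to the retained log for the counter to work.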
  • ISMS in QMS?

    Organizations with a quality management system may want to avoid problems, for example with intellectual property theft and production and commercial disruption. You can find more information in these two articles: Using ISO 9001 for implementing ISO 27001 - https://advisera.com/27001academy/blog/2010/03/08/using-iso-9001-for-implementing-iso-27001/ and How to integrate ISO 9001 and ISO 27001 - https://advisera.com/9001academy/blog/2016/09/27/how-to-integrate-iso-9001-and-iso-27001/ Check also this free webinar on demand, ISO 27001 implementation: How to make it easier using ISO 9001 - https://advisera.com/27001academy/webinar/iso-27001-implementation-make-easier-using-iso-9001-free-webinar-demand/
  • CMMI and ISMS


    Answer:

    Unfortunately we do not have such material consolidated, but from these links you can build an understanding about their relation:
    - Mapping from ISO 9001:2008 to CMMi v1.2: https://cmmiinstitute.zendesk.com/hc/en-us/articles/115004587567-Do-ISO-standards-and-CMMI-work-together-
    - Mapping from ISO 9001:2008 to ISO 9001:2015 https://committee.iso.org/files/live/sites/tc176sc2/files/documents/ISO%209001%202015%20-%20Implementation%20guidance%20docs/ISO9001_2015_Correlation_Matrices.docx
    - ISO 27001 vs. ISO 9001 matrix https://info.advisera.com/9001academy/free-download/iso-9001-2015-vs-iso-27001-2013-matrix
  • ISO 27001 in designing projects

    (I would like to better understand how ISO27001 can help me in designing projects for physical security - hardware - I am a manufacturer.)

    Answer:

    As an information security standard, ISO 27001 can assist in designing projects for the physical security of hardware by:
    - providing a systematic way to identify requirements and select the controls to be implemented to protect the information that this hardware will handle. For example, if the information that will be stored on or transferred through this hardware requires a high level of protection, a possible hardware requirement would be the implementation of features that allow attempts to tamper with the hardware to be detected (credit card readers are a good example).
    - providing specific controls for the implementation of physical security (the controls in section A.11), including specific protection for equipment (the controls in section A.11.2).
    - assisting in the identification and implementation of controls for the protection of the project's own information (e.g., access control to the specifications of the technologies to be implemented in the hardware, definition of responsibilities, etc.).

    These articles can provide additional information about ISO 27001 in projects:

    - How to implement equipment physical protection according to ISO 27001 A.11.2 – Part 1 https://advisera.com/27001academy/blog/2016/04/18/how-to-implement-equipment-physical-protection-according-to-iso-27001-a-11-2-part-1/
    - How to implement equipment physical protection according to ISO 27001 A.11.2 – Part 2 https://advisera.com/27001academy/blog/2016/04/26/how-to-implement-equipment-physical-protection-according-to-iso-27001-a-11-2-part-2/
    - How to manage security in project management according to ISO 27001 A.6.1.5 https://advisera.com/27001academy/what-is-iso-27001/
    - How to set security requirements and test systems according to ISO 27001 https://advisera.com/27001academy/blog/2016/01/11/how-to-set-security-requirements-and-test-systems-according-to-iso-27001/
  • New company logo and controlled documents


    Answer
    If your logo is part of the documents' identification and your logo was changed, your organization will have to update the documentation. Since your next surveillance audit will take place in less than a month, perhaps that update should be planned to take place not all at once but over a period of time. So, documents that are easier to update can be updated right away; for other documents you can develop a plan, start to implement it and show it during the next surveillance audit. For example, auto companies sometimes make changes in their component drawings and allow suppliers to use previous versions until stock of those versions goes to zero.

    The following material will provide you more information about ISO 9001 and document control:
    - New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
    - Enroll for free course - ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - book – Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/
  • ISO 9001 and shipping companies


    Answer
    Just googling “shipping iso 9001” I found a set of ISO registered shipping companies. Perhaps the big ones are so well known that they do not need certification to improve their credibility.

    The following material will provide you more information about ISO 9001 and shipping companies:
    - Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/
    - How ISO 9001 improves shipping procedures - https://advisera.com/9001academy/blog/2019/07/09/how-iso-9001-improves-shipping-procedures/
    - Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - book – ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/
  • Use of encryption and ISO 27001


    Answer:

    According to ISO 27001, you only have to implement any kind of encryption, as with other types of controls, in the following situations:
    - There are unacceptable risks that justify the application of the control (i.e., based on the risk assessment results)
    - There are legal requirements (e.g., laws or contract clauses) with which the organization must comply that demand the application of the control
    - There is a management decision to implement the control, considering it good practice.

    If none of the above conditions happen, there is no need to implement a control.

    This article will provide you further explanation about selecting controls:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
