Except for generic email addresses such as office@companyname.com, if the email addresses can be used to identify or single out an individual, they must be considered and treated as personal data. The same goes for telephone numbers, especially if they are mobile numbers.
> Thank you for the reply. To make it clearer: having around 100 self-employed subcontractors performing services, according to clause 8.4 of ISO 9001:2015, do we need to evaluate, select and monitor the performance of every single one of them?
Answer:
ISO 9001:2015 does not require that all suppliers or subcontractors be included in the quality management system (QMS).
First, you can remove those that work outside of the scope of the QMS.
Second, you can remove those that perform activities considered not critical for your product/service.
Third, you can establish a limit above which suppliers or subcontractors are evaluated (a limit based on annual amount of money, or number of works, or number of days, or …).
Do not forget that today, almost surely, someone in your organization is already evaluating and monitoring subcontractor performance. Why not use those criteria? ISO 9001 is not about complexity.
KPIs for ISO 27001
Answer:
ISO 27001 does not prescribe which performance indicators should be adopted by organizations, so they are free to define them according to their needs and objectives. Some common issues an organization should take into account when defining KPIs are:
- Business relevant: indicator aligned to clear business objectives or legal requirements.
- Process integrated: a KPI should add the least amount of work possible into business processes.
- Assertive: the indicator should be capable of pinpointing relevant issues that need attention.
Yes, there are. You would need at least the following three documents: Website Terms and Conditions, Website Privacy Notice and Cookie Policy. You can find readily available templates for these three documents in the EU GDPR Mini Toolkit for Websites (https://advisera.com/eugdpracademy/pricing/).
2. How long do I need to keep the collected contact data?
Answer:
The EU GDPR does not specify a certain timeframe, but you need to keep in mind that the data cannot be processed for longer than is needed to fulfil the purpose for which it was collected in the first place. In your case you may keep the data for as long as it is needed to provide the services to the client, and maybe add some more time, such as a statute of limitation period. If you want to find out more about retention periods, check out this EU GDPR Foundations Course (https://training.advisera.com/course/eu-gdpr-foundations-course/)
3. Do I need to register with the data protection authority?
Answer:
This depends on the jurisdiction where you are operating. Some supervisory authorities, like the ICO in the UK, still require registration, while others, such as the one in Romania, do not. I suggest you check your local supervisory authority's website for this information. You can find a list of the Supervisory Authorities in the EU at https://edpb.europa.eu/about-edpb/about-edpb/members_en
4. Can I use a different company for storing the data?
Answer:
You certainly can. The company you use for storage services will be acting as your processor if you use it to store personal data. When using a processor you need to be compliant with the provisions of art. 28 of the GDPR. If you want to find out more about processors and controllers, check out this article: EU GDPR controller vs. processor – What are the differences? (https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/)
Implementing and documenting ISO 14001
Answer:
The first step in the implementation of ISO 14001:2015 is to conduct a gap analysis to determine to what extent the organization already meets the requirements of the standard. The next step is to develop a project plan with defined activities and documents to be created in order to achieve full compliance with the standard. Then you need to create the documents and update your processes so they align with the standard.
After the implementation, you need to conduct an internal audit and a management review to ensure that your EMS (Environmental Management System) is compliant with the standard, and finally you can hire a certification body to conduct a certification audit and issue your company the certificate.
I recommend that a project team and a project leader be determined. Perhaps our ISO 9001:2015 Lead Implementer Course could be of help, because it has two parts (the first one is ISO 9001:2015 foundations training, since the project leader and some other team members must have some knowledge about the quality management standard; the second one is about good implementation practices).
After training, your team can perform a gap analysis to evaluate what is missing in your organization's present practice. Then your project team should use the process approach and develop a model of how your organization works, and can be seen, as a set of processes. With that information, you can develop a project plan for the implementation (what is to be done, by whom, by when). ISO 9001:2015 no longer mandates the use of procedures, but almost all organizations develop some kind of procedures in order to standardize practices.
Documenting procedures is taking pictures of how the organization works today. But your organization's top management looks into the future and wants a better organization. For that purpose they develop a quality policy, quality objectives and action plans to transform today's organization into the organization of the future.
After developing and implementing the procedures, perform an internal audit and then a management review.
The following materials will provide you with more information about implementing and documenting a quality management system:
- Should you use a gap analysis in your ISO 9001 implementation? - https://advisera.com/9001academy/17/use-gap-analysis-iso-9001-implementation/
- Tool - ISO 9001:2015 Gap Analysis Tool https://advisera.com/9001academy/iso-9001-gap-analysis-tool/
- Free diagram - ISO 9001:2015 Implementation diagram - https://info.advisera.com/9001academy/free-download/iso-90012015-implementation-diagram
- Free webinar on demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
- Free webinar on demand - The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/
- Enroll for free in the course – ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Enroll for free in the course – ISO 9001:2015 Lead Implementer Course - https://advisera.com/training/iso-9001-lead-implementer-course/
- If you need help or want to develop documentation faster, check - ISO 9001:2015 Documentation Toolkit - https://advisera.com/9001academy/iso-9001-documentation-toolkit/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
Supplier security
Answer:
A service provided without an SLA or contract is normally a significant risk, because there is no legal means by which you can enforce your requirements on this provider, neither in terms of service performance nor protection of information. A proper approach would be to identify the business and security requirements this provider must fulfill and include them in some kind of legal agreement.
Can you please explain more on the certification process after using your toolkit?
Answer:
This project plan is guidance to make your challenge easier, but the document itself does not guarantee certification. You have to count on top management commitment, resources, and a competent and committed project team to follow what is planned.
Regarding the certification process, certification audits are conducted in these stages:
- Documentation review: at this stage the auditor checks whether all mandatory policies, procedures, plans and records are in place.
- Main audit: at this stage the auditor, by means of techniques such as observation, interviews and log review, checks whether processes and personnel are performing according to what is documented. It is at the end of this stage that any identified non-compliance is raised.
- Surveillance visits: once you get certified, you have to keep the system working during the three-year certification period. To ensure that, an auditor will come periodically to check that the system is in place and ask for adjustments when needed.
Also the controls for ISO 27018: A.1.1, A.2.2, A.4.1, A.5.1, A.5.2, A.7.1, A.9.1, A.9.2, A.9.3, A.10.2, A.10.3, A.10.4, A.10.5, A.10.6, A.10.7, A.10.8, A.10.9, A.10.10, A.10.11, A.10.12, A.10.13, A.11.1, A.11.2.
It would be great if you provide templates or dashboard. Looking forward to hearing from you.
Answer:
First, it is important to note that for each template you have there is a specific version to be used with cloud environments (the version has the word "cloud" in the file name). The controls you want to implement are covered by the following templates you have:
ISO 27017
- CLD.6.3.1: Cloud Security Policy and Security Clauses for Clients, Suppliers and Partners
- CLD.8.1.5: Supplier Security Policy and Security Clauses for Clients, Suppliers and Partners
- CLD.9.5.1: Cloud Security Policy
- CLD.9.5.2: Cloud Security Policy
- CLD.12.4.5: Cloud Security Policy
- CLD.13.1.4: Cloud Security Policy
ISO 27018
- A.1.1: Policy for Data Privacy in the Cloud and Security Clauses for Clients, Suppliers and Partners
- A.2.2: Policy for Data Privacy in the Cloud
- A.4.1: Specification of Information System Requirements
- A.5.1: Policy for Data Privacy in the Cloud and Security Clauses for Clients, Suppliers and Partners
- A.5.2: Policy for Data Privacy in the Cloud
- A.7.1: Policy for Data Privacy in the Cloud
- A.9.1: Policy for Data Privacy in the Cloud and Security Clauses for Clients, Suppliers and Partners
- A.9.2: Procedure for Identification of Requirements, Information Security Policy, Cloud Security Policy, Policy for Data Privacy in the Cloud, Bring Your Own Device (BYOD) Policy, Security Procedures for IT Department, Change Management Policy, Secure Development Policy, and Supplier Security Policy
- A.9.3: For this one you need the Information Transfer Policy template (https://advisera.com/27001academy/documentation/information-transfer-policy/)
- A.10.2: Policy for Data Privacy in the Cloud
- A.10.3: Security Clauses for Clients, Suppliers and Partners
- A.10.4: Security Clauses for Clients, Suppliers and Partners, Information Transfer Policy template, and Security Procedures for IT Department
- A.10.5: Security Clauses for Clients, Suppliers and Partners, Information Transfer Policy template, and Security Procedures for IT Department
- A.10.6: Security Clauses for Clients, Suppliers and Partners, and Security Procedures for IT Department
- A.10.7: For this one you need the Disposal and Destruction Policy template (https://advisera.com/27001academy/documentation/disposal-and-destruction-policy/)
- A.10.8: For this one you need the Access Control Policy template (https://advisera.com/27001academy/documentation/access-control-policy/)
- A.10.9: Access Control Policy
- A.10.10: Access Control Policy
- A.10.11: Security Clauses for Clients, Suppliers and Partners
- A.10.12: Security Clauses for Clients, Suppliers and Partners
- A.10.13: Disposal and Destruction Policy
- A.11.1: Security Clauses for Clients, Suppliers and Partners, and Procedure for Identification of Requirements
- A.11.2: Security Procedures for IT Department
Additionally, the templates you bought include several comments that can help you customize your documents. When customizing the documents, if you have any specific doubt regarding how to make the customization, please contact us.
Regarding the order in which to implement the documents, you can follow the order presented in the List of documents file for the ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit (which can be found at this link: https://advisera.com/27001academy/iso-27001-iso-27017-iso-27018-cloud-documentation-toolkit/). The order of documents in this file was designed to provide the easiest way to implement the documents.
Answer:
ISO 9001:2015 does not require a Quality Manual. So, organizations that decide to develop and maintain a Quality Manual have a lot of freedom to include whatever they want. For example, many organizations use the Quality Manual just for presenting the organization at a higher level. So, it is quite possible that a document not referenced in the Quality Manual is still a usable, valid and even important document.
The following materials will provide you with more information about documenting a quality management system:
- The future of the Quality Manual in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/the-future-of-the-quality-manual-in-iso-90012015/
- Enroll for free in the course – ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/