
  • Internal auditor requirements


    Answer:
    The ISO 14001 Lead Implementer course has two parts: one with the foundations of the standard, and another about planning, implementing and controlling a management system implementation project.
    The ISO 14001 Lead Auditor course has two parts: one with the foundations of the standard, and another about auditing. If you want to be Lead Auditor in your company, you have to fulfill the internal requirements for internal auditors. Normally, those requirements consider knowledge about the standard and good audit practices. To be an internal auditor, I recommend the Internal Auditor course. The Lead Auditor course is more for those who foresee working as external auditors, even working for a certification body in the near future.

    The following material will provide you information about internal audits:
    - ISO 14001 – Internal Audits in the EMS: Five Main Steps - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/internal-audits-in-the-ems-five-main-steps/
    - free online training ISO 14001:2015 Internal Auditor Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • EU GDPR and non-profit organizations


    1. I am running a charity NGO. Are there any specific GDPR rules I need to consider?
    2. The NGO is supporting people with disabilities and we have a database of the persons that received help from us. Am I allowed to hold this database?
    3. The database also contains the disability and medical condition. Do I need consent to keep this data?
    4. We also have copies of medical prescriptions which we reimburse to some of our members. Is this OK?

    Answers:

    1. There are no specific requirements for NGOs or charities; the same GDPR requirements apply across the board.
    If you want to find out more about the EU GDPR requirements, check out this EU GDPR Foundations Course (https://advisera.com/training/eu-gdpr-foundations-course//).

    2. Health data falls under the special category data and you need to be extremely careful when processing it. There are specific requirements relating to the processing of special category data.

    3. First of all, if you rely on consent, "express" consent is necessary, which is more strictly regulated by the GDPR. Basically, you would need a statement from the data subject that you can process health data.

    4. The same rule around express consent applies if you want to keep the prescriptions. However, you should find ways not to keep the prescription, or maybe anonymize the content to remove any medical information.
  • Questions about ISO 27001


    1. Make a practical or step-by-step manual explaining the ISO 27001:2013 standard
    2. Make a comparative table between ISO 27001:2013 and at least ten (10) information security standards.
    3. What is the relationship or difference between the NTC and ISO 27001:2013?
    4. Which companies are in charge of certifying under the ISO 27001:2013 standard in Colombia

    I need your valuable collaboration: I am doing investigative work and I need this information

    1. Make a practical or step by step manual explaining ISO27001: 2013

    Answer: For this purpose I suggest you the following material:
    - Clause-by-clause explanation of ISO 27001 https://info.advisera.com/27001academy/free-download/clause-by-clause-explanation-of-iso-27001
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

    2. Make a comparative table between ISO 27001:2013 and at least ten (10) standards of information security.

    Answer: Unfortunately without more details about the other standards all we can offer you are articles comparing ISO 27001 with laws and regulations which can be related to information security:
    - How can ISO 27001 help you comply with SOX section 404 https://advisera.com/27001academy/blog/2017/11/21/how-can-iso-27001-help-you-comply-with-sox-section-404/
    - Does ISO 27001 implementation satisfy EU GDPR requirements? https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/
    - Does ISO 27001 help CCPA compliance? https://advisera.com/27001academy/blog/2018/10/16/does-iso-27001-help-ccpa-compliance/
    - How to use the NIST SP800 series of standards for ISO 27001 implementation https://advisera.com/27001academy/blog/2016/05/02/how-to-use-the-nist-sp800-series-of-standards-for-iso-27001-implementation/

    3. What is the relationship or difference between the NTC and the iso27001: 2013?

    Answer: The NTC ISO 27001 is the Colombian version of the international ISO 27001. It has translated the English text of ISO 27001 into the official language of Colombia and included some local information regarding this country's specifics, but these additions do not conflict with the international text.

    4. Which companies are in charge of certifying in Colombia under the standard ISO 27001: 2013

    Answer: Examples of certification bodies in Colombia are:
    https://www.abs-qe.com/
    https://www.dqsus.com/
    https://www.nsf-isr.org/
    https://www.schellmanco.com/
    https://www.us.sgs.com/systems_and_services_certifications_us
  • Audit requirements


    Answer:

    ISO 27001 does not have a requirement specifically demanding a site visit, but for some requirements (e.g., implementation of corrective actions and continual improvement) and controls (e.g., physical controls like those from Annex A.11), only through on-site observation can the auditors ensure that the ISMS is properly implemented according to ISO 27001. So, regardless of whether it is an internal or external audit, the site visit will be a part of the audit process, especially for certification audits.

    In addition, standards that define requirements for certification audit require the certification auditor to perform part of the audit on-site.

    This article will provide you further explanation about Planning audits:
    - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/

    These materials will also help you regarding audits:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - ISO 27001:2013 INTERNAL AUDITOR COURSE https://advisera.com/training/iso-27001-internal-auditor-course/
  • ISO 45001 alignment with typical HSMS


    Answer:
    ISO 45001:2018 is the newly released standard of requirements for an occupational health & safety management system (OHSMS). As it comes from the International Organization for Standardization (ISO), it is internationally recognized as the best practice for implementing the OHSMS. Previously, companies may have used many different requirements documents to define what is needed for the OHSMS, such as OHSAS 18001:1999, but these were not recognized internationally like the ISO standard is. In fact, companies using OHSAS 18001 will need to transition over the next 3 years, as this standard will be made obsolete.

    The new standard has many of the same processes for an OHSMS that were previously present in other documents such as OHSAS 18001, such as the need to identify hazards, but also includes some new focuses. Some main focuses of the ISO 45001 standard are meeting compliance obligations, understanding the hazards in your organization, and encouraging worker participation and consultation along with the importance of leadership commitment.

    For a better understanding of the requirements of ISO 45001:2018, see the free whitepaper: Clause-by-clause explanation of ISO 45001:2018, https://info.advisera.com/45001academy/free-download/clause-by-clause-explanation-of-iso-45001
  • EU GDPR compliance and personal data


    1. Where do I report a company that does not respond to my request on personal data?
    2. Can a company report another company when not complying with GDPR?
    3. I have a contract with accounting company. How do I become compliant?
    4. I only have B2B customers do I need to be compliant with GDPR?

    Answers:

    1. You can report a company to the competent Data Protection Authority (or Supervisory Authority) if you don't get a response. However, consider that the company has one month to respond. If it has been more than one month, you can file a complaint. You can find a list of Supervisory Authorities at: https://edpb.europa.eu/about-edpb/board/members_en

    If you want to find out more about your rights according to the EU GDPR check out this free webinar Data Subject Rights under the EU GDPR (https://advisera.com/eugdpracademy/webinar/data-subject-rights-under-the-eu-gdpr-free-webinar-on-demand/)

    2. Yes, it can; however, the complaint needs to refer to individuals' data and not company data such as registration number, VAT code, etc. The same mechanism for filing a complaint applies as for question no. 1.

    3. Usually accounting companies are acting as data processors so you would first need to check if any personal data is sent to the accounting company. If this happens you would need to have a Data Processing Agreement in place with the accounting company. This document needs to fulfill the requirements set up in art. 28 of the EU GDPR. You can find a readily available template for a Data Processing Agreement in this EU GDPR Documentation Toolkit (https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/)

    4. I would say yes, because besides B2B data you would be processing data of the representatives of the legal entities, which are individuals; therefore their data is personal data. Also, if you have employees you will be processing their personal data as well, thus their personal data needs to be processed based on the GDPR requirements.

    If you want to find out more about the applicability of the EU GDPR, check out this EU GDPR Foundations Course (https://advisera.com/training/eu-gdpr-foundations-course//).
  • Questions about ISO 22301


    Answer: Number of employees and number of departments are only two of a set of relevant variables to help you define the ideal time of implementation (e.g., you also have to consider the experience of the implementation team, and the organization's structure). To consider all these variables, I suggest you use our free ISO 27001/ISO 22301 Implementation Duration Calculator at this link: https://advisera.com/27001academy/free-tools/free-calculator-duration-of-iso-27001-iso-22301-implementation/

    2. What are the things that I need to look out for if a business unit (BU) wants to be certified for ISO 22301, rather than the organization?

    Answer: The main issue is the definition of the implementation scope, i.e., the elements that are part of your Business Continuity Management System. With this information you will be able to focus on what is important and relevant to this business unit and how to handle the point where this BU interfaces with the rest of the organization. Other points are pretty much as if the whole organization is part of the scope:
    - Getting top management support
    - Elaborating documentation (those mandatory by the standard and those required by the business)
    - Implementing, testing and reviewing plans
    - Reviewing and Adjusting the BCMS

    These articles and materials will provide you further information (the articles about scope focus on ISO 27001, but the concept is also applicable to ISO 22301):
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
    - 17 steps for implementing ISO 22301 https://advisera.com/27001academy/knowledgebase/17-steps-for-implementing-iso-22301/22301/iso-22301/
    - ISO 22301: An overview of the BCM implementation process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-22301-overview-bcm-implementation-process-free-webinar-demand/
    - How to use a Documentation Toolkit for the implementation of ISO 27001 / ISO 22301 [free webinar] https://advisera.com/27001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-27001-free-webinar-on-demand/

    3. Within a BU, there will be different departments dealing with different services. So how and what involvement would there be for other BUs or organization departments, for example, facilities, legal, etc.?

    Answer: This answer is unique for each organization, because this depends on the organization's internal structure, culture, and other factors. To take this into account, ISO 22301 has a requirement demanding organizations to perform a Business Impact Analysis (BIA), which will help them identify exactly the factors that can influence and/or prevent the delivery of the services involved in the BCMS.

    For further information about (BIA), please read:
    - How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
    - Five Tips for Successful Business Impact Analysis https://advisera.com/27001academy/blog/2010/06/10/five-tips-for-successful-business-impact-analysis/

    4. Are the different departments both BU and Organization level required to come out with its own BIA?

    Answer: If the processes and services to be included in the business continuity process are quite different, then a better approach would be for each department to perform its own BIA, because this would be a less complex approach. On the other hand, if the processes are similar, then performing a single BIA will be quicker.

    The recommended material from the last answer will also be useful for this answer.
  • Information Security Officer position


    Answer:

    ISO 27001 does not prescribe which roles or positions should be created, only that responsibilities and authorities must be defined and assigned, so organizations are free to define the model that best suits them. For small organizations, up to 50 employees, a good approach is to assign responsibilities and authorities for information security to the CEO or someone from top management. For bigger organizations a better approach is to create a specific role to be responsible for information security, because of the number of tasks and time required.

    These articles will provide you further explanation about CISO (Chief Information Security Officer):
    - What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
    - Chief Information Security Officer (CISO) – where does he belong in an org chart? https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/
  • Corrective actions and emergency preparedness


    Answer:
    ISO 14001:2015 does not include any requirement for the use of a formal corrective action process to handle any issues identified in an emergency preparedness drill. It is one thing to recommend that practice as an improvement opportunity, and another thing to classify that finding as a non-conformity.

    The following material will provide you information about emergency preparedness:
    - ISO 14001 – 5 steps to set up an emergency plan according to ISO 14001 - https://advisera.com/14001academy/blog/2014/07/23/5-steps-set-emergency-plan-according-iso-14001/
    - ISO 14001 emergency preparedness and response - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/iso-14001-emergency-preparedness-and-response/
    - free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • Control, maintain or retain document information


    Answer:
    ISO 9001:2015 classifies documented information into two types: documents to maintain and documents to retain. Documents to maintain are, for example, manuals, procedures, work instructions and forms. These documents can become obsolete, can be changed to newer versions, can be updated. When we fill in a form it becomes a record, and a record, like a photo, documents an event and cannot or should not be changed, and cannot become obsolete. Documented information, whatever the type, should be controlled, and clause 7.5 describes the requirements. Saying that a document should be retained or maintained is just a way of distinguishing procedures from records, different types of documents.

    The following material will provide you information about documented information:
    - Article – New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
    - ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/