
  • BCM template content

    1. MSS being a critical service chosen for BCP. However, MSS will have multiple interdependent processes like infra, service mgmt, endpoint.
    a. So do we have to conduct BIA individually for every interdependent process too, or will BIA be done only for MSS but take inputs from the interdependent processes?

    Answer: In fact both approaches are acceptable (a BIA for each supporting process or a single BIA for MSS), and both have their own advantages and disadvantages, and you have to consider them to choose the best approach for your organization:
    - Performing a BIA for each supporting process is less complex and will require fewer people involved in each process (only the people directly involved in the process), but you have to evaluate the results of each BIA all together later, to have a picture for the MSS, and the independent BIAs may hide issues that can only be identified when analyzed together, and you may have to perform some BIAs again.

    - Performing a single BIA for MSS will provide you a systemic picture of all situations that may cause disruption of MSS (e.g., failures on independent process that together can disrupt MSS), and probably will need to be performed only once, but it is a more complex process and you may have a problem to schedule meetings with all people involved.
    By the way, included in the toolkit you bought you have access to a video tutorial that can help you perform BIA, including examples with real data.

    For further information, please see: How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/

    2. Regarding “Business_Impact_Analysis_Methodology_EN”,
    a. how do we complete the section 4 “Managing records kept on the basis of this document”?
    i. Is the record linked to the specific document? E.g., the business impact questionnaire analysis is the record for Business_Impact_Analysis_Methodology_EN?

    Answer: Your assumption is correct. The business impact questionnaire analysis is a record for the Business Impact Analysis Methodology, and you only have to define who is responsible for this record, where it is stored, the controls used to protect this record, and for how long you have to keep this record. Detailed information and examples can be found in the comments included in the Business Impact Analysis Methodology template.

    For further information please read: Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/

    b. For 3.8 Maximum data loss (RPO), are we able to customize the timing, or is it not advisable to do so?

    Answer: The template is fully customizable, so you can change the values related to RPO to values that best fit your organization.

    For further information please read: What is the difference between Recovery Time Objective (RTO) and Recovery Point Objective (RPO)? https://advisera.com/27001academy/knowledgebase/what-is-the-difference-between-recovery-time-objective-rto-and-recovery-point-objective-rpo/
  • GDPR serving citizens abroad


    Answer:

    Based on the description provided it seems that you will be acting as a processor for the entities using the software.

    Your company would need to sign a Data Processing Agreement with the entities using the software.

    Because you are in Canada and Canada received adequate status from the EU Commission there is no issue with the data transfer.

    You can find readily available Data Processing Agreements in our EU GDPR Documentation Toolkit (https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/)
  • GDPR and consent

    1. Must the processor take the consent of all participating athletes in every game they play?
    2. Must the processor take the consent of their parents in every game their kids are participating in?
    3. Does the processor have any legal basis for recording these actions?

    Answers:

    Just to clarify, the academy will be acting as a data controller and not a data processor. Regarding the CCTV system, if the system was set up for security reasons then it is quite unlikely that it can be used to record the games, because of the different positioning of the cameras. However, if there is another CCTV system meant to record the games, then everyone that is going to be filmed should be made aware of the presence of the CCTV and the purposes for which it is installed, and this is usually done via a Privacy Notice.

    I will start answering your questions with the last one, as it is the most relevant.

    3. You can rely on Legitimate Interest for the CCTV system but in this case, you would need to perform a Legitimate Interest Assessment;

    1. If you decide to rely on legitimate interest then consent is not needed. However, you need to make sure that everyone knows about the CCTV and its purpose;

    2. The same applies to minors although in this case, you need to ensure that the parents are aware of the CCTV;

    If you want to learn more about Privacy Notices check out this free webinar Privacy Notices under the EU GDPR (https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/)
  • QMR requirements


    Answer
    ISO 9001:2015 no longer requires a Quality Management Representative (QMR). Nevertheless, many organizations decide to keep that position because they recognize its value.
    Since ISO 9001:2015 no longer mandates a Quality Management Representative, organizations have more freedom to define authorities and responsibilities for such a function. It was never required that the QMR knew all about the organization's programs.

    The following material will provide you information about the QMR function:
    - Article – What is the job of the quality management representative? - https://advisera.com/9001academy/knowledgebase/what-is-the-job-of-the-quality-management-representative/
    - Choosing the best person for the job of quality management representative - https://advisera.com/9001academy/blog/2014/06/03/choosing-best-person-job-quality-management-representative/
    - What will be the destiny of the management representative in the new ISO 9001:2015? - https://advisera.com/9001academy/knowledgebase/what-will-be-the-destiny-of-the-management-representative-in-the-new-iso-90012015/
    - Free course – ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Information classification policy


    Answer:

    ISO 27001 does not prescribe which categories to implement, so organizations are free to define the ones that best suit their needs, and these can either be based on legal requirements the organization must comply with (e.g., laws or regulations which define or recommend lists of categories), based on a framework developed by the organization itself, or based on market best practices. Examples of classification levels are:
    - Secret and Top secret
    - Unclassified
    - Non sensitive

    For further information about information classification, see: Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/

    To see what an Information Classification Policy looks like, I suggest you take a look at the free demo of our Information Classification Policy at this link: https://advisera.com/27001academy/documentation/information-classification-policy/
  • Pre-certification audit

    Many thanks Rhand.
    Kind Rgds.
  • Agrobusiness certification


    Answer
    I saw some Canadian studies about the impact of ISO 9001 in agrobusiness. Their conclusions are that ISO 9001 offers supply chain management benefits.
    Even non-certified organizations reported using the standard to formalize their monitoring procedures and improve planning, sourcing, manufacturing, and delivery efficiency. Those that took the extra step of certification reported improvement in their customer/supplier relationships and gained tools to monitor internal processes. Both certified and non-certified organizations reported increased customer satisfaction, market share and inventory turnover, and reduced lead times, rework, waste, and customer complaints.

    The following material will provide you information about ISO 9001 implementation:
    - Article – Checklist of ISO 9001 implementation & certification steps - https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
    - Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/
    - Free course – ISO 9001:2015 Lead Implementer Course - https://advisera.com/training/iso-9001-lead-implementer-course/
    - Free course – ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Certification of an extra hotel facilities


    Answer
    Currently I'm working as a consultant with a hotel in implementing a quality management system according to ISO 9001:2015 in order to get its certification. The hotel quality manager's previous experience was with the certification of an extra hotel facility. ISO 9001:2015 is applicable to any organization.

    The following material will provide you information about ISO 9001 applicability:
    - Article – Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/
    - Free course – ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Implementation sequence


    Answer
    I would start the implementation of a management system by:
    - Assembling a project team;
    - Developing a project plan with a timetable;
    - Providing basic training on ISO 9001 for project team members;
    - Defining the scope of the management system;
    - Performing a Gap Analysis;
    - Determining internal and external context;
    - Determining interested parties;
    - Mapping your processes;
    - Defining the quality policy, objectives and plans to meet them;
    - Determining risks and opportunities and defining action plans to act upon the most important;
    - Documenting your processes;
    - Starting to measure performance;
    - Performing internal audits;
    - Doing a management review and deciding if you are ready for certification.

    The following material will provide you information about implementing a management system:
    - Article – Checklist of ISO 9001 implementation & certification steps - https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
    - Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/
    - Free course – ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Defining controls


    Answer:

    According to ISO 27001, you only have to implement physical isolation, as well as other types of controls, in the following situations:
    - There are unacceptable risks that justify the application of the control
    - There are legal requirements (e.g., laws or contract clauses) with which the organization must comply that demand the application of the control
    - There is a management decision to implement the control, by considering it good practice.

    If none of the above conditions applies, there is no need to implement the control.

    This article will provide you further explanation about selecting controls:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/