
  • Writing an EMS Manual


    Answer:
    ISO 14001:2015 does not require an EMS manual. So, this is great news, you are free to design the content of your EMS manual. I like to consider an EMS Manual as a kind of ID card: Who are we? What do we do? How do we interact with the environment? What are our environmental priorities? How do we work in our EMS? What is the scope of our EMS?

    The following material will provide you information about an EMS Manual:
    - ISO 14001 – What is an environmental management system manual? - https://advisera.com/14001academy/knowledgebase/what-is-an-environmental-management-system-manual/
    - List of ISO 14001 implementation steps - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/list-of-iso-14001-implementation-steps/
    - free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • GDPR compliance


    Answer:

    The EU GDPR is the most complex piece of regulation to date and one of the few that have extraterritorial reach. The requirements for both controllers and processors go beyond other pieces of legislation across the world. Also, the fines, which can go up to 4% of a company's turnover, are among the heftiest out there.

    2. Others you are familiar with that are tough?

    Answer:

    The only one that I can think of, because it is similar to the GDPR, is the California Consumer Privacy Act (CCPA), a first-of-its-kind US law passed in California in 2018 that takes effect January 1, 2020.

    3. Any multi-country comparison doc or docs on the web you have come across?

    Answer:

    We have run a comparison between the GDPR and the German Bundesdatenschutzgesetz https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-vs-german-bundesdatenschutzgesetz-similarities-and-differences/

    You can find all sort of interesting articles in our Knowledgebase (https://advisera.com/eugdpracademy/knowledgebase/).
  • IT Decommissioning policy


    Answer:

    The EU GDPR does not refer to decommissioning of IT systems or assets; it refers to what is called data retention, meaning that personal data should not be kept for longer than necessary to fulfill the purpose for which it was collected, regardless of how and where the data is stored.

    What you should be considering is a Data Retention Policy and a Data Retention Schedule which you can find at: https://advisera.com/eugdpracademy/documentation/data-retention-policy/ and https://advisera.com/eugdpracademy/documentation/data-retention-schedule/
  • Evidence of leadership


    Answer:

    Objective evidence to demonstrate leadership can be collected through interviews, observations, and documented information.

    For example:

    - Item a) during interviews with top management there must be consistency between the information provided by management and other evidence, the actual practices and conduct of the company, and the documented information.
    - Item h) management participating in communication related to the management system as well as in any awareness events that are held; ensuring that the QMS is integrated into the company's management system; ensuring that the necessary actions are taken when there is a difference between desired and actual performance.
    - Item i) ensuring that management provides sufficient resources for the continual improvement of the QMS as well as for the operation of its processes

    The following materials will help you understand how to provide evidence of leadership:
    - Article - How to comply with the new leadership requirements in ISO 9001:2015: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/como-cumplir-con-los-nuevos-requerimientos-de-liderazgo-en-la-iso-90012015/
    - Book - Discover ISO 9001:2015 Through Practical Examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free online course - ISO 9001:2015 Foundations: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
  • Certification requirements and benefits


    Answer:
    Normally, ISO certification is a requirement from clients; it can also be a requirement in certain regulated economic activities. For example, presently I'm working with a company that has to be certified in order to be able to enter a more attractive part of the electrical construction market.

    Potential benefits from implementing an ISO 9001 QMS can be:
    - Improvement of your credibility and image.
    - Cutting business maintenance costs.
    - Improvement of customer satisfaction.
    - Better process integration.
    - Improvement of your evidence for decision making.
    - Creation of a continual improvement culture.
    - Engagement of employees.

    The following material will provide you information about implementation benefits:
    - ISO 9001 – Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/
    - Free course – ISO 9001:2015 Lead Implementer Course - https://advisera.com/training/iso-9001-lead-implementer-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Questions about risk assessment


    Answer: I'm assuming you are referring to the European 2017 Revision of ISO/IEC 27001. Considering that, this is a European version of ISO 27001, with minor adjustments that do not affect an ISMS based on ISO 27001:2013, so there are no corrections needed on documents from the toolkits.

    For further information see:
    - European 2017 Revision of ISO/IEC 27001: What has changed? https://advisera.com/27001academy/blog/2017/10/25/european-2017-revision-of-isoiec-27001-what-has-changed/

    2. Also, regarding the risk assessment and treatment: shouldn't they be signed by the risk owner and others? Please advise or give any recommendation on who shall sign.

    Answer: The residual risks, the final result of the risk assessment and treatment process, must be accepted and signed either by risk owners or by top management on their behalf. What normally happens is that top management formally accepts residual risks and only consults risk owners in situations where the residual risk is not clear enough and requires clarification (e.g., when a residual risk has a high value and the treatment option chosen was to accept the risk).

    For further information see:
    - Why is residual risk so important? https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
    - 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/

    3. And also, in case the organization has an ERM section or department, how will it be handled? Shall the information security department ignore ERM and follow this methodology? Keep in mind the organization is adopting ISO 31000 and a framework is defined; is it better to refer to them?

    Answer: First, it is important to note that ISO 27001 does not prescribe a risk assessment and treatment methodology, so an organization can adopt the methodology that best suits its needs. Additionally, the standard provides a note informing that its requirements align with the principles and generic guidelines provided in ISO 31000, so you can adopt the methodology used by the ERM section, considering only minor adjustments for it to cover the relevant aspects of information security.

    These articles will provide you further explanation about risk assessment and treatment:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - ISO 31000 and ISO 27001 – How are they related? https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/

    These materials will also help you regarding risk assessment and treatment:
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
  • Defining critical activities for BIA


    Answer:

    If this activity is considered critical to the business, and its disruption for an amount of time can make the business unrecoverable, then you must include it in the BC. The difference between this activity and the others is that while for other activities you may have to consider recovery on a daily time frame (i.e., the activity will be required the next day), for this specific activity you have to consider a weekly time frame for recovery (if not recovered on Monday/Tuesday, the activity will be required only the next week). In both cases you have to consider the worst-case scenario, i.e. that the disruption occurs at the worst possible moment.

    This article will provide you further explanation about performing BIA:
    - How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/

    These materials will also help you regarding performing BIA:
    - Implementing Business Impact Analysis according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/implementing-business-impact-analysis-according-to-iso-22301-free-webinar-on-demand/
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
  • Exclusion of clauses for ISO 13485 for small business

    Oseyuhono Oooxanfah bpf.xnzr.community.advisera.com.sbk.sr https://sl**********
  • Several questions about documents


    Answer: ISO 27001 does not prescribe any record to be kept in both electronic form and paper form, so the only justification for keeping a record in both formats is if you have business or legal requirements demanding this specific situation. If such requirements do not exist, then you can keep a record only in electronic form.

    For further information see:
    - Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/

    2. Is it allowed to have all records in electronic form?

    Answer: Considering answer 1, if you do not have business or legal requirements demanding records in paper form, you can keep all records in electronic form.

    3. Security Procedures for IT Department, Erasure and destruction records; commission for the destruction of data: Is it okay to write "Records of erasure/destruction must be kept for all data that is stored on the server" (as an example) if I'm not implementing the Information Classification Policy?

    Answer: In theory this is acceptable, but without information classification levels to decrease the need for such erasure and destruction records, you may end up with a greater effort to keep such records than the effort to administer classification levels and adopt an Information Classification Policy.

    4. Are there any specific requirements we must fulfill in order to have an adequate Training and Awareness Plan? Since the datacenter is the only location in the scope and it has adequate protection and security, I don't see a specific subject which the employees could gain knowledge about. All of them know the basic security principles; aside from that, they have a good understanding of how to assign and revoke access rights and such. A presentation concerning Security Awareness Training could be attended, but this would also include specific elements which are not relevant in the context of the scope.

    Answer: The objective of the Training and Awareness Plan is to help ensure persons are competent on the basis of appropriate education and training, by mapping gaps to be eliminated, so if your organization identifies that employees in the ISMS scope already have an acceptable level of competence, you can minimize the content of the plan (e.g., consider only awareness communication and refresher training).

    For further information see:
    - How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
    - 8 Security Practices to Use in Your Employee Training and Awareness Program https://advisera.com/27001academy/blog/2015/03/02/8-security-practices-to-use-in-your-employee-training-and-awareness-program/

    5. Training and Awareness Plan: "the following awareness-raising methods must be applied: information day, intranet articles, newsletter, joint meetings, e-learning, internal e-mail messages, video recordings.". Is it possible to adjust this list? We don't 'need' all of these in order to ensure that everyone has the adequate knowledge and skills.

    Answer: The list provided in the template is only a suggestion, so you can adjust it according to your needs, including or excluding activities.

    6. Confidentiality Statement: Is it mandatory to implement this document? We do have our own NDA, but this does not cover labeling.

    Answer: The confidentiality statement template included in the toolkit is not required if your organization already makes use of an NDA document, but if control A.8.2.2 Labeling of information is applicable, then you may have to adjust it so it is clear in the NDA how people can identify information classification levels, and thus handle information properly.

    7. If the unacceptable risks for a particular control are being transferred to a third party, what do we write for this control in the Statement of Applicability? Technically there are unacceptable risks for the control (so I don't think we can state that there are no unacceptable risks), but they are being transferred.

    Answer: In the scenario you stated, you must write that the control is applicable because there are unacceptable risks demanding its implementation, and in the implementation method column you can write that the defined treatment for the related risks is "risk transfer" and that this control is being implemented by a third party.
  • Gathering information from suppliers


    What are the mandatory resources needed to collect for review/risk assessment purposes from the application supplier/vendor?

    Answer:

    In a general manner you have these options to consider:
    - Propose to sign a Non Disclosure Agreement to have access to their policies
    - Ask for a general view only of these policies to see if they can fulfill your needs
    - Ask them about how they handle your specific risks related to this critical application

    If none of these alternatives is possible, you should consider whether the risk of taking over the application without this information is acceptable, or whether you should consider another supplier for this application.

    Regarding mandatory resources to collect, ISO 27001 is not prescriptive. The information you will need will depend on the results of risk assessment and legal requirements your organization has to fulfill.

    Based on risk assessment and legal requirements you can sign a service agreement with this supplier including security clauses that specify if the access to documentation is needed or not.

    These articles will provide you further explanation about managing suppliers:
    - 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
    - Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/