
  • Question on risk assessment

    Please note that the purpose of the Risk Treatment Plan is to determine precisely who is responsible for the implementation of controls, in which time frame, with what budget, etc., so you do not need to present any risks in the Risk Treatment Plan

    For further information, see:

  • ISO 45001 Future Changes

    Although I am not on the technical committee, and cannot say for certain what will happen, I can predict a bit from what I know. In general, the ISO technical committees will look at the standards about every 5 years to see what changes are needed. If we look at the oldest management system standard (ISO 9001), this followed the cycle of a major release (1987), minor changes (1994), a major change (2000), minor changes (2008), and then a major change in 2015 to align with other management system standards. So, following this, I would expect minor changes in the next revision of ISO 45001, but nothing major. This will also be delayed a bit due to the delayed transition from OHSAS 18001 because of the pandemic, and future major changes will likely be harder to make where they affect the alignment with other ISO management system standards or where they change how any management system utilizes the management principles (such as the process approach).

    In short, I don’t see any revolutionary changes to being ISO compliant in the next 5 years.

    For a bit more on the crucial management principle of the process approach, see the article:

    • Process approach application in ISO 45001 implementation of health & safety https://advisera.com/45001academy/blog/2017/03/15/process-approach-application-in-iso-45001-implementation-of-health-safety/

    • ISO 27002

      This will depend on the date you want to be certified. If you want to be certified before March 2023, go with the 2013 revision; after March 2023, go with the 2022 revision.

      Please note that after the release of the new version of ISO 27001, any required changes will have a transition period to be implemented (this transition period is three years after the management system standard is released, which is plenty of time to do this transition for most controls).

      For further information, see

      • 11 most important facts about changes in ISO 27001/ISO 27002 https://advisera.com/27001academy/blog/2022/02/09/iso-27001-iso-27002/
      • Should you start implementing ISO 27001 2013 or 2022 revision? https://advisera.com/insight/chatbot-implement-iso-27001-2013-or-2022-revision/

      • Control 6.6 – Confidentiality or Non-Disclosure Agreements - NDA compliance

        Since this is a legal issue more than one related to information security risks, the better option would be for the employees of Ycompany to sign the NDA of Xcompany, because, as the acquiring company, the NDA of Xcompany will have broader coverage than the one from Ycompany.

      • Data privacy

        According to Article 4 GDPR – Definitions, a Data Controller means “the […] legal person, […] which, alone or jointly with others, determines the purposes and means of the processing of personal data” while the Data Processor means “a […] legal person […] which processes personal data on behalf of the controller”. The basic difference between the controller and the processor is that the controller has a large degree of autonomy in how it determines the processing operations and purposes for processing, while the processor has almost no autonomy – it processes the personal data according to the controller’s requests.

        If you want to be a Data Processor, you should ensure logical separation of customers' environments, full customer control over their tenants, the ability to download/delete their data, etc. You could allow your customers to connect to other providers via your ecosystem, whether your providers are controllers or processors (for your customers) or subprocessors (for your customers, but subcontracted by you).

        If you want to perform telematics on customer data (such as recording performance data in order to improve your ecosystem), you might become a joint controller in the relationship with your customers.

        At Advisera we have an EU GDPR Documentation Toolkit that can help you on your journey to becoming GDPR-Compliant using a step-by-step approach. It contains 39 document templates – unlimited access to all documents required by GDPR, access to video tutorials, email support, expert review of a document, and one hour of live one-on-one online consultations with a GDPR expert. It contains templates for Supplier Data Processing Agreements that you can use with your suppliers or with your customers, an International Personal Data Transfer Procedure as well as guidelines on how to fill the Standard Contractual Clauses needed for personal data exports outside of the European Union.

        Please also consult these links:

      • GDPR - which mailing is allowed?

        Article 15 GDPR is about the right of access, and it allows a data subject to request confirmation that his/her personal data is processed and, if so, to receive a copy of the personal data that is processed as well as information related to the purposes, the categories of personal data concerned, and other key information. Regarding your question, you have 30 days to send the data subject all the details required by Article 15. At Advisera we have an EU GDPR Documentation Toolkit that you can purchase in order to help you answer the data subject access request using a dedicated procedure and specific templates. You can also purchase only the Data Subject Access Request Procedure and the data subject disclosure form, at the links below.

        I also recommend that you take our free GDPR courses, the GDPR Foundations Course and the GDPR DPO Course, at the links below:

      • ISO 9001 - Company's organization log

        Forms are a particular kind of document. Documents need to be controlled according to ISO 9001:2015 clause 7.5. It must be clear which documents are relevant to the system, who has the authority to approve them, and which version is in force, and they must be accessible to those who need them.

        If documents are paper-based, you need a log to record this kind of information. A form needs an identification, a name, and a way of evidencing the revision number, so it is easy to check whether it is the latest version.

        If documents are digital, you still need a log to record almost the same information. Normally, a digital form does not evidence a revision number; we expect that the version online is the approved and latest version.

        So, I think you should develop that log.

        You can find more information about documentation below:

      • Backup Policy and the Cloud Storage

        Even though the backup is done automatically, in the Backup Policy you need to describe how this is done, together with the backup frequency and the way you will test backup restoration.

      • ISO 27001 Stage 1 & 2 Audits

        The standard ISO 17021, which defines requirements for bodies providing audit and certification of management systems, in its clause 9.3.1.2.4 requires certification bodies to determine an interval between performing the stage 1 and stage 2 audits, but it does not prescribe any specific interval, so the interval is defined according to each accreditation body.

        Common practice is an interval between 30 and 90 days.
