For the most part, the content of a Data Processing Agreement can be the same, as all such documents are based on the requirements of EU GDPR Article 28 – Processors. However, the scope, purpose and duration, as well as the types and categories of personal data being processed, vary depending on the service.
You can find a suitable template at https://advisera.com/eugdpracademy/documentation/supplier-data-processing-agreement/. The main body of the agreement should be applicable across the board to all services, and Annex 1 should be filled in with the details related to the scope, purpose, categories of data and duration of the processing.
GDPR Supervisory Authority in Africa
Answer:
Based on your description, it doesn't seem that the EU GDPR is applicable to you as you don't process personal data of data subjects in the EU. If you want to find out more about the EU GDPR, check out our free EU GDPR Foundations Course (https://advisera.com/training/eu-gdpr-foundations-course//).
Filling SoA
Answer:
To perform the identification of applicable controls for the Statement of Applicability you need to consider:
- The results of risk assessment (risks identified as unacceptable will require the implementation of controls)
- Contracts, laws, regulations and other legal requirements that demand the implementation of controls (e.g., performance levels in Service Level Agreements, data protection under GDPR, etc.)
- Top management decisions about controls to be implemented that are not related to the previous reasons (e.g., because top management considers them good market practice).
Answer:
We do not have an Excel checklist for gap analysis, but we do have an online tool to help with this assessment. As you have stated, it is designed to ask in a simple manner which parts of the ISO 45001:2018 requirements are already in place, so that you can assess how much there is left to do.
To find this online ISO 45001 Gap Analysis Tool, go to https://advisera.com/45001academy/iso-45001-gap-analysis-tool/
Difference between clauses 4.4 and 8.1
I have consulted the 'clause by clause' and 'what to do' publications too, and yet find it difficult to comply regarding the documentation and record keeping of our QMS.
Answer:
The main difference is that clause 4.4 is much broader, covering planning for the entire Quality Management System, while clause 8.1 covers planning for all operational aspects of the QMS, i.e., design, customer requirements, purchasing, etc.
Answers:
The AS9100 Rev D standard does not talk specifically about this issue; it only states in clause 7.5.2c (creating and updating) that documented information is reviewed and approved for suitability and adequacy, and leaves the decision on how to do this appropriately to the organization. In fact, in a small organization you may have only one expert in a certain process, so that an adequate reviewer is not available (AS9100 is written for all types of organizations). That being said, it is difficult to see how one person could review their own work, and a second-person review can be very helpful to highlight potential issues in a document.
It is important to remember that this clause only talks about QMS documented information, and not the information covered by clause 8.1.2 for configuration management, which deals with control of the physical and functional attributes of the products or services, which often include drawings, specifications, etc. In the end it also comes down to what customer and legal requirements are imposed on you for approval of certain documentation, so make sure you consult these requirements as well.
For more information on understanding the AS9100 documented information clause, see this article: A new approach to document and record control in AS9100, https://advisera.com/9100academy/knowledgebase/new-approach-to-document-and-record-control-in-as9100/
What does ISO 45001 add to SAMTRAC
2. Do I need to do it, or are SAMTRAC and safety management enough?
Answers:
1. The ISO 45001:2018 standard is an internationally recognized standard that includes all of the processes which are agreed to be necessary for a comprehensive system to manage and improve OH&S performance in the workplace. The standard goes beyond simply meeting legal requirements and managing risk; it also includes the need to improve the processes and OH&S performance over time. This improvement focus, along with the need to integrate OH&S processes into the business processes, is an addition in the ISO 45001 standard which goes beyond just managing safety and OH&S risk. This being said, ISO 45001:2018 is a document which contains the requirements for an organization to implement, and is not something that an individual can be certified to. An individual can only understand how to implement the standard, and be trained to implement and audit the requirements.
2. This depends on what you wish to do. SAMTRAC deals with occupational risk management, and fits in very well with the overall safety management processes. Using the ISO 45001:2018 standard to understand all of the requirements of a world-recognized OH&S management system can help you to understand how safety and risk management integrate into the processes of the company, which could be very useful for anyone you are going to consult.
For more information on understanding the ISO 45001 clauses, see this whitepaper: Clause-by-clause explanation of ISO 45001:2018, https://info.advisera.com/45001academy/free-download/clause-by-clause-explanation-of-iso-45001
ISO 45001 Risk and opportunity process
Answer:
The ISO 45001:2018 standard does not require any specific method for identifying and assessing risks and opportunities. Many companies will do this by brainstorming the risks and opportunities that they know exist for the OHSMS, and then determining if they need to do something, and if so what those actions will be. For most companies this will be the easiest and most effective process to start with, and they may adapt their risk and opportunity assessment as they find improvements.
For more information on the risk & opportunity requirements, see this article: What are the new requirements for risks and opportunities according to ISO 45001?, https://advisera.com/45001academy/blog/2018/04/25/what-are-the-new-requirements-for-risks-and-opportunities-according-to-iso-45001/
Academe's suppliers
Answer:
Yes, criteria for evaluation and selection of suppliers (clause 8.4.1) is a mandatory document. If you consider graduated students as your school products, we can see your system as
We can ask what products or services the school uses as inputs to perform its services. Once I helped a school implement its quality management system, and I remember that they considered as suppliers:
* Transportation services;
* Canteen services;
* Cleaning services;
* Accommodation services;
* Maintenance services;
…
Perhaps you can use these examples as inspiration for your case.
Reference to the Recovery strategy for IT infrastructure in the Statement of Applicability is needed only for companies that want to be compliant with ISO 22301 together with ISO 27001. If you are going for ISO 27001 only, we do not recommend that you do the Recovery strategy for IT infrastructure, because it will complicate the whole process; instead, for control A.17.2.1 we recommend that you refer to the Disaster Recovery Plan, which you can find in your toolkit in the folder 08 Annex A - A.17 Business continuity.