Search results


  • Maintaining GDPR documentation


    Answer: You would need an Inventory of Processing Activities only if (a) the company has more than 250 employees; or (b) the processing the company carries out is likely to result in a risk to the rights and freedoms of data subjects; or (c) the processing is not occasional; or (d) the processing includes special categories of data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation); or (e) the processing includes personal data relating to criminal convictions and offenses.
    A DPIA is necessary only if the type of processing is likely to result in a high risk to the rights and freedoms of individuals. To assess whether something is ‘high risk’, the GDPR is clear that you need to consider both the likelihood and severity of any potential harm to individuals. ‘Risk’ implies more than a remote chance of some harm. The DPIA Register in the EU GDPR Documentation Toolkit has the first questions set up as threshold questions. If your answer to any of those questions is "Yes", then you need a DPIA.

    2. Do we always have to perform both of these activities every time we use the customers' data? Does this only apply to customers' data that resides in the EU?

    Answer: No, you just need to do it once as long as the processing stays the same. It should only be undertaken if the personal data processed is of data subjects in the Union.
  • GDPR processor question


    Answer:

    Your question is much too broad to be able to provide you with a spot-on answer. What I can suggest is setting up a process for detecting and reporting data breaches to the data controllers, training your staff on how to manage personal data in a responsible manner, regulating any international data transfers if any, and making sure you can respond to requests from data controllers asking you to delete, modify or transfer personal data. To find out more about the EU GDPR, check out our free EU GDPR Foundations Course (https://advisera.com/training/eu-gdpr-foundations-course//).
  • ISO 27001 and COBIT

    I mean, can an organization using COBIT alone have an ISMS in place exactly like one using 27001?

    Answer:

    Although COBIT and ISO 27001 have some requirements in common, some requirements are exclusive for each framework, so it is not possible to be compliant with ISO 27001 only by fulfilling COBIT requirements.
  • Templates for ISO/IEC 27033-2


    Answer:

    Some elements of our ISO 27001 Documentation Toolkit can help you gather information for ISO 27033:
    - Procedure for Identification of Requirements https://advisera.com/27001academy/documentation/procedure-for-identification-of-requirements/
    - List of Legal, Regulatory, Contractual and Other Requirements https://advisera.com/27001academy/documentation/list-of-legal-regulatory-contractual-and-other-requirements/
    It is important to note that these are two different standards, so these documents may not cover the complete ISO 27033 requirements.
  • Updating auditor competence

    I need to carry out an internal audit to the ISO 14001:2015 version, so if I had internal awareness training for the updates to the new standard ISO 14001:2015, would this be enough evidence for external auditors such as SGS?

    Answer:
    Strictly by the book, internal auditor competence is defined and settled by the audit customer, for example, a management system audit program manager. So, as long as you can evidence the competence requirements of your organization, there should be no problem. Having said that, I must confess that I have already found some third-party auditors wanting, besides the training for the update to the new standard, some kind of training on risk-based thinking (RBT) for internal auditors. Perhaps because they were not satisfied with the RBT approach of the audited organization. Also, I can imagine that some external auditors will start checking to see if internal auditors had any training on the update to the ISO 19011:2018 version. But remember my first statement.

    By the way, an odd thing happened in the ISO 9000:2015 and ISO 19011:2018 definition of auditor: it no longer mentions the word competence.

    The following material will provide you with information about internal auditor requirements:
    - ISO 14001 – What competences should an ISO 14001 internal auditor have? - https://advisera.com/14001academy/blog/2016/07/04/what-competences-should-an-iso-14001-internal-auditor-have/
    - free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • Identification of field failures

    Answer:
    Identification of potential field failures represents potential points in the process where the process can fail, meaning that the outcome of the process is not in line with the specifications. FMEA analysis, especially PFMEA analysis, is one of the tools for such analysis. A failure of function, for example, can be the failure of the purchasing process in the quantity of purchased items (bought more than needed).

    To find out more about FMEA please see our article:
    https://advisera.com/16949academy/blog/2017/09/06/what-is-fmea-and-how-to-apply-it-in-iatf-16949/

    2. How can we do that for 'identification'?
    Answer:
    Identification of failures can be done by looking at the process itself and reporting failures. An example can be in production, where the process is monitored and every failure of the process that is out of specification is recorded.
  • Opportunities in ISO45001

    Opportunities are not necessarily related to the risks. OH&S opportunities are about reducing or eliminating the risks associated with hazards, so for these you can think of how to make the risk less as an OH&S opportunity, but other opportunities are not necessarily from risks. These are top level opportunities that you might identify as part of a SWOT analysis or other strategic planning process to identify uncertainties you can capitalize on.


    You can read a bit more on the SWOT analysis in the article: Benefits of SWOT analysis in ISO 45001, https://advisera.com/45001academy/blog/2019/05/27/iso-45001-swot-analysis-what-are-the-benefits/

  • ISO 9001 for a single person company


    Answer:

    Implementing ISO 9001:2015 in a single-person Ltd company is possible, and in fact it should be quite straightforward because you won't have to deal with certain issues, such as communication problems, that usually arise in larger organizations.

    Regarding your question about whether achieving certification is relevant for a single-person company: as with anything else in business, you will need to evaluate the costs versus the benefits of implementing the standard. If you determine that you will gain some work that you otherwise wouldn't be eligible for, then you should consider implementing ISO 9001.

    To learn more about achieving ISO 9001 in a small company you can see these materials:
    - Article - Checklist of ISO 9001 implementation and certification steps: https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
    - Article - Benefits of ISO 9001 implementation for small businesses: https://advisera.com/9001academy/blog/2018/09/17/benefits-of-iso-9001-implementation-for-small-businesses/
    - Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - ISO 9001:2015 Foundations course: https://advisera.com/training/iso-9001-foundations-course/
  • EU GDPR and Supervisory Authority


    Answer: Where the extra-territorial provisions of the EU GDPR apply, the controller or processor must appoint a representative. That representative must be based in a Member State in which the relevant individuals are based. There is a limited exemption to the obligation to appoint a representative where the processing is occasional, where it is unlikely to be a risk to individuals and it does not involve large scale processing of sensitive personal data.

    2. The regulation appears rather vague on the data subjects: is it EU CITIZENS or EU residents?

    Answer: The regulation is crystal clear and it refers to data subjects “in the Union”. The EU GDPR will only apply to personal data regarding individuals within the Union, while the nationality or habitual residence of those individuals is irrelevant. If you want to find out more about the EU GDPR, check out our free EU GDPR Foundations Course (https://advisera.com/training/eu-gdpr-foundations-course//).
  • Controls selection

    Another concern is that CIS20 does not have (HR and physical security), whereas 27002 does. The proposed scope of the XXXXXX ISMS will not include (HR and physical security); it would include only relevant CIS20 controls. (I understand I can add others, but due to scope do not want to add.) So my question is … Can XXXXXX have a certified 27001 ISMS using CIS20 controls only?

    Answer:

    First, it is important to note that all controls from ISO 27001 Annex A (those controls are the same as the ones in ISO 27002) must be considered during an ISMS implementation compliant with ISO 27001. For all controls from Annex A you have to identify whether they are applicable or not, and justify why they are applicable or not.

    Second, most of the CIS 20 controls can be related to ISO 27001 Annex A controls (e.g., the CIS control “Inventory and Control of Hardware Assets” can be related to ISO 27001 controls “A.8.1.1 Inventory of assets” and “A.8.1.2 Ownership of assets”), so in a sense, when you implement CIS 20 controls you are considering particular controls from Annex A as applicable.

    However, you will need to list all the ISO 27001 controls that are not covered by CIS 20 and decide whether they are applicable or not.

    This article will provide you further explanation about selecting controls:
    - The basic logic of ISO 27001: https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    This material will also help you regarding ISO 27001:
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - Overview of ISO 27001:2013 Annex A https://advisera.com/27001academy/iso-27001-controls/