  • Criminal background check


    Answer:

    If you or the company are in one of the EU Member States, then the EU GDPR is applicable. This means that the company would need a legal ground to conduct the background check. Because background checks usually reveal sensitive or criminal conviction data, the most common legal ground used in this type of situation is consent. So the hiring company should have asked for your consent before performing the background check. Moreover, they should also have explained to you, via a privacy notice, why the background check is needed, what data they would be processing about you, how long they would keep it, as well as what your rights are regarding your data. If the company hasn't done so, then they have indeed breached the provisions of the EU GDPR.
    If you want to find out more about consent, check out this article: Four main questions for obtaining and managing data subjects’ consent under GDPR (https://advisera.com/eugdpracademy/knowledgebase/four-main-questions-for-obtaining-and-managing-data-subjects-consent-under-gdpr/).
  • ISO 27001 and GDPR trainings


    Answer:

    For information security these are some security practices you should consider (without more information about your context it is not possible to suggest additional alternatives):
    - Authentication
    - Network connection
    - Access to device
    - Physical security
    - Data encryption
    - Backup
    - Software installation and patching
    - Basic security “hygiene”

    As for GDPR, we provide two free courses that can help you enhance your knowledge about the EU GDPR:
    - EU GDPR Foundations Course (https://advisera.com/training/eu-gdpr-foundations-course//) (which is a more general course)
    - EU GDPR Data Protection Officer Course (https://advisera.com/training/eu-gdpr-data-protection-officer-course/) (for more in-depth knowledge).

    This article will provide you with further explanation about security practices:
    - 8 Security Practices to Use in Your Employee Training and Awareness Program https://advisera.com/27001academy/blog/2015/03/02/8-security-practices-to-use-in-your-employee-training-and-awareness-program/

    This material will also help you with awareness and training:
    - Free Security Awareness Training: https://advisera.com/training/awareness-session/security-awareness-training/ - this is a series of 25 videos that cover various topics related to security.
  • Product safety characteristics


    Answer:
    Product safety is a new clause of the IATF standard, but it was certainly a requirement before, just spread across other clauses.
    The requirement states that all preventive actions that are used as a control of product safety during manufacturing should be included in the documented safety process. So, anti-rust oil applied for the preservation of the part is a safety characteristic because it is used to prevent risk.

    We suggest the following articles for further explanation:
    -Ensuring product safety according to IATF 16949: https://advisera.com/16949academy/blog/2017/09/20/ensuring-product-safety-according-to-iatf-16949/#comment-4232137428
    -Product Safety Procedure: https://advisera.com/16949academy/documentation/product-safety-procedure/
  • Quality objectives and construction projects


    Answer:
    First, remember that good quality objectives should be consistent with the quality policy of your organization.
    Yes, a good quality objective can be a decrease in nonconformities during construction projects.

    2. “To conduct at least 3 internal audits per annum for the project. For every External NCR issued by the consultant, One internal NCR shall be issued. Can these be a Quality objective for a construction project?”

    Answer:
    These proposals can be considered rules that your organization intends to follow, but they are not very demanding as quality objectives. What do clients want from your organization’s construction projects? What does your top management want from your organization’s construction projects? Satisfied clients? No delays? No defects? No budget overruns? These ideas can be raw materials for your organization’s quality objectives.

    The following material will provide you with more information about quality objectives:
    - ISO 9001 – How to Write Good Quality Objectives - https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
    - Free webinar – Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • ISO 27001 and SOC


    Answer:

    The main functions of a SOC are to monitor, detect, investigate, and respond to cyber threats. Considering that, the most probable ISO 27001 controls you have to consider for a SOC are the controls from sections A.12.4 Logging and monitoring, A.12.6 Technical vulnerability management, A.13.1 Network security management, and A.16.1 Management of information security incidents and improvements.

    Regarding possible questions, I suggest you take a look at these sections in our ISO 27001 Gap Analysis Tool at this link: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/

    These articles will provide you with further explanation about controls from these sections:
    - Logging and monitoring according to ISO 27001 A.12.4 https://advisera.com/27001academy/logging-according-to-iso-27001/
    - How to use penetration testing for ISO 27001 A.12.6.1 https://advisera.com/27001academy/blog/2016/01/18/how-to-use-penetration-testing-for-iso-27001-a-12-6-1/
    - How to manage technical vulnerabilities according to ISO 27001 control A.12.6.1 https://advisera.com/27001academy/blog/2015/10/12/how-to-manage-technical-vulnerabilities-according-to-iso-27001-control-a-12-6-1/
    - Using Intrusion Detection Systems and Honeypots to comply with ISO 27001 A.13.1.1 network controls https://advisera.com/27001academy/blog/2016/07/04/using-intrusion-detection-systems-and-honeypots-to-comply-with-iso-27001-a-13-1-1-network-controls/
    - How to handle incidents according to ISO 27001 A.16 https://advisera.com/27001academy/blog/2015/10/26/how-to-handle-incidents-according-to-iso-27001-a-16/
  • Integrating management systems


    Answer:

    All ISO management systems published after 2012 have the same general structure, and this makes integrating them a lot easier. In the integration process you should consider two phases:
    1 – Integration of the common parts of the ISO management systems, e.g., control of documents, internal audit, management review, etc. These basically all have the same requirements, requiring only minor adjustments to refer to all the systems covered.
    2 – Integration of the specific parts of each system (basically sections 6 and 8 of each standard). Regarding ISO 27001, this means including in the organizational processes the activities related to the information security risk assessment and treatment processes.

    Regarding the audit of integrated standards, you just need to plan the audit considering a single approach to the common requirements and specific approaches for the core of each one (e.g., a single checklist for the common requirements and checklists specific to the main part of each standard).

    These articles will provide you with further explanation about integrating ISO management systems and defining audit checklists:
    - How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/
    - Using ISO 9001 for implementing ISO 27001 https://advisera.com/27001academy/blog/2010/03/08/using-iso-9001-for-implementing-iso-27001/
    - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

    This material will also help you regarding audits:
    - ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
  • ISO 27001 Annex A controls

    Though, we will also be implementing A.8.1.2 (assigning an owner to each asset identified).
    Also, in our SoA we have set A.8.1.1 “inventory of assets” as “no”, the reason being that we already have an inventory of assets (as stated above, we will be assigning asset owners) and during the risk assessment none of the risks we found was related to the asset inventory.
    With this scenario, I am inclined to think that we should have a risk item within the risk assessment/treatment documents directly related to this (inventory of assets). Then, once we have assigned an asset owner to each identified asset, we can close this risk item with control A.8.1.1. In turn, in our SoA, A.8.1.1 will then be “yes”?

    Answer:

    Any control from ISO 27001 Annex A must be applied only if one of the following occurs:
    - There are risks identified as unacceptable in the risk assessment that require the implementation of the control
    - There are legal requirements (e.g., contracts, laws, and regulations) that require the implementation of the control
    - There is a top management decision requiring the implementation of the control

    If none of these occurs, there is no need to implement any control considering the ISO 27001 requirements.

    So, considering your scenario, if you already have an inventory of assets implemented, in your SoA the control must be considered "Applicable", and for the justification you should verify why the inventory was implemented (e.g., because of a negative situation that occurred, because a risk was identified well before the ISMS implementation started, because you had a legal requirement to fulfill, or because top management considered the inventory a good practice to be implemented). There is no obligation for a risk to be used as the justification for a control to be applicable. The same rationale applies to control A.8.1.2 as well.

    This article will provide you with further explanation about selecting controls:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
  • Scope of an IMS (integrated management system)


    Answer:

    If right now your organization only wants to implement one standard, in this case ISO 9001:2015, you only need to determine the scope for the Quality Management System. If in the future you decide to integrate that standard with others, then you should define the scope for that Integrated System, preferably with a single scope. You could also establish different scopes for different standards, but I do not recommend it, since the integration would be very complex.

    These materials can help you with defining the scope of a management system:
    - Article - How to define the scope of the QMS according to ISO 9001:2015: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/como-definir-el-alcance-del-sgc-de-acuerdo-a-la-iso-90012015/
    - Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - ISO 9001:2015 Foundations Course: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
  • Data processor's contractual obligations


    Answer:

    If you receive the data from the controller and you are acting as a processor, you need to process the data only based on the controller's instructions. So, if the controller does not instruct you to enter into contracts with the data subjects, you may be in breach of the Processing Agreement you have with the controller. Moreover, you may also have a non-competition clause in the commercial agreement with the controller forbidding you to “steal” the controller's customers. Anyway, it is difficult to say unless I have all the details.
    To find out more about what processors are allowed to do, check out this article: EU GDPR controller vs. processor – What are the differences? (https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/)
  • Training requirements about ISO 9001:2015

    Employees should be trained on the requirements of ISO 9001:2015 that apply to their job titles and duties.
    The following material will provide you with information about competency:
    - How to ensure competence and awareness in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-ensure-competence-and-awareness-in-iso-90012015/
    - Free course - ISO 9001 Foundations - https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/