Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11269 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Platforms and documents managements
Answer:
I already worked with several SME that used Google Documents to manage documents and records. I consider it adequate for the task. Perhaps, with bigger organizations and more demanding requirements of security Google Documents is no longer adequate.
The following material will provide you information about managing documents:
- ISO 9001 – What kind of Document Management System (DMS) do you need for handling ISO documents? - https://advisera.com/conformio/blog/2020/08/11/what-kind-of-dms-you-need-for-handling-iso-27001-documents/
- free online training ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
Remote location certificate
Answer:
Since a remote site is a location that supports the main site and at which non-production processes occur, the documented information required will depend on the processes that are carried out at that location and will be audited accordingly to the activities performed in that small site. Actually your ISO 9001:2015 certificate might list your site as a remote site to the main one, so the certificate of the small unit would list a limited scope, for instance "Human resources, purchasing and management".
To learn more about documentation for remote locations in ISO 9001:2015 , you can see these materials:
- Article - List of mandatory documents required by ISO 9001:2015: https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
- Article - How to define the scope of the QMS according to ISO 9001:2015: https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
- Article - Certifying different legal entities under one certification scope: https://advisera.com/9001academy/blog/2018/03/27/certifying-different-legal-entities-under-one-certification-scope-in-iso-9001/
- Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
- ISO 9001:2015 Foundations Course: https://advisera.com/training/iso-9001-foundations-course/ -
Parent's right
Answer:
In the situation described by you the psychologist would act as a processor and would process the personal data you've mentioned on your behalf in order to provide the assessment. There are two things to be considered in this situation:
1. There needs to be a legally binding document between the school acting as a data controller and the psychologist acting as a data processor. These documents must comply with the requirements of EU GDPR art 28 – Processor (https://advisera.com/eugdpracademy/gdpr/processor/). You can find such template in your EU GDPR Documentation Toolkit (https://advisera.com/eugdpracademy/documentation/supplier-data-processing-agreement/).
2. The second thing is that you need to ment ion in your Privacy Notice(s) that personal data would be processed by third parties. You can find such template in your EU GDPR Documentation Toolkit (https://advisera.com/eugdpracademy/documentation/privacy-notice/) -
Data Subject access request procedure
Answer:
There is no bullet proof method. The first step is assessing the identity of the data subject to ensure you provide the response to the right individual. Once you do that it is irrelevant if you use email or sent a hardcopy by post. Another thing you need to factor in is the amount of data you need to communicate to the data subject, just imagine what it would be like if Google sent only hardcopies, there would probably be thousands of pages.
So my advice is to use your best judgment, as long as you are sending the data to the right data subject using a commonly used method of communications you should be ok.
To learn more about data subject rights check our webinar “Data Subject Rights under the EU GDPR” (https://advisera.com/eugdpracademy/webinar/data-subject-rights-under-the-eu-gdpr-free-webinar-on-demand/). -
Opportunities assessment
Answer:
First, what is an opportunity? An opportunity is something that can help an organization meet desired results or avoid undesirable results.
Second, look into your list of interested parties and cross it with your internal and external issues, considering your strategic orientation and quality objectives.
1. For example, considering your target customers, you can identify a social trend that can help your sales, or increase your brand strength. Or you can identify a technological trend that can open a niche segment.
2. For example, conside ring your internal issues can you identify strengths upon which your organization can seize opportunities? With SME, normally, I ask them if they can seize opportunities based on things like: authenticity; speed to market; responsiveness; flexibility; ...
The following material will provide you information about opportunities assessment:
- ISO 9001 – How to address risks and opportunities in ISO 9001 – https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
- book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
Incident and Service request priority
Answer:
Although it sounds logical, it's not necessary that incidents (or service requests) with high impact must have high urgency. For example, there is an incident or service request affecting reporting module in your ERP, part that deals with financial year reports. Although complete business of the company is in danger (like, reports submitted to the governance can't be made, or can't be made correctly), there is still plenty of time to resolve this.
Or, there is a service request, or bug, affecting some parts of the intranet (e.g. a part of intranet that affects all employees but does not a ffect business operation).
You can learn more in the article "All about Incident Classification" https://advisera.com/20000academy/knowledgebase/incident-classification/ -
Documenting disciplinary process
ISO 27001 does not require you to document control A.7.2.3 (Disciplinary process) as a separate document, neither does it require you to create a process flow chart.
As you mentioned, we included a section on how to handle disciplinary process in the "Incident management procedure" (folder 08 - A.16 in the toolkit), and this quite enough for a small company.
These materials will also help you regarding disciplinary process:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your
Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course
https://advisera.com/training/iso-27001-foundations-course/ -
Difference between ISO 27001 and locally published ISO 27001
Answer: I'm not familiar with the Colombian standards, but in most cases the local standards have the same (English) text as the original standard published by ISO, or they are directly translated into local language.
The point is - local ISO standards should not be different from the original ISO standard. -
ISO 27001 phases and corresponding outputs
Answer:
You can use the "List of documents" from our ISO 27001 toolkit which will show you the steps you need to take, and which documents we suggest filling out for each step: https://advisera.com/wp-content/uploads//sites/5/2015/06/List_of_documents_ISO_27001_Documentation_Toolkit_EN.pdf
Also, these materials might help you:
- ISO 27001 Project plan https://info.advisera.com/27001academy/free-download/project-plan-for-iso-27001-iso-22301-implementation
- Diagram of ISO 27001:2013 Implementation (PDF) https://info.advisera.com/27001academy/free-download/diagram-of-iso-27001-implementation-process -
Documenting controls from section A.14
I assume your first line refers to A.14.1.1 Information security requirements analysis and specification - we have a template called Specification of information system requirements https://advisera.com/27001academy/documentation/specification-of-information-system-requirements/
Regarding controls from A.14.2 we have this Security development policy https://advisera.com/27001academy/documentation/secure-development-policy/
By the way, ISO 27001 requires you to document only the control A.14.2.5 Secure system engineering principles.
Here are a couple of articles that will help you:
- How to set security requirements and test systems acc ording to ISO 27001 https://advisera.com/27001academy/blog/2016/01/11/how-to-set-security-requirements-and-test-systems-according-to-iso-27001/
- What are secure engineering principles in ISO 27001:2013 control A.14.2.5? https://advisera.com/27001academy/blog/2015/08/31/what-are-secure-engineering-principles-in-iso-270012013-control-a-14-2-5/
- How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/