Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11269 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Acciones preventivas vs. acciones para abordar riesgos y oportunidades
Respuesta:
Como mencionó, en la nueva versión de la norma, ya no existen requisitos de acciones preventivas, sino que debe definir los riesgos y las oportunidades. Su organización puede decidir que esas recomendaciones y observaciones sean riesgos / oportunidades potenciales, por lo que deberá determinar el nivel de esos riesgos / oportunidades y luego planificar las acciones para abordar esos riesgos y oportunidades, que pueden incluir mitigación, aceptación, transformación en oportunidades, etc. No necesita un formato específico para planificar las acciones; por ejemplo, puede descargar una vista previa gratuita de nuestro Procedimiento para abordar riesgos y oportunidades: https://advisera.com/9001academy/es/documentation/procedimiento-para-abordar-riesgos-y-oportunidades/
Para obtener más información sobre los riesgos y las oportunidades, puede ver estos artículos:
- El enfoque basado en riesgos reemplazando las acciones preventivas en la ISO 9001:2015: los beneficios: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/el-enfoque-basado-en-riesgos-reemplazando-las-acciones-preventivas-en-la-iso-90012015-los-beneficios/
- Cómo abordar los riesgos y oportunidades en ISO 9001: https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
Estos materiales también pueden ayudarle con los riesgos y las oportunidades en ISO 9001: 2015:
- Libro - Descubra ISO 9001: 2015 a través de ejemplos prácticos: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
- Curso de Fundamentos ISO 9001: 2015: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
- Conformio - Herramienta de cumplimiento en línea: https://advisera.com/conformio/ -
GDPR tips
Now my question, whether this makes sense and whether this approach could be fatal to us. Unfortunately, it is not possible for us, e.g. 100% free for 1 month only for GDPR activities. Since you certainly have experience, also in terms of the scope, I am very curious about your tips and hints.
Answer:
First I would like to start by mentioning that a DPO is not necessary to be appointed unless (a) the processing is carried out by a public authority or b ody, except for courts acting in their judicial capacity; or (b) the core activities of the legal entity consist of processing operations which, by their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the legal entity of processing on a large scale of special categories of data pursuant to Article 9 of the EU GDPR and personal data relating to criminal convictions and offences referred to in Article 10 of the EU GDPR. If you could link the implementation of ISMS together with GDPR it won’t constitute an issue.
To learn more about ISMS and GDPR check out our articel “Does ISO 27001 implementation satisfy EU GDPR requirements?” (https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/). -
Contracting and GDPR
2. We buy contacts data bases from Poland(EU) company for direct marketing purposes. Should we inform the addressee from these DBs about source of their contacts and is this business lawfully at all?
Answers:
1. To transfer personal data from EU to a third country certain safeguards need to be set up according to Chapter V of the EU GDPR “Transfers of personal data to third countries or international organizations” (https://advisera.com/eugdpracademy/gdpr-text/transfers-of-personal-data-to-third-countries-or-international-organisations/). One of the most used safeguards are the Standard Contr actual Clauses which were drafted by the EU Commission to regulate the transfer the data to third countries. To find out more about transfers of personal data check out webinar “How to make personal data transfers to other countries compliant with GDPR” (https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/).
2. When obtaining personal data from a third party you would need to provide to the data subject an adequate Privacy Notice as required by article 14 of the EU GDPR “Information to be provided where personal data have not been obtained from the data subject” (https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-have-not-been-obtained-from-the-data-subject/). To find out more about privacy notices check out our webinar “Privacy Notices Under the EU GDPR” (https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/). -
Software tools for BIA
Answer: Only some activities related to ISO 22301 can be semi-automated (e.g., control of documents, controls measurement, etc.). Being a management system, ISO 22301 still requires some human intervention to analyse and evaluate information, including performing BIA, so for small and mid-size business we do not recommend nothing more complex than a spreadsheet to help organize information needed for BIA.
This article will provide you further explanation about automated tool:
- When to use tools for ISO 27001/ISO 22301 and when to avoid them https://advisera.com/conformio/blog/2021/06/24/toolkit-vs-conformio-which-is-more-applicable-for-my-company/ -
Audit procedure and information logging
Answer: For an audit procedure, I suggest you to take a look at the free demo of our Internal Audit Procedure at this link: https://advisera.com/27001academy/documentation/internal-audit-procedure/
If I understood correctly, you want to know what should be logged by systems to be used as evidence in an audit. "Audit logging" is not a term used by the standard and may lead to misunderstandings.
Considering you are referring to what should be logged, you should look for legal and contractual requirements you must fulfil and the results of risk assessment (unacceptable risks ca provide you information about what should be logged). For IT systems, the most common logs are related to date, time, IP address (both from origin and destination), user (both common users and administrators), action performed (e.g., login attempts, modifications on configurati ons, etc.) and results (success or failure).
These materials will also help you regarding audits:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/ -
Subscription services
2. Consent :
We currently have 'Contact form' on our website. We need to take consent of a person to contact him / her to resolve their queries (for which they are contacting us) and send him / her periodic updates about our products and events etc. We may be sharing their data with third party marketing service provider in case they opt for receiving periodic updates. Our privacy notice talks about third parties. Is it okay to give reference of our privacy policy in the consent form ? Instead of having a long consent form can we just ask the user to refer to privacy policy for details such as data shared with third parties ?
3. Revoking the consent to send emails with periodic updates - We do not provide facility of creating user id etc on our Website. Based on data collected from contact form, we send newsletters and product updates. We have an 'Unsubscribe' option in periodic updates email that we send.s it necessary to provide 'Unsubscribe' option on website also - e.g. should we have a link -
Required documented information
Answer:
Please check clause 4.4.2, “To the extent necessary, the organization shall” and then “a) maintain documented information to support the operation of its processes”. ISO 9001:2015 has no requirement making procedures mandatory. So, according to the advice from 4.4.2 a) it is up to each organization to evaluate the value added of creating, or not, a documented procedure.
The f ollowing material will provide you information about documented procedures creation:
- ISO 9001 - List of mandatory documents required by ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
- New approach to document and record control in ISO 9001:2015 https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
- Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
The life cycle perspective
Answer:
Your organization must make provisions for all environmental aspects during the whole lifecycle, including end of life. Identify all relevant steps after the product leave the plant or the service is provided, and for each step determine possible aspects and impacts. I always give the example of manufacturing AA batteries, imagine what a consumer can do after the battery becomes dead. That is why packaging tries to influence consumers to give a proper final disposition. A normal procedure for aspects and impacts determination can be used as long as the methodology applies to those steps after selling.
The following material will provide you information about implementing the life cycle perspective:
- ISO 14001 – Lifecycle perspective in ISO 14001:2015 – What does it mean? https://advisera.com/14001academy/blog/2017/02/20/lifecycle-perspective-in-iso-140012015-what-does-it-mean/
- How does pro duct life cycle influence environmental aspects according to ISO 14001:2015? https://advisera.com/14001academy/blog/2016/03/21/how-does-product-life-cycle-influence-environmental-aspects-according-to-iso-140012015/
- ISO 14001 documentation Toolkit https://advisera.com/14001academy/iso-14001-documentation-toolkit/
- free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
- book - THE ISO 14001:2015 COMPANION – A A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/ -
Scope definition
Can you please help?
Answer: According to ISO 27001, an ISMS scope must be defined in terms of information, locations or business units to be protected, considering the organization's objectives and context. For your scenario, beside which type of information (e.g., customer data, R&D information, etc.) you should consider which locations and sectors should be part of the ISMS
These articles will provide you further explanation about defining scope:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
These materials will also help you regarding defining scope:
- Book Secure & Simple: A Small-Business Guide to I mplementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
Filling the risk assessment template
Answer: If you have existing measures you believe are related to the identified risk, you have to include them in the last column, even if the risk value falls as an acceptable risk. Probably these measures are the reason for the low value of the risk and your organization must be aware of them in the risk assessment and treatment process.
By the way, included in the toolkit you have access to a video tutorial that can help you fill the risk assessment template.