EN 9100 includes all of ISO 9001 plus additional requirements, for example on planning for product realization, design and development, purchasing, and improvement.
2. Similarly, xxx’s other clients, which are case study participants, share their personal data with xxx.
3. Do we require their consent?
4. The GDPR implementation deadline was in May. What kind of impact does that have?
Answers:
1. Consent would be required if you are targeting individuals and not companies, and usually when the email notification refers to advertisement. If the notifications are used to communicate based on an existing contract with a customer, then consent is not required, as the legal grounds for processing would be “contractual obligation”. The EU GDPR does not require a specific process to obtain consent. You just need to ensure that consent is a freely given, specific, informed and unambiguous indication of the individual’s wishes. As data controller you must keep records so you can demonstrate that consent has been given by the relevant individual.
2. Using an attorney at law is entirely up to you; such a thing is not regulated in the EU GDPR.
3. If the sharing and processing of personal data is based on a contract, then consent is not required, as the legal grounds for processing is “contractual obligation”.
4. The question is much too broad to be addressed, as the impact is different based on the processing activities of each individual company. The impact is that all companies which are processing personal data and fall under the GDPR need to comply with specific requirements, or they risk being fined up to 4% of their turnover.
For the purpose of your question to define “large scale” the following factors need to be considered:
- The number of data subjects concerned - either as a specific number or as a proportion of the relevant population
- The volume of data and/or the range of different data items being processed
- The duration, or permanence, of the data processing activity
- The geographical extent of the processing activity
Examples of large-scale processing could include:
- processing of patient data in the regular course of business by a hospital;
- processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards);
- processing of real-time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialized in providing these services;
- processing of customer data in the regular course of business by an insurance company or a bank;
- processing of personal data for behavioral advertising by a search engine;
- processing of data (content, traffic, location) by telephone or internet service providers.
For example:
Asset name:
Laptop Nr 1
Laptop Nr 2
...
Laptop Nr 20
or
Asset name:
Laptops
Mobile phones
System software
Development software
Answer: You can group your assets in classes, using separate classes only when you have to consider different treatments for the same type of asset (e.g. you have development laptops and management laptops, or corporate phones and personal phones, etc.).
By the way, included in your toolkit, you have access to video tutorials that can help you fill in the risk assessment table.
BCP sites
Answer: ISO 22301 does not require separate sites for each critical activity/department when defining BCP plans, so this decision is up to each organization, considering its available resources and defined recovery objectives. But I should say that this is a very unusual situation, and most of the time a single BCP site is enough to support a BCP plan.
Answer:
Please check at the end of clause 0.1 of ISO 9001:2015 what is written about the word “shall”: shall is a requirement. How do I, as an auditor, audit the “shall” in clause 7.1.1? I do not ask directly; I look for evidence. For example, looking into process performance indicators, complaints, returns and recalls, I can get evidence that helps me answer questions like: Does the organization have enough resources? Do they have the right team? Are resources being used well? Is productivity OK? Are support structures OK?
More than asking direct questions, an auditor might be looking into evidence that supports the answers to the checklist questions.
The following material will provide you with information about terminology:
Answer:
The product safety requirement in clause 8.1.3 asks for controls on product safety, but it is based on assessing the risks posed by the product through its life cycle. For instance, if your product includes a battery that could induce a shock on someone installing or using it, then what control processes do you need to plan and implement (such as safety caps to avoid shock, instructions in a user manual, safety processes in your production, etc.)? If, however, you assess that there are no safety concerns for your product (such as a simple machining), then your assessment of the hazards would show no risks to be managed, and you can state this. This is why the requirement is stated “as appropriate to the organization and the product”.
In clause 8.5.1.3 on production process verification, the requirement simply states that you need to perform any activities necessary to ensure that the processes you are using are able to give you products that meet customer and legal requirements. The note is just there to give you some ideas on how this can be done (notes are never requirements), such as capability studies or capacity studies, but these are not required by AS9100 Rev D if they are not applicable to your processes or required by customers.