Search results

  • Transfers between EEA and Canada


    Answer:

    Transfers to Canada do not require any specific safeguards since Canada has been issued an adequacy decision by the European Commission.
  • Signing a consent


    Answer:

    If you are marketing to individuals you need their consent, which needs to be a freely given, specific, informed and unambiguous indication of the individual’s wishes. This means, among other things, that you need “opt in” consent.

    To find out more about consent check out our webinar “How GDPR Affects Marketing Practices” https://advisera.com/eugdpracademy/webinar/how-gdpr-affects-marketing-practices-free-webinar-on-demand/
  • Initial environmental review

    An initial environmental review (IER) is a non-mandatory preliminary review of the environmental programs and systems that already exist in your company. This review can be carried out through interviews with the relevant people in your organization, such as managers and other staff who have direct knowledge of as many relevant functions within the company as possible.
    The initial environmental review should include, at least:
    - Environmental legal and regulatory requirements
    - Items / areas identified as having an environmental impact
    - Environmental performance criteria
    - Feedback from previous experience
    - Opportunities for improvement, not only internal but also external (for example, contractors)
    When creating your checklist, you may want to use some relevant sources of information, such as environmental organizations, community groups, suppliers and vendors, government agencies, databases, etc. In addition, in the initial environmental review you may consider comparing your practices or performance with those of other organizations.
    These materials can help you learn more about ISO 14001 implementation:
    - Book - The ISO 14001:2015 Companion: https://advisera.com/books/the-iso-14001-2015-companion/
    - ISO 9001:2015 Foundations Course: https://advisera.com/training/es/course/curso-fundamentos-iso-14001/
  • Responsibilities in the ISMS of a small company


    Answer: Yes, indeed all responsibilities could fall on a single person, who could be the security officer (or CISO in English). The only role this person should not cover is that of the internal auditor.

    You may find this article interesting: "What is the job of Chief Information Security Officer (CISO) in ISO 27001?” : https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/

    And also this one: “How to document roles and responsibilities according to ISO 27001” https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
  • Filling the GDPR templates

    2) In the field written by and approved by, can it be the same person?
    3) The field [function] can be my company or person in my company or another person of another company?
    4) Law or national rules concerning the implementation of the GDPR, other local laws and regulations and IT Security policies (What should I enter?)

    Answers:

    1. This is entirely up to you; there is no such mention in the EU GDPR. However, consider that some documents in the toolkit are meant to be made publicly available, such as the privacy notices.
    2. Not really; usually, based on the segregation of duties, documents should not be approved by the same person that drafted the document in the first place. But again, this is not something that you will find in the EU GDPR.
    3. [function] refers to the position which is in charge within your own company.
    4. This is something that you should figure out by yourself and consult with a local lawyer or legal adviser, since this refers to local law and this is different from one jurisdiction to another.

    To learn more about the EU GDPR check out our “EU GDPR Foundation Course” https://advisera.com/training/eu-gdpr-foundations-course//
  • What is needed to prepare certification audit


    Answer:

    When you wrote “Already we had ISO 9001:2008”, do you mean your college is certified according to ISO 9001:2008? If the answer is yes, my advice is to contact your Certification Body and ask this question. If the answer is no, your college will have to contact several certification bodies and request proposals; at the same time you can ask this question.
    Normally, certification bodies ask for the number of employees, working schedules, number of locations and certification scope, and request a quality manual or any set of documents that describe the quality policy, the process map, quality objectives and relevant documents.

    The following material will provide you information about the certification process:

    - ISO 9001 – How do you prove to the certification auditor that QMS processes are carried out as planned? - https://advisera.com/9001academy/blog/2016/12/13/how-do-you-prove-to-the-certification-auditor-that-qms-processes-are-carried-out-as-planned/
    - How should you pick an ISO 9001 certification body? - https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Privacy policy of the website owner

    My scenario is the following: Clients of the website give their data to the owner of the website. I do the maintenance and the total management of the server where the website is (therefore I could have access to the data of the clients of the owner of the website). I rent servers from a hosting company (this company could access the data of those customers too).

    Answer:

    From your description it looks like you are acting as a data processor on behalf of the website owner, which is the data controller. This means that the data controller would need to mention in its website Privacy Notice that personal data of the visitor may be transferred to third parties (it is not necessary to mention by name which are those third parties).

    To learn more about privacy notices check out our webinar “Privacy Notices Under the EU GDPR” (https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/)
  • Project implementation report


    Answer:

    There is no specific template for a project implementation report; this is something that depends on the way that a company decides to proceed with the implementation. In a nutshell, this report should be presented to the management as proof that the project is either ongoing or has come to an end, providing as well some details of the measures that were taken and of those responsible.

    As for the date, I would advise against backdating any documents; this may be considered an offence in some countries.

    To learn more about the EU GDPR check out our “EU GDPR Foundation Course” (https://advisera.com/training/eu-gdpr-foundations-course//).
  • GDPR Compliance


    Answer:

    Based on your description you are acting as a data processor and you may be processing personal data on behalf of controllers in the EU. You should be acting upon the instructions of the controllers, so my suggestion is to ensure that you can comply with the instructions provided by controllers which are established in the EU.

    To learn more about the EU GDPR check out our “EU GDPR Foundation Course” (https://advisera.com/training/eu-gdpr-foundations-course//).
  • Toolkit templates


    1. Business Continuity Plan with Roles and Responsibility of BCP manager.
    2. Software Change Management policy and process { including Change Advisory Body (CAB) management process}
    3. Supplier Performance Evaluation process and Evaluation form

    It will be highly appreciated if you kindly provide me the templates.

    Answer: Just to note that to be compliant with ISO 27001 requirements the Business Continuity Plan, Software Change Management process and the Supplier Performance Evaluation process and Evaluation form are not mandatory; however, if you decide to write those documents, they are already included in your toolkit:
    - to cover all ISO 27001 requirements for business continuity you can use the Disaster Recovery Plan, located in folder 08 Annex A A.17 Business Continuity
    - to cover the Software Change Management policy, you can use as template the Change Management Policy, located in folder 08 Annex A A.12 Operations security.
    - to cover the evaluation process you can use the Supplier Security Policy, located in folder 08 Annex A A.15 Supplier relationships

    If you need them for other reasons (e.g., to comply with a legal requirement), I suggest you schedule a meeting with one of our experts so he can guide you through this elaboration process. To schedule a meeting, please access this link: https://advisera.com/27001academy/consultation/