However, what is the purpose of conducting a management review and internal audit as part of the initial project when in theory there is nothing yet to review or audit?
Answer: A BCMS project implementation involves running at least one complete cycle of the management system, which includes the internal audit and management review activities. Without these activities the project cannot ensure the BCMS is properly implemented, operated and improved.
Regarding issues to be audited, these are some examples:
- Results of Business Continuity Plans tests
- Records of operation of implemented controls
- Level of awareness and competency of personnel
As for inputs for management review, besides the results of internal audits, another example is feedback from interested parties.
Answer: ISO 9001 and ISO 27001 have a lot of requirements in common, so you can either change your profile from ISO 27001 auditor to ISO 9001 auditor or accumulate both profiles.
To acquire the competencies for ISO 9001 auditor you should attend an auditor course, to learn about ISO 9001 requirements and how these requirements must be covered by audit techniques and methodologies. After that you should seek opportunities to be part of an ISO 9001 audit process to practice.
Answer: Internal parties are those under the responsibility of the organization to which the ISMS belongs. Examples are employees and contractors working on behalf of the organization.
External parties are those outside the control of the organization but that interact with it (e.g., customers, stakeholders, providers, etc.) or that can affect the ISMS (e.g., government, regulators, etc.).
Answer: Clauses 4.2.1 and 4.2.2 are from ISO 22301, and the two questions identified for clause 4.2 on the ISO 22301 audit checklist cover the points that must be fulfilled to be compliant with this section, namely:
- identification of interested parties relevant to the BCMS
- documentation of interested parties relevant to the BCMS and their requirements
So the way these questions are formulated does not affect the standard's implementation.
2- Also, later in the table, there are parts whose names begin with the letter A (for example A.5.1.1) - can you please explain to me what this is about?
Answer: The questions identified by the letter A at the beginning refer to the controls from ISO 27001 Annex A, and they are applicable only if you implemented ISO 27001.
For better understanding of our templates I recommend you to read the comments included on them, because they can provide guidance on issues like this.
Managing EAIA
Answer:
First you have to make an environmental assessment to determine the environmental aspects of your organization. I use flowcharts, visit facilities, speak with workers, and request figures from the purchasing and accounting departments in order to get a list of how an organization interacts with the environment. Then, I determine the environmental impacts. To determine which are significative or not, I look for environmental legislation and whenever an organization does not comply, we have a significative environmental aspect and impact. For all aspects, independently of legislation, I perform an evaluation very similar to your “Quantity, Occurrence, Impact, Detection and Control”. I designed a scale of measurement for each topic. For example:
Occurrence
1 point – Can occur but never occurred before
2 points – Occurs less than one time per year
3 points – Occurs more than one time per year
4 points – Occurs every month
5 points – Occurs whenever the activity is performed
For each parameter I determine the measure to apply. Then I calculate a general level of significance (GLS) like:
GLS = Quantity x Occurrence x Impact x Detection x Control
And I set a number above which all GLS are considered significative. If an aspect is legislated and there is no compliance, there is no need for calculations, it is automatically significative.
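The scoring procedure described above, carried through in code as an added illustration (this is not the poster's own tooling): each parameter is scored on a 1-5 scale, the five scores are multiplied into the GLS, an aspect is significant when its GLS exceeds the chosen threshold, and a legislated aspect the organisation does not comply with is significant regardless of its score. The parameter names, the sample aspects, their scores and the threshold of 200 are constructed assumptions for the demo.

```python
"""GLS significance scoring for environmental aspects.

Added example; the scales, aspects and threshold below are constructed.
"""
from dataclasses import dataclass

# The five parameters multiplied together, in the order the answer lists them.
PARAMETERS = ("quantity", "occurrence", "impact", "detection", "control")

# The poster's five-level occurrence scale, as a lookup from a label to points.
OCCURRENCE_SCALE = {
    "never_occurred": 1,        # can occur but never occurred before
    "less_than_yearly": 2,      # occurs less than once per year
    "more_than_yearly": 3,      # occurs more than once per year
    "monthly": 4,               # occurs every month
    "every_time": 5,            # occurs whenever the activity is performed
}


@dataclass
class Aspect:
    name: str
    scores: dict        # parameter name -> integer score in 1..5
    legislated: bool    # is the aspect covered by environmental legislation?
    compliant: bool     # does the organisation comply with that legislation?


def gls(scores):
    """General level of significance: product of the five parameter scores.

    Rejects a missing parameter or a score outside the 1..5 scale so that a
    typo in an assessment sheet cannot silently shrink or inflate the result.
    """
    total = 1
    for param in PARAMETERS:
        score = scores[param]
        if not isinstance(score, int) or not 1 <= score <= 5:
            raise ValueError(f"{param} score {score!r} is outside the 1..5 scale")
        total *= score
    return total


def is_significant(aspect, threshold):
    """Legal non-compliance is automatically significant; otherwise compare GLS."""
    if aspect.legislated and not aspect.compliant:
        return True
    return gls(aspect.scores) > threshold


def assess(aspects, threshold):
    """Return {aspect name: significant?} for a list of aspects."""
    return {a.name: is_significant(a, threshold) for a in aspects}


# Constructed sample aspects (hypothetical, for the demo only).
SAMPLE_ASPECTS = [
    Aspect("cooling water discharge",
           {"quantity": 4, "occurrence": OCCURRENCE_SCALE["every_time"],
            "impact": 3, "detection": 2, "control": 2},
           legislated=True, compliant=True),      # GLS 240 -> above threshold
    Aspect("waste oil from standby generator",
           {"quantity": 1, "occurrence": OCCURRENCE_SCALE["less_than_yearly"],
            "impact": 4, "detection": 2, "control": 3},
           legislated=True, compliant=False),     # GLS 48, but non-compliant
    Aspect("office paper use",
           {"quantity": 2, "occurrence": OCCURRENCE_SCALE["every_time"],
            "impact": 1, "detection": 1, "control": 1},
           legislated=False, compliant=True),     # GLS 10 -> not significant
]

THRESHOLD = 200   # constructed cut-off; GLS strictly above it is significant


if __name__ == "__main__":
    for aspect in SAMPLE_ASPECTS:
        print(f"{aspect.name}: GLS={gls(aspect.scores)} "
              f"significant={is_significant(aspect, THRESHOLD)}")
```

The legal override is checked before the product is computed, matching the answer's point that a non-compliant legislated aspect needs no calculation; the validation in `gls` is the one addition worth keeping in a real assessment sheet, since a single mis-typed score changes the product by a large factor.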
The following material will provide you information about assessment of environmental interactions:
My understanding is that we are arriving at the objectives and targets and then we are making a pgm for that.
The question is: should the pgm arrived at have the same subject as the objectives?
That means the pgm is an extension of the objectives and target with the detailed plan. Is it right?
OR can the pgm be different from the objectives selected?
Answer:
First of all, ISO 14001:2015 no longer mentions the word program associated with objectives and targets. That does not mean that an organization is prevented from using it.
1. An organization establishes its environmental objectives and targets (clause 6.2.1 of ISO 14001:2015);
2. An organization establishes one or more projects for each objective in order to meet the target at due date and within budget of resources (clause 6.2.2 of ISO 14001:2015);
3. Program is no longer mentioned in ISO 14001:2015 but still can be used as a set of projects coordinated with each other and that aim at a common objective.
For example:
Objective 1 - Reduce water consumption
Target 1 – by 8% until the end of 2018
Project 1.1 – Reduce water consumption in the manufacturing process
Project 1.2 - Reduce water consumption in the gardening
Project 1.3 – Reduce water consumption at the canteen
Managing Program means coordinating Projects 1.1; 1.2 and 1.3 in order to meet the target.
The following material will provide you information about objectives, targets and programs:
Procedure/form for the return of data to a controller
Answer:
No, there is not. Controllers and processors need to commonly establish a formal way of doing that depending on the types and categories of data that are being returned.
The mere accessibility of your website by individuals in the Union or use of the languages of one of the Member States in the Union (if the same as the language of your home state) should not by itself make you subject to the EU GDPR. However, the following factors are a strong indication that you are offering goods or services to individuals in the Union and so are subject to the EU GDPR:
- Language - You are using the language of a Member State and that language is not relevant to customers in your home state (e.g. the use of Hungarian by a US website).
- Currency - You are using the currency of a Member State, and that currency is not generally used in your home state (e.g. showing prices in Euros).
- Domain name - Your website has a top level domain name of a Member State (e.g. use of the .de top level domain).
- Delivery to the Union - You will deliver your physical goods to a Member State (e.g. sending products to a postal address in Spain).
- Reference to citizens - You use references to individuals in a Member State to promote your goods and services (e.g. if your website talks about Swedish customers who use your products).
- Customer base - You have a large proportion of customers based in the Union.
- Targeted advertising - You are targeting advertising at individuals in a Member State (e.g. paying for adverts in a newspaper).
Supervisory Authorities
- Reported Data Breach
- Assistance when DPIA outcome flags a high risk
Basically, how can the ICO (in the UK) help in case of a data breach (e.g. ransomware), or what is the ICO's approach to assisting in DPIAs that have been flagged as high risk?
Answer:
In case of a data breach it is highly unlikely that the SA will help you with anything, since it is not their job to do so. Most likely they will assess whether your security measures were appropriate and, if not, they may decide to issue a fine.
As regards DPIAs, if a DPIA carried out by a controller indicates that an envisaged processing would result in a high risk in the absence of risk-mitigating measures taken by the controller, the controller shall consult the SA prior to the processing. Recital 94 seems to slightly soften this requirement by providing that a consultation might not be required if the controller is of the opinion that the identified risk can be mitigated by reasonable means in terms of available technologies and costs of implementation. If the SA considers that the processing in question would infringe the GDPR, the SA should respond to such requests within eight weeks. However, the eight-week period may be extended by six weeks in complex matters and may also be indefinitely suspended until the SA has obtained all information requested for the purposes of a consultation. Consequently, the consultation process may take considerably longer than the projected eight-week period. Further, Recital 94 clarifies that a lack of response from an SA within the defined period will not preclude an SA from exercising its powers, such as the power to prohibit processing operations. Hence, a lack of response to a consultation request does not confirm that an envisaged processing is GDPR-compliant, nor does it mean that SAs will not take action against such processing. This might lead to considerable uncertainties in practice.