  • Transition to ISO 14001:2015 (1)


    Answer:

    Below you can find links that will show you a more exhaustive comparison. In a shorter version, I would say:

    Look for section 4 – the context, the issues and the interested parties – that is new stuff.
    Look for section 5 – new requirements for top management
    Look for section 6 – risks associated with threats and opportunities, compliance obligations and more detail required about planning to meet environmental objectives
    Look for section 7 – more detailed requirements about communication
    Look for section 8 - more detailed requirements about operational control
    Look for section 9 - more detailed requirements about compliance evaluation and more inputs to management review

    The following material will provide you information about ISO 14001 transition:

    - ISO 14001 – How to avoid nonconformities during the ISO 14001:2015 transition - https://advisera.com/14001academy/blog/2015/10/26/how-to-avoid-nonconformities-during-the-iso-140012015-transition/
    - 12 steps to make the transition from ISO 14001:2004 to 2015 revision - https://advisera.com/14001academy/blog/2015/09/28/12-steps-to-make-the-transition-from-iso-140012004-to-2015-revision/
    - ISO 14001:2015 transition Checklist - https://info.advisera.com/14001academy/free-download/iso-140012015-transition-checklist
    - Infographic: ISO 14001:2015 vs. 2004 revision – What has changed? - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/infographic-iso-140012015-vs-2004-revision-what-has-changed/
    - free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • 3rd Party Contractors


    Answer:

    If the freelancers are using your company's equipment and infrastructure and they are bound by the same privacy policies and procedures, they should be treated just as a regular employee and not as a third party.
  • Childcare registers being GDPR compliant


    Answer:

    Your question is quite broad and it is difficult to provide a detailed answer. In any organization, employees' access to personal data should be based on the need-to-know principle. Thus, the data on a person's health will be accessible only to the staff who need this information to carry out their tasks.

    Referring to the parents (or legal guardians), they must have access only to the information they have provided about themselves and their children. Under no circumstances should information about the health of other children be provided to other parents through your organization.

    To learn more about the EU GDPR check out our free “EU GDPR Foundations Course” (https://advisera.com/training/eu-gdpr-foundations-course// ).
  • ISMS scope for cloud environment


    Answer: When an organization provides SaaS, it is important to identify which elements it has direct control over, because these are the elements that will be part of the ISMS scope.

    For example, if your organization owns the datacenter that hosts your SaaS, then the physical environment, hardware, and software (e.g., virtual servers, operational systems and applications) must be included in the ISMS scope. On the other hand, if your SaaS is hosted on an outsourced datacenter provider, the most probable situation is that you only have to include the application you provide to your customers in the ISMS scope (the other elements will be handled by means of controls related to supplier relationship management). In the case of an outsourced datacenter provider, for a precise answer you must verify the service agreement established with the provider.

    This article will provide you further explanation about defining a scope considering cloud models:
    - Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
    Regarding the software development process performed by your organization, and assuming it is unrelated to the SaaS provided, it may be included normally as part of the scope. An example of text would be:

    "The ISMS scope is defined by the information related to the organization's software development processes and the information related to the service XXX, provided as SaaS by the organization to its clients."
  • Recovering an ISMS project


    My company was certified to ISO 27001. But because of a bad implementation by my predecessors (the previous InfoSec team), with an ISMS not in line with IT teams and other business departments, top management has stopped the certification process. Now, I'm struggling to put InfoSec in a good position in the organization and I need to relaunch security awareness from scratch. I hope that one day I will be able to push again for an ISO 27001 certification.

    I should write a post about it. Because definitely a bad ISO 27001 certification project, totally outsourced, with the sole objective of obtaining a marketing advantage, can be a real waste and be really counterproductive for infosec teams.

    If you have any ideas for restarting an ISMS project from this kind of situation, I will be grateful.

    Answer: To restart an ISMS project after such problems, you should focus on solving the problems the affected areas are currently undergoing (e.g., low performance on KPIs, unplanned downtime, rework, non-compliance fines, missed deadlines, etc.), by means of quick implementation of controls based on solid risk assessments (and less focus on the other elements of the management system).

    It may seem odd to start like this, but the point is to try to regain top management commitment and people's trust in information security (few but effective controls will help you with that), and only after achieving that should you try to demonstrate that in the long run the gains can only be maintained with the help of the other elements of the management system (e.g., internal audit, management review).

    This article will provide you further explanation about ISO 27001 benefits:
    - Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
    - Top management perspective of information security implementation https://advisera.com/27001academy/blog/2012/12/04/top-management-perspective-of-information-security-implementation/
    - 4 crucial techniques for convincing your top management about ISO 27001 implementation https://advisera.com/27001academy/blog/2016/09/12/4-crucial-techniques-for-convincing-your-top-management-about-iso27001-implementation/
  • Operations' risks in the chemical industry


    I have some experience of working in the chemical industry. I believe that there is a large spectrum of potential operations' risks as a function of materials used, reactions involved and scale. I worked for a chemical company producing a commodity with a raw material that was both explosive in contact with oxygen and carcinogenic.

    If I had to remember the operations' risks, I would start by making a process flowchart: raw materials must be stored, conveyed, reacted, products stored, byproducts treated.

    Operations can be on:

    Normal situation;
    Startup situation;
    Termination situation;
    Abnormal situation;
    Emergency situation.

    Operations risk can be:

    Power failure – loss of control of reaction
    Power failure – loss of control of storage temperature
    Power failure – loss of mixing of suspended solids stored
    Loss of control of the chemical reaction
    Pressure buildup
    Piping leaks
    Corrosion
    Heat exchanger fouling
    Raw materials contaminated
    Finished product contaminated due to wrong cleaning procedures of both reactor and piping

    The following material will provide you information about the risk-based approach:

    - ISO 9001 – How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    - Risk-based thinking replacing preventive action in ISO 9001:2015 – The benefits - https://advisera.com/9001academy/knowledgebase/risk-based-thinking-replacing-preventive-action-in-iso-90012015-the-benefits/
    - ISO 9001:2015 Risk Management Toolkit - https://advisera.com/9001academy/iso-90012015-risk-management-toolkit/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Privacy notice/ Privacy policy

    2. If there are check boxes near Privacy notice and policy then will it be okay just to tick these boxes and no other actions are required?
    3. I also have a question regarding contract and consent. Is it possible to provide all purposes (marketing etc) inside the contract to avoid additional consents?
    4. Do the contract and consent have to be present in written form, or is it possible to have them online so clients can fill in their personal info and tick the check box, for example, to send it to us?

    Answers:

    1. The Privacy Notice is a document that is meant to be provided to the data subjects either at the time of collecting the personal data, if you collect the data directly from the data subject (art. 13 - Information to be provided where personal data are collected from the data subject - https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-are-collected-from-the-data-subject/), or at a later time when the data is collected indirectly from another source (art. 14 - Information to be provided where personal data have not been obtained from the data subject - https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-have-not-been-obtained-from-the-data-subject/).
    The Privacy Policy is an internal document of the Company which states what the Company is going to do in order to comply with the EU GDPR.

    To find out more about privacy notices check out our webinar “Privacy Notices under the EU GDPR” (https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/).

    2. There should not be any tick boxes in a privacy notice.
    3. According to the provisions of the EU GDPR, the consent needs to be a freely given, specific, informed and unambiguous indication of the individual's wishes. This also means that if the relevant processing has multiple purposes, consent must be given for all of them.
    4. The consent does not necessarily need to be in written form; you could also use the online environment. Just make sure that an affirmative action from the data subject is required and that you can prove who the individual giving the consent is. To learn more about consent, check out our webinar “How to handle consents under GDPR” (https://advisera.com/eugdpracademy/webinar/how-to-handle-consents-under-gdpr-free-webinar-on-demand/).
  • Supplier Data processing Agreement

    2. Transborder data controller - before we send any data outside the EU, we should have a contract between the customer and us. Does the toolkit have some sample contracts for that issue?

    Answers:

    1. The document you are referring to can be found in section “7. Third party compliance” of our EU GDPR Documentation Toolkit under the name of “Supplier Data processing Agreement”.
    2. The documents you are looking for can be found in section “5. Personal Data Transfers” of our EU GDPR Documentation Toolkit.
  • Data Portability


    Answer:

    You need to provide the data subject with a copy of the information you have about them, basically copies of the documents where their personal data is mentioned.

    Regarding ex-employees, this needs to be assessed because the emails might be subject to copyright or contain copyright-protected information as well as personal data of other individuals, and in this case this data needs to be removed.

    If you want to get more guidance about data subjects' rights, check out our webinar “Data Subject Rights under the EU GDPR” (https://advisera.com/eugdpracademy/webinar/data-subject-rights-under-the-eu-gdpr-free-webinar-on-demand/).
  • The treatment register


    Answer:

    If you are collecting/processing data on your website, you would need a Privacy Notice to inform the users as required by EU GDPR art. 13 – “Information to be provided where personal data are collected from the data subject” (https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-are-collected-from-the-data-subject/). The information about cookies needs to be provided as per the requirements of the ePrivacy Directive. As for the “treatment register”, I am not sure what you mean by that.

    To find out more about privacy notices, check out our webinar “Privacy Notices Under the EU GDPR” (https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/).