Search results


  • Additional evidences of competence


    Answer:

    The standard does not prescribe what kind of evidence of competence the organization will provide; it can be training records, diplomas, certificates, CVs, and any other record that demonstrates that the employee is competent to perform a certain activity.

    The only novelty in the new standard is that the organization will need to provide documented evidence of the trainer's competency to perform internal audit training, but other than that there are no changes in requirements for competency.

    For more information, see: How to ensure competence of your employees according to IATF 16949 https://advisera.com/16949academy/blog/2017/10/04/how-to-ensure-competence-of-your-employees-according-to-iatf-16949/
  • Training internal auditors


    Answer:

    The shorter answer is NO! Your internal audit team members do not have to be "trained/certified" by an external registrar for the 2015 edition; your organization can simply perform your own internal training program to communicate the changes in the new standard. Remember, it is your organization that has the authority to define the competence requirements to be an internal auditor in your organization.

    The following material will provide you information about internal auditor competence:

    - Check this article about ISO 14001, but applicable to ISO 9001 – What competences should an ISO 14001 internal auditor have? - https://advisera.com/14001academy/blog/2016/07/04/what-competences-should-an-iso-14001-internal-auditor-have/
    - free online training - ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - free online training - ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Process modeling


    Answer:

    If you see my book “Discover ISO 9001:2015 Through Practical Examples” (see link below) and click on the left “Click to Look Inside” you can see how to model an organization using the process approach and then, how to map each process with simple techniques.

    The following material will provide you information about the process approach:

    - ISO 9001 – ISO 9001: The importance of the process approach - https://advisera.com/9001academy/blog/2015/12/01/iso-9001-the-importance-of-the-process-approach/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Context and ISO 14001


    Answer:

    Independently of the economic sector, I use the PESTEL framework as a basis. Having the environment in mind, challenge your team to think about whether there are actual or foreseeable relevant issues about:

    Politics;
    Economic;
    Social;
    Technology;
    Environmental;
    Legislation.

    For example, imagine the future impact of cars without drivers: cars will be less prone to accidents. Will car makers use less steel? Will car makers use plastic composites instead of metal? Less demand for steel? Less mining activity? Smaller steel manufacturing plants?

    The following material will provide you information about context determination:

    - ISO 14001 – Determining the context of the organization in ISO 14001 - https://advisera.com/14001academy/knowledgebase/determining-the-context-of-the-organization-in-iso-14001/
    - List of ISO 14001 implementation steps - https://advisera.com/14001academy/knowledgebase/list-of-iso-14001-implementation-steps/
    - free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • Privacy Notices Under the EU GDPR

    For the case you mentioned, I would suggest putting the Privacy Notice on your website and communicating it to the European customer together with the first communication (email, telephone) you initiate with them.
  • Applicability of GDPR on business secret data


    Answer:

    The EU GDPR protects the rights and freedoms of individuals with regard to their personal data. The EU GDPR defines personal data as “any information relating to an identified or identifiable natural person” (art. 4 – “Definitions”, https://advisera.com/gdpr/definitions/).

    So your patent information or copyright information does not fall under the EU GDPR unless it contains personal data of individuals, which is highly unlikely.
  • ISO 14001 and stakeholders


    Answer:

    Your organization can consider, for example:
    * its neighborhood as a relevant environmental stakeholder. Then, your environmental management system, according to ISO 14001:2015, should consider their relevant expectations about the environment like environmental noise and work to reduce it;

    * its customers as a relevant environmental stakeholder. Then, your environmental management system, according to ISO 14001:2015, should consider their relevant expectations about the environment like easy recyclability and work to improve it.

    The following material will provide you information about environment and stakeholders:

    - ISO 14001 – How to determine interested parties according to ISO 14001:2015 - https://advisera.com/14001academy/knowledgebase/how-to-determine-interested-parties-according-to-iso-140012015/
    - free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • ISMS implementation approaches

    The company is a start-up company, with no processes in place yet. This company got a long-term project to deliver a system (IT infrastructure and application system).
    They will operate & maintain this system after the completion of delivering the project. In the contract, they are required to get certifications for 27001, 22301 and 20000 after it is in operation - at year 4 or 5.
    Certifications for the system in operation & the operation and maintenance of the system. The company is just about to start the design stage - there are no assets or processes in place yet.
    At the end of the design stage, we are required to deliver a Security Policy & System Security Plan and Risk Treatment Plan (a sign-off of residual risk).
    Here the risk assessment is to get the security requirements, besides the user requirements, technical requirements, business requirements and contractual & best practices. From here, we get a security design to be implemented for the system.
    There are 2 schools of thought:
    1. Implementation of the ISMS should only start after the design stage is completed (this is where all is being firmed up - technology solutions (IT assets), locations of DC and DR firmed up, application system design completed, etc.). Suggest to do ISMS scoping, detailed risk assessments, all required steps of ISMS implementation. (ISMS implementation and certification is a journey after design starts.)
    2. ISMS implementation starts now: the scoping, risk assessment and all the ISMS implementation steps start now. Issue here - risks to project delivery, scoping is based on assumptions, ISMS risk assessment within the context of the scope is quite difficult (IT assets not firmed up, systems not ready for risk assessment, system design not firmed up yet).

    Please advise on the best approach - because the ISMS certification objective is the secure operation of the system that the company operates and maintains.
    The secure system deliverable is done by implementing all the controls in 27001, NIST, CIS Guidelines, STIG Guidelines. The project can be delivered with implementing the ISMS from the start, but only starting after the design is completed and signed off.

    Answer: I understand that you can adopt a mixed approach. The design stage is one of the most important steps of a system development (it can save you a lot of time, effort and money by avoiding development errors and rework), so applying ISMS practices at this stage should be considered, but you do not need to implement the ISMS in all your intended scope (the operation and maintenance processes), only for the project activities.

    With this approach you can gather the benefits of information security management system practices for your project, while you gain experience to expand the ISMS to your intended scope. It is also important to note that you do not need to go for the certification at the beginning. You can just implement the practices and do this later on.

    These articles will provide you further explanation about ISO 27001 in projects:
    - How to manage security in project management according to ISO 27001 A.6.1.5 https://advisera.com/27001academy/what-is-iso-27001/
    - How to set security requirements and test systems according to ISO 27001 https://advisera.com/27001academy/blog/2016/01/11/how-to-set-security-requirements-and-test-systems-according-to-iso-27001/

    These materials will also help you regarding ISO 27001 in projects:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • ISO 27001 and other security frameworks

    .07 Adequate data protection safeguard. Pursuant to §301.7216-3(b)(4), a tax return preparer located within the United States, including any territory or possession of the United States, may disclose a taxpayer’s SSN to a tax return preparer located outside of the United States or any territory or possession of the United States with the taxpayer’s consent only when both the tax return preparer located within the United States and the tax return preparer located outside of the United States maintain an adequate data protection safeguard at the time the taxpayer’s consent is obtained and when making the disclosure. An adequate data protection safeguard is a management-approved and implemented security program, policy, and practice that includes administrative, technical, and physical safeguards to protect tax return information from misuse, unauthorized access, or disclosure and that meets or conforms to one of the following privacy or data security frameworks:
    (1) The United States Department of Commerce “safe harbor” framework for data protection (or a successor program); (2) A foreign law data protection safeguard that includes a security component (e.g., the European Commission’s Directive on Data Protection); (3) A framework that complies with the requirements of a financial or similar industry-specific standard that is generally accepted as best practices for technology and security related to that industry (e.g., the BITS, Financial Services Roundtable, Financial Institution Shared Assessment Program); (4) The requirements of the AICPA/CICA Privacy Framework; (5) The requirements of the most recent version of IRS Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies and Entities; or
    (6) Any other data security framework that provides the same level of privacy protection as

    Answer: ISO 27001 is a general framework for managing information security, with a set of controls that can be applied according to an organization's context and requirements, while the frameworks you mentioned are specific to defined situations, so you can consider that these frameworks can be implemented, operated, managed and improved with the help of ISO 27001, but 27001 is not equivalent to any of these frameworks (it can only help manage them, but cannot replace them).

    This article will provide you further explanation about ISO 27001:
    - What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/

    These materials will also help you regarding ISO 27001:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • The EU GDPR toolkit structure

    What I miss in the forms bundle are perhaps more marketing-related: cookie consent, policy samples with different data retention (it seems cloud services will offer different plans for retaining data, for example Google Analytics https://support.google.com/analytics/answer/7667196?hl=en ) and perhaps some samples for giveaways or prize games. In short: marketing forms for web portals. Perhaps at an additional charge.
    E-news consent goes well with the general consent form, but other services are more unpredictable, because they include a lot of different cloud services.

    Answer:

    Regarding the structure of the EU GDPR Implementation Toolkit, the documents within are meant to be cross-industry and are not tailor-made for digital marketing companies or any particular industry. However, regarding the cookie consent, this is no different from regular consent (which you can find in folder 4 of our EU GDPR Documentation Toolkit); it is just a matter of adapting the wording a little bit. As for the data retention, there is a Data Retention Policy and a Retention Schedule in folder 2 of the EU GDPR Documentation Toolkit.

    If you want to receive dedicated privacy services you can contact directly one of our privacy consultants and schedule a meeting to discuss further with them your needs. You can schedule a meeting here: https://advisera.com/eugdpracademy/free-consultation/