It is impossible for me to provide you with a solution for being compliant with the requirements of your customers as regards the EU GDPR, since I am lacking information about the requirements and the whole setup.
My proposal is to start the EU GDPR implementation as soon as possible, and our EU GDPR Documentation Toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ will be a good starting point. You can find all the information about our Toolkit on our website - https://advisera.com/eugdpracademy/product-tour/.
We can also schedule a free meeting so we can better understand your needs and provide some tips on how to proceed further.
Data subject
Answer:
If the Indian citizens you refer to are working in the EU, the EU GDPR applies regardless of their citizenship or tax residence. So in this case it is the location where they work that matters.
However, since gaining this a few months ago we are now looking at expanding and opening up some additional rented office space in another location. I believe this may affect A.11 in the statement of applicability? I am wondering if I need to notify our certification body (if and when it happens) and we may have to update our SOA, or if we can wait until our next scheduled surveillance audit in 9 months' time?
Answer: This new office will indeed affect your ISMS, and maybe not only the controls of section A.11, and the best way to understand its impacts, and what must be adjusted in your SOA, is by performing a risk assessment considering how this new office will be related to the ISMS scope (e.g., this new office will be included in the scope, or it will be considered a new interface). For more information, please see this article:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
Regarding the certification body, you have to notify them as soon as possible about your intentions, so they can evaluate if changes should be performed in the surveillance audit schedule.
Context and interested parties
Answer:
Clause 4.1 is about considering the organization as an entity embedded in a reality that is much more than environmental aspects. For example, consider a natural leather shoes manufacturing company. See Annex A.4.1 a) of ISO 14001:2015:
Environmental conditions – natural leather comes from large herds of intensive livestock farming with strong environmental consequences, including emissions relevant to global warming and biodiversity. Liquid waste generation during leather production, solid waste generation during shoe production, exponential rise in transport needs, end-of-life disposal of used shoes.
See Annex A.4.1 b) of ISO 14001:2015:
External issues – the trend to use more and more materials other than leather, the trend for more and more restrictions on the use of chemicals in leather treatment, the exponentially rising need for home delivery, more and more consumers following trends like veganism.
See Annex A.4.1 c) of ISO 14001:2015:
Internal issues – the need to improve efficiency and reduce waste, old equipment with high energy consumption, the difficulty in hiring new workers, the trend for smaller and smaller orders and fast deliveries.
Instead of considering environmental aspects and impacts at a particular moment only, you can consider what the most likely evolution will be.
About interested parties (clause 4.2), organizations live in a network of relationships: customers, neighbors, suppliers, workers, customers' customers, regulators, … some with more or less power or influence over the organization, which can influence the environmental priorities of the organization. For example, strategic target consumers (customers' customers) can increasingly appreciate customization and buy online, something that will reduce efficiency and increase transportation needs. Neighbors can be against the increased frequency of transport vehicles.
The following material will provide you with information about context and interested parties:
Kindly guide me through the preparation process for the certification
Answer: Considering your background, I'd suggest you go for the ISO 27001 Lead Auditor certification. This certification recognizes people who have competency in auditing an ISMS against ISO 27001 requirements and qualifies them to start the process to become a certification auditor.
The first step for ISO 27001 Lead Auditor certification is to attend the ISO 27001 Lead Auditor course, which will present to you the general concepts of the ISO 27001 standard and the audit methodologies and techniques of the ISO 19011 standard. It is a 5-day course, after which you will take the exam.
Trust you're doing great. Your study material on advisera is very helpful, thank you.
However, I would like to ask if there are any modules on ISO 31000 Risk Management, or if you could help me with one thing: is it mandatory that we have vast experience in the job, i.e., can someone at mid or entry level not go for the ISO 31000 course?
Regarding ISO 31000 courses, generally they do not require previous job experience (you should verify the course content of your selected training provider to confirm that), but any level of previous experience will help you to take better advantage of the course.
RACI Matrix
Answer: As roles to include in your RACI matrix you should consider at least:
- Top management / Project Sponsor as Accountable for project decisions
- Project Manager as Responsible for the project overall execution
- Team member as Responsible for tasks / activities execution
- Unit Heads / Process Owners / Interested Parties as Consulted about risk identification and controls to be implemented
- Employees / Users as Informed about project milestones
As steps to be included, you should consider:
1) getting management buy-in for the project;
2) defining ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding organizational context and requirements of interested parties;
3) development of risk assessment and treatment methodology;
4) perform risk assessment and define risk treatment plan;
5) controls implementation (e.g., policies and procedures documentation, acquisitions, etc.);
6) people training and awareness;
7) controls operation;
8) performance monitoring and measurement;
9) perform internal audit;
10) perform management critical review; and
11) address nonconformities, corrective actions and opportunities for improvement.
1 - But my starting point for now is to check what they have according to ISO 27001. Sort of a gap analysis? Current situation. I am kind of in the "not knowing how to start this" phase.. I mean, do you make a list of all these clauses + Annex A and check if they have it documented etc.? Or is it more than that?
Answer: For a Gap Analysis you do not only evaluate if they have the requirements documented, but also if the processes and controls are generating the proper records. To help you with a gap analysis, I suggest you take a look at our Free ISO 27001 Gap Analysis Tool at this link: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/
2 - What about the maturity? Do I also have to measure the maturity? And how do you do that?
I hope you can give me some advice on how to start this because it is not quite clear to me.
Answer: ISO 27001 does not require performing maturity measurements, but it requires performance measurements, which can be used as parameters to evaluate maturity.
We have an internal audit procedure, which defines the auditor requirements, i.e. qualified, scope, criteria, plan, etc.
They said we need to audit them and document an audit report of the auditors, and we can even give them minor/major NCs.
Am I crazy?
Answer: ISO 27001 clause 9.2 (Internal audit) requires that an organization selects auditors and conducts audits that ensure objectivity and the impartiality of the audit process, and in the situation you mention it means the auditors cannot audit their own work. When you have more than one auditor, they can audit each other's work. In cases where you only have one auditor, the organization must consider hiring an external auditor specifically to audit clause 9.2.
Answer: There is no standard set of consequences if an ISO standard is not implemented in an organization, because these will depend on the applicable laws, contracts, regulations and business objectives, which will vary from organization to organization.
To help organizations understand this, ISO management standards require that organizations determine external and internal issues relevant to their purpose and that can affect their management system, including the needs and expectations of interested parties (clauses 4.1 and 4.2 of ISO management standards).
On the other hand, when talking about benefits of adopting ISO standards, they can be related to:
- Enhanced competitive edge
- Reduction in losses due to incidents and nonconformities
- Reduction in fines due to legal or contractual nonconformity
- Improvement of internal organization