Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11269 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
List of documents - ISO 20000
Answer:
List of documents in ISO 20000 Documentation toolkit contains column with reference to particular clause in the standard. In such way you can easily identify which document relates to particular standards' clause (or vice-versa). This is useful while implementing ISO 20000 as well as during the certification audit.
List of document can be downloaded here https://advisera.com/wp-content/uploads//sites/6/2015/07/List_of_documents_ISO_20000_Documentation_Toolkit_EN.pdf -
GDPR - processor to controller
Answer:
EU GDPR article 28 – “Processor” https://advisera.com/eugdpracademy/gdpr/processor/ requires controllers to “use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.” Thus, is the controller that needs to be sure that it uses processors that are complying with the EU GDPR requirements not the other way around.
In the EU GDPR Documentation Toolkit you can find in folder 7 a “Processor GDPR Compliance Questionnaire” which can be used as a benchmark in assessing a processor’s compliance with the EU GDPR. This document can be used also to further build up a methodology for auditing your most important processors. -
Retention Policy
Answer:
The retention policy in the toolkit is meant to refer only to records containing personal data and is consistent with the requirements of EU GDPR article 5.1.(e) – “Principles relating to processing of personal data” https://advisera.com/gdpr/principles-relating-to-processing-of-personal-data/ namely personal data cannot be kept for longer than is necessary for the purposes for which the personal data are processed.
The retention periods in the Inventory of processing activities is consistent with the requirements of EU GDPR article 30 – “Records of processing activities” https://advisera.com/eugdpracademy/gdpr/records-of-processing-activities/ My suggestion is to have the i nformation about retention periods in your Data Retention Policy ( Annex - Data Retention Schedule) since this policy will most likely be available to all employees as opposed to the Inventory of processing activity which is usually handled by the DPO or data protection responsible. -
Data Breach Register
Answer:
EU GDPR requires controllers to report personal data breaches “ without undue delay and, where feasible, not later than 72 hours after having become aware of it” to the Supervisory Authority if the breach is likely to result in a risk to the rights and freedoms of natural persons (Article 33 - Notification of a personal data breach to the supervisory authority https://advisera.com/eugdpracademy/gdpr/notification-of-a-personal-data-breach-to-the-supervisory-authority/
However if a breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay (Article 34 - Communication of a personal data breach to the data subject https://advisera.com/eugdpracademy/gdpr/communication-of-a-personal-data-breach-to-the-data-subject/
Controllers are not required to notify the data breach if the data breach is unlikely to result in a risk to the rights and freedoms of the data subjects.
So, is the controller that needs to assess the severity of the data breach and decide which action to take.
To find out more about how to asses the severity of personal data breaches you can consult our whitepaper “Assessing the severity of personal data breaches according to GDPR” https://info.advisera.com/eugdpracademy/free-download/assessing-the-severity-of-personal-data-breaches-according-to-gdpr -
DPO Module 5: Basic Rules for DSAR
Answer:
The provisions of Article 12 of the GDPR offers the answer to your question. According to paragraph 3 “The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.” https://advisera.com/eugdpracademy/gdpr/transparent-information-communication-and-modalities-for-the-exercise-of-the-rights-of-the-data-subject/
You can find out more about the DSARs form our webinar “Data Subject Rights under the EU GDPR” https://advisera.com/eugdpracademy/webinar/data-subject-rights-under-the-eu-gdpr-free-webinar-on-demand/ -
Cláusula 7.4 de comunicación
La organización debe determinar las comunicaciones internas y externas pertinentes al sistema de gestión de la calidad, que incluyan:
a) qué comunicar: información relevante para el SGC;
b) cuándo comunicar: la Información debe ser comunicada de manera oportuna;
c) a quién comunicar: a quién sea necesario para generar un resultado;
d) cómo comunicar: qué medio de transmisión es el adecuado;
e) quién comunica: quién tiene la responsabilidad de transmitir la información.
La información que es pertinente para el SGC y debe comunicarse es la siguiente :
- Información relevante para la conformidad de los requisitos.
- Información relacionada con el cliente y sus requisitos.
- Información sobre cambios de los requisitos.
- Información para la toma de decisiones.
- Información para el cumplimiento de objetivos.
- Información sobre riesgos y oportunidades.
Así mismo, hay que tener en cuenta que la comunicación puede ser tanto interna o externa (por ej. con los proveedores), formal o informal, o pueden ser comunicaciones obligatorias o meramente informativas.
Para más información, estos materiales pueden ser de utilidad:
- Artículo "Requisitos de comunicación según ISO 9001:2015": https://advisera.com/9001academy/blog/2016/11/01/communication-requirements-according-to-iso-9001-2015/
- Libro "Gestión de documentación ISO: una guía en un lenguaje sencillo":https://advisera.com/books/gestion-de-documentacion-iso-una-guia-en-un-lenguaje-sencillo/ -
Conocimientos de la organización
El término conocimiento de la organización se refiere al conocimiento necesario que el personal dentro de la organización posee para el funcionamiento de sus procesos y para lograr la conformidad de sus productos y/o servicios, no es el conocimiento que tengan de la organización en sí. Aunque la norma no requiere documentarlo, sin embargo, se recomienda que se establezca cómo mantener actualizado el conocimiento y cuál es el alcance del mismo.
Estos materiales pueden ser de utilidad:
- Artículo "Cómo gestionar el conocimiento de la organización según la ISO 9001" (disponible en inglés): https://advisera.com/9001academy/blog/2016/08/30/how-to-manage-knowledge-of-the-organization-according-to-the-iso9001/
- Libro "Preparación para la auditoria de certificación: una guía en un lenguaje sencillo": https://advisera.com/books/preparacion-para-la-auditoria-de-certificacion-iso-una-guia-en-un-lenguaje-sencillo/
- Curso Fundamentos de la ISO 9001:2015: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/ -
Service Desk - RACI matrix
Answer:
Service Desk's activities are (mainly) related ti Incident Management process. Incident Management has many activities in scope, so for all of the activities you can define RACI. Additionally, Service Desk in involved in Request Fulfillment process which is also full of activities that can be defined from RACI point of view.
Article "ITIL / ISO 20000 RACI matrix – How to use it to clarify responsibilities" https://advisera.com/20000academy/blog/2016/01/12/itil-iso-20000-raci-matrix-how-to-use-it-to-clarify-responsibilities/ can help you with RACI. Some other articles can help you to learn about Incident Management and Request Fulfillment activities:
"ITIL Incident Management" https://advisera.com/20000academy/knowledgebase/itil/-incident-management/
"ITIL Request Fulfillment: a quick win for customer satisfaction" https://advisera.com/20000academy/blog/2013/08/28/itil-request-fulfillment-quick-win-customer-satisfaction/ -
Auditing the audit function
Answer:
Yes, the internal audit function must be audited prior to certification. For example, does the organization keep records of the implementation of the audit program and its results? Does the organization keep records of the selection of auditors that show their ability to conduct audits in an objective and impartial manner?
Does records of audits carried out show treatment of nonconformities and timely development of effective corrective actions?
The following material will provide you information about internal audits:
- ISO 14001 – Internal Audits in the EMS: Five Main Steps - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/internal-audits-in-the-ems-five-main-steps/
- Creating an ISO 14001 internal audit plan - https://advisera.com/14001academy/blog/2017/01/16/creating-an-iso-14001-internal-audit-plan/
- free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
- book - THE ISO 14001:2015 COMPANION – A A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/ -
Procedure for A.18 Complaince
Answer: Our toolkits covers the section A.18, with the following documents:
- Procedure for Identification of Requirements (covers ISO/IEC 27001 clause 4.2 and control A.18.1.1)
- List of Legal, Regulatory, Contractual and Other Requirements (covers ISO/IEC 27001 clause 4.2 and control A.18.1.1)
- Acceptable Use Policy (covers control A.18.1.2,)
- Policy on the Use of Cryptographic Controls (cover control A.18.1.5)
You can find more information about which control is covered by each template in the list of documents file that is included in the toolkit. You can find a copy of this file in this link: https://advisera.com/wp-content/uploads//sites/5/2015/06/List_of_documents_ISO_27001_Documentation_Toolkit_EN.pdf
In this link you can have access to demos of these templates:
- https://advisera.com/27001academy/iso-27001-documentation-toolkit/