  • ISO 9001 and procurement

    Are there sample PowerPoint presentations to help communicate to teams on supplier evaluation with respect to ISO 9001?
  • Risk with a positive and negative impact


    Answer:

    ISO 9000:2015 defines risk as the effect of uncertainty. Then, in a note, it adds that an effect is a deviation from the expected, positive or negative. So, ISO 9000:2015 accepts the use of the general word risk for both negative and positive impact. Although when one uses the words risk and opportunity it is much easier to distinguish positive from negative effects, remember that many organizations use different methods to evaluate risks and opportunities. For example, many organizations use probability as a factor to evaluate risks, and others use effort as a factor to evaluate opportunities.

    The following material will provide you information about the risk-based approach:

    - ISO 9001 – How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    - Risk-based thinking replacing preventive action in ISO 9001:2015 – The benefits - https://advisera.com/9001academy/knowledgebase/risk-based-thinking-replacing-preventive-action-in-iso-90012015-the-benefits/
    - ISO 9001:2015 Risk Management Toolkit - https://advisera.com/9001academy/iso-90012015-risk-management-toolkit/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Boundary in ISO 9001 scope


    Answer:

    An organization does not need to apply its quality management system to all of its operations. For example, an organization can manufacture a line of products under its own brand and manufacture generic products for other brands as a subcontractor. The organization can decide to implement a QMS and only apply it to the part of the business where it works as a subcontractor and not to the part where it manufactures under its own brand. So the boundary would be, in that case, the work done as a subcontractor for other organizations.

    The following materials will provide you details about the scope of a management system:

    - ISO 9001 – How to define the scope of the QMS according to ISO 9001:2015 – https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/

    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/

    - book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Information security policy content


    Answer: According to ISO 27001, the Information Security Policy must include:
    - the information security objectives, or how the objectives are proposed, how they are approved, and how they are reviewed
    - a statement of top management about its commitment to fulfill the requirements of all interested parties, and to continually improve the ISMS

    There is no need to include specific controls in the Information Security Policy. If you need to describe details about the application of one or more controls you should consider writing them in a specific policy (e.g., Access control policy, backup policy, etc.).

    These articles will provide you further explanation about Information Security Policy:
    - What should you write in your Information Security Policy according to ISO 27001? https://advisera.com/27001academy/blog/2016/05/30/what-should-you-write-in-your-information-security-policy-according-to-iso-27001/
    - Information security policy – how detailed should it be? https://advisera.com/27001academy/blog/2010/05/26/information-security-policy-how-detailed-should-it-be/

    These materials will also help you regarding Information Security Policy:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Risk management according to ISO 27001, ISO 27005 and ISO 31000

    I want to prepare for an ISO 27001 certification and decide to use the ISO 27005 risk management methodology. What steps are mandatory, and what is optional?

    First, it is important to note that ISO 27005 is not a methodology, but a general framework for information security risk management.

    It differs from ISO 27001 in that ISO 27005 provides not only the steps of the risk management process (e.g., risk assessment, risk evaluation, risk treatment, etc.), but also options regarding how to perform each step (e.g., a qualitative or quantitative approach to risk assessment). A specific set of options for performing the steps would be a methodology, so from ISO 27005 you can develop several different methodologies to perform the same steps.

    Considering that, if by steps you mean the parts of the process, then all steps of ISO 27005 are required by ISO 27001. If by steps you refer to how to execute the process, you are free to choose, among the approaches provided by ISO 27005, the options that best suit you, because ISO 27001 does not prescribe how to perform them.

    Can I focus on asset impact instead of asset valuation when using ISO 27005 as the basis?

    Considering the previous answer, you can use asset impact instead of asset valuation when performing a risk assessment for ISO 27001 using the ISO 27005 framework.

  • Consent and Privacy notice

    1. “as a controller you must keep records so you can demonstrate that consent has been given by the relevant individual”: what does this mean exactly? A copy of the request by email for example, or of the completed subscription form?
    2. Second database (stakeholders mapping): “No consent is needed, you just need to provide them with a Privacy Notice”: does this mean that as soon as we gather professional data from an individual, this person has to be aware of it?
    3. Second database (stakeholders mapping): the processing doesn’t seem to respect the conditions you list at the very end, as there is no consent (and, if I understood correctly, no need for it). Can we understand “legitimate interests” as the necessary actions taken by an organisation to conduct its activities? If that is not the case, is it really possible to make a stakeholders mapping compliant with the GDPR?

    Answers:

    1. It can be the ones you mentioned, or it could be the activity logs if the consent was given in an online environment. There are various types of records you can keep, and these are closely linked with the channels you use to collect consent from the data subjects.

    2. If you are collecting the information directly from the data subject you need to provide the Privacy Notice when you collect the data. However, if you obtain the personal data from a third party (EU GDPR art. 14 – “Information to be provided where personal data have not been obtained from the data subject” - https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-have-not-been-obtained-from-the-data-subject/) you need to provide the Privacy Notice based on the following timeline:

    - within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;
    - if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or
    - if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

    You can find valuable information about Privacy Notices in our webinar “Privacy Notices Under the EU GDPR” - https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/

    3. If you want to rely on “legitimate interest” you would need to perform a Legitimate Interest Assessment, which is a basic assessment of the processing activity against the rights and freedoms of the data subjects concerned.
    Usually a Legitimate Interest Assessment is structured into three areas:
    - Purpose test: are you pursuing a legitimate interest?
    - Necessity test: is the processing necessary for that purpose?
    - Balancing test: do the individual’s interests override the legitimate interest?

    The Information Commissioner Office issued some guidance on legitimate interest - https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/
  • Study references


    Answer: For study references about ISO 27001 I suggest you to take a look at the following material:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
    - ISO 27001: An overview of the ISMS implementation process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001-overview-isms-implementation-process-free-webinar-demand/
  • AS9100 Counterfeit parts


    Answer:
    The implementation of the requirements for controlling counterfeit parts is greatly dependent on the company involved and the product it produces. In clause 8.1.4 the requirement is just to have a process in place to prevent the use of counterfeit parts. This process can include many things, from only buying parts from original equipment manufacturers and approved distributors, to performing tests to validate that the product received is actually the product requested. This all comes down to what is required for the product in question, and to some extent the risk of actually getting the wrong parts that can cause a problem in the end products.
    For more information see this article on the special aerospace terms in AS9100: https://advisera.com/9100academy/blog/2017/05/01/five-special-aerospace-terms-in-as9100-rev-d/
  • Personal data visibility

    Yes, but I mean that a company probably needs a set of internal employees (probably executives) involved as "verifiers" that the processes in every area will be "aligned" with the GDPR; suppose that we do not have a DPO, the question is whether there exists some formal document (agreement, etc.) to formally instruct, for example, some head office for this specific job of supporting the
    "Data Protection Officer". Kind regards. Bruno
  • GDPR in school

    Question: Does this school fall under the same guidelines as schools physically located in the EU?
    Which brings up the issue of any other private schools in the US that an EU citizen might send their student to. Are we responsible for their data as well? Or does this responsibility fall on the EU Citizen?

    Answer:

    If the school is based in the US then the US regulations apply. So the EU GDPR is not relevant in this case. The Regulation will only apply to personal data about individuals in the Union; the nationality or habitual residence of those individuals is irrelevant.

    All private schools in the US would need to comply with the US legislation in terms of privacy, and you as well. As mentioned above, the EU GDPR is only applicable if the processing activity is happening in the EU or if it targets individuals (not necessarily citizens) that are in the EU.

    To get a better understanding of the extra territorial reach of the EU GDPR check out our article “EU GDPR: What is it, how does it work and why use it?” - https://advisera.com/eugdpracademy/what-is-eugdpr/