  • Safety and ISO 9001:2015


    Answer:

    ISO 9001:2015 per se has no safety requirements incorporated. Please check clause 0.4 of ISO 9001:2015 where you can read “This International Standard does not include requirements specific to other management systems, such as those for environmental management, occupational health and safety management, or financial management.”

    The following material will provide you information about ISO 9001:2015:

    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • External and internal context and interested parties


    Answer:

    I assume that your organization’s purpose is to sell lubricants’ quality control results.

    Internal issues:
    Any issues about Lab overall performance (capacity OK? Non conformities? Delivery dates?) or infrastructure (do you need new equipment? Or too many equipment breakdowns? Any needs for new competences?) – things that keep coming up in conversations about the Lab performance or day to day (remember weaknesses and strengths of your organization).

    External issues:
    Any issues about opportunities and threats in the context of your organization. Things like: how are your customers going? How is the economy going? Are there any regulatory news that affect customer’s life and requirements? Are there any technological trends that will affect the Lab business?

    Your organization sells quality control results to customers; they are an interested party. Why do they choose your Lab? Because it is the cheapest? Because it is the fastest? Because it is the most reliable? Because it is recommended by the customers’ customers? Are regulators an interested party? Are customers’ customers an interested party? Why will they recommend your lab to their suppliers (your customers)? Are there any critical suppliers that you can consider as an interested party? What do you want from them and what do they expect from you? Are there knowledge centers that are interested parties? Universities, Petroleum and Lubricants institutes? What do they want from your Lab and what does your Lab want from them? And workers, are they an interested party? What do you want from them and what do they require from your Lab?


    The following material will provide you information about internal and external context, and interested parties:

    - How to identify the context of the organization in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
    - Understanding needs & expectations of interested parties in ISO 9001:2015 - https://advisera.com/9001academy/blog/2017/10/24/understanding-needs-expectations-of-interested-parties-in-iso-90012015/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Cross reference between 27001 and GDPR


    Answer:

    No, I am afraid not; there is no such document in the EU GDPR Toolkit or the EU GDPR & ISO 27001 Integrated Documentation Toolkit https://advisera.com/eugdpracademy/eu-gdpr-iso-27001-integrated-documentation-toolkit/

    However, you can find some interesting comparison between ISO 27001 and EU GDPR in our article “Does ISO 27001 implementation satisfy EU GDPR” https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/
  • Legitimate Interest Assessments template


    Answer:

    There is no such document in the toolkit and this is because entities can use different ways to assess their legitimate interests against the rights and freedoms of the data subjects.

    The legitimate interest is provided as a lawful ground for processing by EU GDPR Article 6(1)(f): “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child” https://advisera.com/eugdpracademy/gdpr/lawfulness-of-processing/ and starting from this description an assessment would most likely be divided into three parts:

    1. Purpose test: are you pursuing a legitimate interest and what is that legitimate interest?
    2. Necessity test: is the processing necessary for that purpose, and is legitimate interest the most suitable basis for processing?
    3. Balancing test: do the individual’s interests override the legitimate interest?

    To learn more about legitimate interests see this free online training GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
  • Implementation options


    Answer: ISO 27001 requires the establishment of responsibilities relevant to information security, but the organizations are free to divide them, or not, according to their necessities and perceived risks. So, it is possible to implement ISO 27001 without a division of responsibility in the business, provided that identified unacceptable risks related to not dividing responsibilities are properly treated.

    These articles will provide you further explanation about responsibilities in ISO 27001:
    - How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
    - Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/

    These materials will also help you regarding responsibilities in ISO 27001:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

    2 - What route to certification do you recommend? How can you help?
    Answer: Regarding ISO 27001 implementation, you have three options:
    - Implementing with your own employees
    - Hiring a consultant
    - Implementing by yourself with external support

    Each one of them has its advantages and disadvantages, related to time, resources and knowledge. For more information, I suggest the following materials:
    - 3 strategic options to implement any ISO standard https://advisera.com/blog/2016/04/11/3-strategic-options-to-implement-any-iso-standard/
    - Implementing ISO 27001 with a consultant vs. DIY approach https://info.advisera.com/27001academy/free-download/implementing-iso-27001-with-a-consultant-vs-diy-approach

    Advisera specializes in the third approach. We offer toolkits with templates and expert support, and also free material in the form of articles, papers and webinars, to help you with your implementation project. Please see these materials for more information:
    - ISO 27001 Documentation Toolkit https://advisera.com/27001academy/iso-27001-documentation-toolkit/
    - How to use a Documentation Toolkit for the implementation of ISO 27001 / ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-27001-free-webinar-on-demand/
  • The Data Processing Agreement


    Answer:

    Your understanding is correct. The Data Processing Agreement is meant to be sent to your processors, meaning your suppliers that process data on your behalf, such as payroll providers, external call centers or marketing companies sending SMS or emails on your behalf.

    You can find more about controllers and processors by checking out our free EU GDPR Foundations Course https://advisera.com/training/eu-gdpr-foundations-course//
  • B2B company


    Answer:

    Being a B2B company does not automatically mean that EU GDPR does not apply to you. You could be providing services (as a processor) to another company (as controller), but while doing that you might be processing data of individuals. For example, a marketing company “A” performing an SMS campaign on behalf of company “B”. Company “B” would be processing data of individuals even if the individuals themselves are not customers of company “B”.

    So, “directly” processing data as a controller is not the only prerequisite for the EU GDPR to be applicable to you.

    Also, if you are established in the EU that would make you a controller in terms of processing data of your employees so the EU GDPR would be again applicable.

    To find out more about controllers and processors you can go through our article “EU GDPR controller vs. processor – What are the differences?” https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/ as well as our free EU GDPR Foundations Course https://advisera.com/training/eu-gdpr-foundations-course//
  • GDPR data


    Answer:

    The personal data itself belongs to the individuals (data subjects), and this is why the EU GDPR grants individuals extended rights as regards their personal data.

    The controllers only process the personal data for specific purposes using one of the six legal grounds for processing: consent, contract obligation, legal obligation, vital interests, public interest, and legitimate interest.

    You can find out more about the individuals’ rights and legal bases for processing from our articles: “8 data subject rights according to GDPR” https://advisera.com/eugdpracademy/knowledgebase/8-data-subject-rights-according-to-gdpr// and “Is consent needed? Six legal bases to process data according to GDPR” https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/
  • Privacy Shield


    Answer:

    In addition to the controversial Privacy Shield deal with the US, the EU has adequacy agreements that allow companies to share data with Switzerland, Andorra, the Faroe Islands, Guernsey, Jersey, the Isle of Man, Argentina, Canada, Israel, New Zealand and Uruguay.

    All of these agreements will be reevaluated in the near future to ensure that they are up to par with the EU GDPR requirements.
  • User data from 3rd party integrations


    Answer:

    If it is reasonably possible, yes. But I think it is quite unlikely considering your business model.

    However, if the users decide to send their data to Google Drive, Dropbox etc., then they should have the means to delete their data on their own. You may be able to facilitate that.