Search results


  • Risks and context


    Answer:

    Considering the strategic orientation of your organization, your top management team should determine internal and external issues that could affect the intended results of your QMS.

    You can document that list of internal and external issues.

    Then, considering those issues, you should determine risks and opportunities. And you can list them. For example, if you determined as an external issue the possibility of competitors with new technology disrupting your market, or determined the opportunity of opening a new geographical market since your government negotiated the opening of economic borders with other countries, those will clearly be good candidates for risks and opportunities determined considering clause 4.1.

    You can make explicit connections between issues and risks and opportunities or not. They can only be implicit and your top management team can show the connections to auditors.

    The following material will provide you with information about the risk-based approach:

    - ISO 9001 – How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    - Risk-based thinking replacing preventive action in ISO 9001:2015 – The benefits - https://advisera.com/9001academy/knowledgebase/risk-based-thinking-replacing-preventive-action-in-iso-90012015-the-benefits/
    - ISO 9001:2015 Risk Management Toolkit - https://advisera.com/9001academy/iso-90012015-risk-management-toolkit/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • GDPR principle


    Answer:

    The EU GDPR expressly mentions in article 25 (https://advisera.com/eugdpracademy/gdpr/data-protection-by-design-and-by-default/) the concepts of data protection by design and by default as important data protection principles and imposes specific obligations on controllers.

    In a nutshell, the data protection by design provision requires controllers to:
    - implement appropriate technical and organizational measures (such as pseudonymisation) which are designed to implement data protection principles (such as data minimization) in an effective way; and
    - integrate necessary safeguards into their processing activities in order to meet the requirements of the GDPR and protect the rights of data subjects.

    Under the data protection by default provision, controllers are required to implement appropriate technical and organizational measures for ensuring, by default, that only personal data which are necessary for each specific purpose of the processing are processed.

    Our EU GDPR toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ considered these obligations on controllers and integrated them in the relevant documents.
  • Incident Categorization


    Answer: Companies commonly use 3-4 levels/layers, so an example with 4 layers could be:

    Hardware - Equipment - Motherboard - Network card

    or

    Software - Application - Database - Oracle

    Some companies use more than 3-4 layers, but my recommendation is to keep it simple, i.e., 3-4 layers.

    You may find this article interesting: “All about Incident Classification” https://advisera.com/20000academy/knowledgebase/incident-classification/
  • EU GDPR in charities


    Answer:

    Charities are impacted by GDPR like any other organisation. There is no exception for charities. I would start by doing a personal data processing inventory. You can find a template for this in the Advisera EU GDPR toolkit https://advisera.com/toolkits/eu-gdpr-documentation-toolkit/; afterwards, if you have more questions, you can rely on Advisera to help you.
  • Risk Assessments and GDPR


    Answer:

    The GDPR makes it mandatory to perform risk assessments in the shape of a Data Protection Impact Assessment where it is deemed that there is a risk to the rights and freedoms of the individuals whose data is being processed.
  • Documentation templates and ITIL version


    Answer:
    Documentation toolkits (ITIL and Premium) are based on the 2011 revision of ITIL. When V3 was introduced (2007), the complete name was ITIL V3. From the 2011 revision onward, it's only ITIL.
  • Personal Data and DPO

    2) Do we need a Data Protection Officer or is a Data processor enough?
    3) Regarding the 'Compliance Questionnaire' Do we need to send this all 3rd parties that hold data of ours or just our clients?

    Answers:

    1) According to EU GDPR article 5(e) (https://advisera.com/gdpr/principles-relating-to-processing-of-personal-data/) personal data cannot be kept longer than is necessary for the purposes for which the personal data are processed. Assuming that the data received via your website comes from users registering there, you can set up your own retention period. When establishing that, you should consider a reasonable retention period that would be consistent both with the type of services you provide to the data subject and the categories of personal data processed. To give you an example, if you are not collecting special categories of data (https://advisera.com/eugdpracademy/gdpr/processing-of-special-categories-of-personal-data/) you can set up a retention period anywhere between 1-3 years (most likely it will not be considered excessive) from the last time the user accessed his/her account on your website.

    2) Appointing a Data Protection Officer is required by the EU GDPR (https://advisera.com/eugdpracademy/gdpr/designation-of-the-data-protection-officer/) only in some specific cases:
    - you are required to do so by national law;
    - your core activities consist of regular and systematic monitoring of data subjects on a large scale;
    - your core activities consist of processing sensitive personal data on a large scale (including processing information about criminal offences).

    So, if you find yourself in any of the above cases it is required to appoint a DPO, which can be an employee or a third party (e.g. consultancy company). If you don’t, then you are not required to appoint a DPO but you can designate some data protection specific tasks to someone within the organization.

    You might find this article interesting https://advisera.com/eugdpracademy/knowledgebase/the-role-of-the-dpo-in-light-of-the-general-data-protection-regulation/

    3) The Supplier Due Diligence Questionnaire is used to assess those suppliers that are processing personal data that belong to you as controller. So, those suppliers receiving or having access to personal data that you process as controller, regardless of whether the data belongs to your employees or your customers.
  • GDPR Compliant Media Release form


    Answer:

    Let me begin by pointing out the prerequisites for a valid consent as set out by EU GDPR article 7 (https://advisera.com/eugdpracademy/gdpr/conditions-for-consent/) namely: freely given, specific, informed and unambiguous indication of the individual’s wishes.

    This means that among others, it is not only necessary to ask for consent but also to provide the relevant information to the data subjects. So whenever asking for consent the necessary information needs to be provided via a “Privacy Notice”.
    In our EU GDPR Toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ we provide templates for: “Data subject consent form” (https://advisera.com/eugdpracademy/documentation/data-subject-consent-form/), “Data subject consent withdrawal form” (https://advisera.com/eugdpracademy/documentation/data-subject-consent-withdrawal-form/), “Parental Consent Form” (https://advisera.com/eugdpracademy/documentation/parental-consent-form/), “Parental Consent Withdrawal Form” (https://advisera.com/eugdpracademy/documentation/parental-consent-withdrawal-form/) as well as a template for a “Privacy Notice” (https://advisera.com/eugdpracademy/documentation/privacy-notice/).
  • Categories of disruptive impact


    Answer: The values presented in the template for the categories of disruptive impact can be changed to fit your organization's needs without problem. They are only examples based on our experience. There is no such thing as a set standard, because each organization has unique characteristics that will influence these values.

    What determines the values for the categories of disruptive impact is what your organization perceives as relevant time frames for the business (e.g., minutes, hours, days, weeks, etc.).

    Although you can determine the values for the categories of disruptive impact, you should not change them with every BIA, because this way you cannot make comparisons between different BIAs. The better solution is to establish a set of values that will cover the majority of possible scenarios.

    This material will provide you with further explanation about performing a BIA:
    - How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
    - Implementing Business Impact Analysis according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/implementing-business-impact-analysis-according-to-iso-22301-free-webinar-on-demand/
  • Surveillance and main audits


    Answer: A surveillance audit is an audit performed by the certification body between the certification and recertification audits, to check if the system is maintained.

    2 - How is it different from the main audit?

    Answer: While a main audit (for certification or recertification) covers all the certification scope, a surveillance audit covers only part of the certification scope. After a certification, the surveillance audits are planned in such a way that all the certification scope is audited before the recertification audit is performed.

    This article will provide you with further explanation about audits:
    - Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/

    These materials will also help you regarding audits:
    - Preparing for ISO Certification Audit: A Plain English Guide https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/