4.1. Objectives and measurement:
· [Job title] will measure the fulfillment of all the objectives.
· [Job title] is responsible for setting the method for measuring the achievement of the objectives.
4.5. Responsibilities
· [job title] will define which information related to information security will be communicated to which interested party (both internal and external), by whom and when.
· [job title] is responsible for adopting and implementing the Training and Awareness Plan, which applies to all persons who have a role in information security management.
Answer: Regarding the responsibilities you mentioned related to section 4.1, and the first one in section 4.5, they are generally assigned to a role created specifically for that purpose (e.g., the CISO), but you can also assign them to an existing role in the organizational chart, provided that this person has the necessary skills to carry out the activities (a good choice would be the Management Representative or Quality Manager if you have this role).
For the second responsibility you mentioned in section 4.5, this one can be assigned either to HR Manager or to the roles above mentioned.
Answer:
The main additions to AS9100 Rev D come under context of the organisation, where the new standard asks that you consider the internal and external issues that affect your QMS, as well as identifying the interested parties of your QMS and their requirements. Other additions include requirements around product safety and control of counterfeit products. One small change that can also have repercussions is the phrase "products and services", which is used throughout the standard and now requires you to consider all of the products and services you provide to the customer as part of your business.
ISO 9001:2015 does not mandate any documented information about risks and opportunities. Your organization can hold a meeting where a brainstorming session about risks and opportunities takes place. Then, in the meeting minutes, you can record the risks and opportunities determined, their evaluation, and what was decided about the most important ones.
The following material will provide you information about mandatory documentation:
Well, ISO 9001:2015 in its Bibliography page still continues to mention ISO 10005. So, I believe it is still relevant.
The following material will provide you information about quality plans:
We were questioned about the difference between marginal and acceptable.
Answer: The term "marginal" refers to an event that is barely registered, with an impact so small that it is considered not worth acting upon, while the term "acceptable" refers to an event that has a perceivable impact, but which the organization has chosen not to act upon.
Policies approval
Answer: In general, the Company Director (or the highest position in the company) signs the high-level policies (those policies that have overall impact throughout the organization, like the Quality Management Policy and the Information Security Policy), while other directors or managers sign the remaining policies (known as low-level or second-level policies), according to their scope (e.g., the IT director signs the Password and Backup policies, and the Purchase manager signs the Supplier Management Policy).
1. We have a Management review procedure in place; what are the important elements that we need to add or remove to align with the new requirements?
In addition to the management review inputs and outputs defined in the previous version of the standard, the new version requires consideration of:
- context of the organization relevant to the environmental management system
- the needs and expectations of interested parties
- risks and opportunities
2. Do we need to remove the term MR (Management representative) or his or her roles and responsibilities in all of our revised documents?
No, it is not necessary. Although the standard no longer requires MR as a mandatory role, companies can decide to keep this role as a part of the EMS. If your organization decides not to keep MR as a role within the EMS, the MR's roles should be transferred to other people or other roles; in this case you will have to revise the documents and change them accordingly.
One of the quick wins would obviously be having the comfort that, if under investigation from a Supervisory Authority, you would have the means to prove accountability as set forth in the EU GDPR. Also, compliance with the EU GDPR would prove to your customers and business partners your commitment to doing your business in a compliant way, not to mention that if your business is actually to provide services to other companies and in that sense process personal data on their behalf (you acting as a processor), you would be expected by those companies (acting as controllers) to be EU GDPR compliant.
The decision to use internal or external resources is entirely up to you, so you can go both ways. However, this matrix that we have developed https://advisera.com/eugdpracademy/comparison/ might help you make the right decision.
The time frame highly depends on the complexity of your business and your processing activities. Usually for SMEs it is anywhere between 3 to 6 months. Also please consider that once established, the EU GDPR framework needs to be maintained, so it is not just a one-time job.
Courses in Mexico
From my point of view, both entities (BCI and DRII) have a good international reputation, so my recommendation is that you select the entity depending on your needs. Example: Do you need an online course? BCI. Do you need an entity based in the USA because you are thinking of working and living in the USA? DRII