Answer: In general the Company Director (or the highest position in the company) signs the high-level policies (those policies that have overall impact throughout the organization, like the Quality Management Policy and the Information Security Policy), while other directors or managers sign the remaining policies (known as low-level or second-level policies), according to their scope (e.g., the IT director signs the Password and Backup policies, and the Purchase manager signs the Supplier Management Policy).
1. We have a Management review procedure in place; what are the important elements that we need to add or remove to align with the new requirements?
In addition to the management review inputs and outputs defined in the previous version of the standard, the new version requires consideration of:
- context of the organization relevant to the environmental management system
- the needs and expectations of interested parties
- risks and opportunities
2. Do we need to remove the term MR (Management representative) or his or her roles and responsibilities in all of our revised documents?
No, it is not necessary. Although the standard no longer requires the MR as a mandatory role, companies can decide to keep this role as part of the EMS. If your organization decides not to keep the MR as a role within the EMS, the MR's responsibilities should be transferred to other people or other roles; in this case you will have to revise the documents and change them accordingly.
One of the quick wins would obviously be having the comfort that, if under investigation by a Supervisory Authority, you would have the means to prove accountability as set forth in the EU GDPR. Also, compliance with the EU GDPR would prove to your customers and business partners your commitment to doing your business in a compliant way, not to mention that if your business is actually to provide services to other companies, and in that sense to process personal data on their behalf (you acting as a processor), you would be expected by those companies (acting as controllers) to be EU GDPR compliant.
The decision to use internal or external resources is entirely up to you, so you can go both ways. However, this matrix that we have developed https://advisera.com/eugdpracademy/comparison/ might help you make the right decision.
The time frame highly depends on the complexity of your business and your processing activities. Usually for SMEs it is anywhere between 3 to 6 months. Also please consider that once established, the EU GDPR framework needs to be maintained, so it is not just a one-time job.
Courses in Mexico
From my point of view, both entities (BCI and DRII) have a good international reputation, so my recommendation is that you select the entity depending on your needs. Example: Do you need an online course? BCI. Do you need an entity based in the USA because you are thinking of working and living in the USA? DRII
Scope and exclusions
Answer:
About the application of clause 8.3 to “Sourcing and placing suitable candidates (Permanent & Freelance) for the construction industry”, I would consider its exclusion once you already have your product defined and as long as you don’t need to change it. Your clients provide your organization with the service characteristics, the specifications, needed for you to plan the service provision processes. I don’t believe you need to change your scope.
The following material will provide you with information about scope and exclusions:
Currently we are working on two courses meant to help participants improve their knowledge and skills in the field of data protection, of course with a focus on the GDPR. There will be two available courses, one GDPR Foundation Course and the other a DPO course. The two courses will be available within the next two weeks, so follow the Advisera webpage.
Steps to implement ISO 27001
Answer: The overall steps are:
1.- Obtain management support
2.- Treat the implementation of the standard as a project
3.- Define the scope
4.- Write the ISMS policy
5.- Define the risk assessment methodology
6.- Perform the risk assessment and risk treatment
7.- Write the Statement of Applicability
8.- Write the Risk Treatment Plan
9.- Determine how to measure the effectiveness of controls
10.- Implement the controls and mandatory procedures
11.- Implement training and awareness programs
12.- Operate the ISMS
13.- Monitor the ISMS
14.- Perform the internal audit
15.- Perform the management review
16.- Carry out corrective actions
Answer: The best moment to perform an internal audit would be after a period two or three times longer than the time the process you want to audit takes to execute, because after that time you will have more chances to gather evidence to decide whether the process is executed properly or not. For small scopes (or when there are sufficient auditors), the internal audit is done a couple of weeks before the management review.
2 - And in regards to the training and awareness... is it enough to provide a PowerPoint video that explains to employees the most important documents (access control, security, acceptable use, etc.), where to find them, what is included in them, what relates to each of them, etc.?
Answer: For initial and general training (considering all personnel) this may be a good approach, but you also have to consider specific training and awareness activities for technical and management personnel, as well as for personnel who perform specialized or critical activities.
3 - Also, how long should the internal audit take? Should the internal auditor basically go through the provided checklist? I read that the internal audit should be a 1-year plan? Can you elaborate, please.
Answer: For small organizations (up to 20 employees) the internal audit will typically last 1 day, whereas in a company of 100 employees it will be 2 days.
Regarding checklists, they are only one part of the resources an auditor can use. The auditor should also consider documentation review, interviews and process observation to gather information.
Regarding the internal audit plan, a 1-year plan is generally developed when an organization has a big scope and wants to audit only parts of it at a time. Considering that ISO 27001 only requires the audits to be conducted at planned intervals (clause 9.2), an organization is free to decide whether it wants to perform a single audit during the year, covering the whole scope, or multiple audits covering smaller parts of the scope each time. Additionally, for certified organizations, the whole scope must be audited between the certification body's audits, which are generally performed annually.
Included in the toolkit you bought you have access to video tutorials that can help you plan and perform an internal audit.
In general, the benefits of ISO 27001 are related to:
- Enhanced competitive edge
- Reduction of losses due to security incidents
- Reduction of fines due to legal or contractual non-conformity
- Improvement of internal organization
To enhance your proposal, it is helpful to identify for the organization examples that can be related to its context, so it will be easier for the employees and management to figure out the benefits of adopting a management system culture.