EU GDPR is applicable to the company I work for (in the UK - a subsidiary of the American organisation) as we store and process personally identifiable data for our staff, and EU GDPR will be applicable to the American organisation's subsidiaries located in Germany and Italy.
As we are owned by an American company, I am assuming that the American company will need to be EU GDPR compliant as it owns companies operating in the UK, Germany and Italy? Our company is a B2B company and sells products and services to other businesses, but stores personally identifiable data on behalf of the staff that work for it.
Is EU GDPR applicable at the Corporate level?
If there was a breach at one of the companies operating in the EU, is the fine applicable to the Corporate annual turnover or the company that has breached?
Finally, if one of the companies is storing personally identifiable staff data on a Corporate database where the data is stored in the US - I'm guessing that Corporate will have to be EU GDPR compliant as the data is stored outside the EU?
Answer:
The EU GDPR will be applicable to all companies established in the EU/EEA regardless of where their parent companies are established. So any companies established in the EU/EEA will have to comply with the EU GDPR.
Regarding the US-based parent company, it is not necessary for it to be compliant with the EU GDPR just because of the mere fact that it owns subsidiaries in the EU/EEA.
GDPR would be applicable if the US-based parent company were acting as a controller that offers goods and services to, or monitors, individuals in the EU/EEA. Depending on the actual processing activities carried out by the US-based parent company, the EU GDPR may or may not be applicable; an exact answer can only be offered after a more in-depth analysis of the relations between the US-based parent company and its EU/EEA subsidiaries.
If one of the subsidiaries within the EU/EEA were to suffer a data breach that might result in a fine, the worst-case scenario means that the amount of the fine would be established based on the annual turnover of the “undertaking”, which is defined by reference to the competition law definition in Articles 101 and 102 of the Treaty on the Functioning of the European Union (TFEU). The TFEU sees undertakings as economic units, so this potentially includes group companies. In other words, it is possible, at least in theory, that the global turnover of a group of companies is considered when establishing the fine.
If the US-based parent company were just storing personal data of EU/EEA employees and acting as a processor on behalf of the EU/EEA-based subsidiaries, then the parent company would have to provide appropriate safeguards for cross-border transfers of personal data, which could be, for example: adherence to Privacy Shield or using “Model Contracts for the transfer of personal data to third countries” (Model Contracts).
My Answer: The revision of a document is maintained with that document, so in your case your quality manual should go from Rev K to Rev L. This is not dependent on any outside information or documents that cause the change, so it is not relevant that AS9100 has changed to Rev D. The only reason you would create a Rev A document is if you deleted the current quality manual document and started with a new document number for your AS9100 Rev D quality manual. If you do this you may lose the link to the previous manual though, so it is not recommended.
Answer: The general approach will be the same, the main difference being that during risk analysis you will have to consider situations that are specifically related to an IaaS environment (e.g., geographic location of the provider, performance monitoring, tenant segregation, etc.). To support your risk treatment I suggest you take a look at ISO 27017, which offers recommendations and guidelines for the implementation of ISO 27001 controls in cloud environments.
Answer: The implementation of BCM requires some level of cultural and knowledge change, so according to ISO 22301, once you have defined your BCM scope you have to identify which competences are required to implement all stages of BCM, identify the gaps you have among your personnel and plan measures to eliminate them, by means of training, education and/or hiring experienced people in fields where you lack proper competencies.
For a complete overview of how to learn about a BCMS, I suggest you take a look at the free demo of our ISO 22301 Documentation Toolkit at this link: https://advisera.com/27001academy/iso22301-documentation-toolkit/
This toolkit has 33 document templates, including all documents required for ISO 22301 certification plus commonly used non-mandatory documents, so you can learn what is needed to implement a BCM.
BIA and business strategy
Answer: The purpose of a BIA is to give you an idea of the maximum time an organization can be out of operation, and the maximum data that can be lost, while still being able to resume operations. Considering that, you should treat the information provided by a BIA as input for your company's digital transformation strategy, so you can devise the strategy considering these limitations and include proper actions to maximize the chances of success.
Answer: I'm assuming that by "weak signal detection" you are referring to an ongoing process of scanning an environment for changes, although they are still too incomplete to allow an accurate estimate of their impact and/or to determine a full adapted response.
Considering that, this approach can relate to risk identification, risk analysis and risk monitoring steps from ISO 31000 risk management process. These steps require the identification of risk sources, impacts and events, the understanding of how they can affect the organization, and the periodic review of those risks.
In case the information gathered by the weak signal detection is not sufficient to estimate impact and/or to determine proper response, you can decide to only monitor the related risks waiting for additional information to arise.
Answer: The templates are designed this way so they can cover situations where an organization, for whatever reason, decides not to adopt such "flicking a switch" solutions, and thus has to develop detailed procedures, but the templates are fully editable, and you can alter or delete sections you deem unnecessary.
Considering the scenario you described, you may simplify or delete:
- sections 2, 3 and 4 from Activity Recovery Strategy Template.
- sections 3, 5 and 6 from Activity Recovery Plan Template
For these sections you may change the content for a single paragraph providing a general overview of the necessary steps.
Additionally, by your description you are considering ICT core infrastructure only, but you also have to consider situations where ICT recovery is needed when the work site is made unavailable (and you need to relocate personnel to other sites), or the ICT in that site is affected and the site is unable to communicate with the central ICT infrastructure (even warm sites require some activities to be performed to become fully operational).
And if the risk value is calculated before considering existing controls, which risks should be moved to the risk treatment table? Is it only risks that are above the threshold value and do not have an existing control? Or any risk above the threshold value?
Answer: When defining the likelihood and impact values to calculate the risk you must consider any controls that are already implemented (and mention them in the column Existing controls at the end of the Risk Assessment Table).
Regarding which risks you should move to the Risk Treatment Table, you should move risks that are above the threshold value and any other risk you decide to treat (e.g., because you want to implement an improvement or you have to treat them because of a legal requirement).
By the way, included in the toolkit you bought you have access to a video tutorial that can help you fill the risk assessment and risk treatment tables.
BCM documentation
We ourselves are in the process of developing a framework document. I just want to know how we can structure that document. What can its contents be? I have just bought Dejan's book “Becoming Resilient”, so more questions after going through that book.
Answer: For structuring BCM documentation I suggest you analyse the mandatory documentation required by ISO 22301, the leading ISO standard for business continuity. This mandatory documentation covers the basics you need to ensure a solid and relevant implementation, considering your business needs. You can see the list of mandatory documentation, and some commonly adopted documentation, at this link:
I received this question:
Good afternoon. In my company, which operates in the mining sector, we are updating our IMS (quality, environment, occupational health and safety) under the new ISO 9001:2015 and ISO 14001:2015 standards, so my question is: is it mandatory that we keep an IMS Manual? As I understand it, the new ISO 9001:2015 standard no longer requires it, but what about the others?
My answer:
The quality manual is no longer mandatory in the new version of ISO 9001:2015. However, all the requirements of the quality manual, except 4.2.2 b), are retained in the new version of the standard. The scope of the QMS and the interactions between processes still have to be defined. These requirements are spelled out in more detail in the new version, and still have to be presented in the form of documented information. The same applies to the other standards as well. The new versions have some requirements that need to be fulfilled in the form of documented information, which can be included in the new manual, for example the context of the organization.
For more information, see "The future of the quality manual in ISO 9001:2015": https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/el-futuro-del-manual-de-calidad-en-la-iso-90012015/
These materials can also be helpful in implementing ISO 9001:
- Book "Preparación para el proyecto de implementación ISO: una guia en un lenguaje sencillo" (Preparing for the ISO implementation project: a plain-language guide): https://advisera.com/books/preparacion-para-el-proyecto-de-implementacion-iso-una-guia-en-un-lenguaje-sencillo/
- Free online course: ISO 9001 Foundations Course: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
- Conformio (online ISO 9001 tool): https://advisera.com/conformio/