Search results

  • ISO9001 Scope

    The scope of the QMS (Quality Management System) should include all processes that affect quality of products and services and customer satisfaction. Also, in the document about the scope you need to document what locations of your organization are covered by the QMS scope.

    For more information, see: How to define the scope of the QMS according to ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/

    These materials will also help you regarding the QMS scope:
    - Book DISCOVER ISO 9001:2015 THROUGH PRACTICAL EXAMPLES https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free online training ISO 9001:2015 Foundations Course https://advisera.com/training/iso-9001-foundations-course/
    - Conformio (online tool for ISO 9001) https://advisera.com/conformio/
  • Privacy Framework


    Answer:

    Based on the information you provided it looks like your question relates to cross border personal data transfers, more precisely to the safeguards needed in order to ensure that a cross border transfer is lawful.

    Before jumping into the matter at hand we should first clarify what a cross border data transfer means: a cross border data transfer means a transfer to non-EU/EEA countries, as well as to countries that have not been deemed by the European Commission as providing an adequate level of protection with regard to personal data (adequacy decision countries). In a nutshell, any transfer out of the EEA or to countries without adequacy decisions is a cross border data transfer.

    As a general rule the EU GDPR states that cross border data transfers are forbidden unless proper safeguards are used.

    Coming back to the question:
    1. Transfers to the UK are not considered cross border data transfers since the UK is still in the EU, thus there is no need for any safeguards. Once the UK leaves the EU this issue will have to be reconsidered, based also on the results of the Brexit negotiations.

    2. Transfers to Canada are not considered cross border because Canada has been issued an adequacy decision by the EU Commission.

    3. Australia is not in the EU/EEA and no adequacy decision has been issued, thus adequate safeguards must be put in place. One of the most commonly used safeguards is the use of the "Model Contracts for the transfers of personal data to third countries" (Model clauses). The EU GDPR implementation Toolkit provides guidance on how to use these contracts - see details here: https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/

    4. The US and EU agreed (July 2016) on a new framework for transatlantic data flows: the EU-US Privacy Shield. This new framework replaced Safe Harbour, which was declared invalid by the European Court of Justice (EUCJ) in October 2015. Currently, transfers between the EU and US can be grounded on Privacy Shield, although this is also being challenged before the EUCJ and there is no telling what the outcome will be. As an alternative, "Model clauses" can be used as safeguards instead of Privacy Shield, and this approach would cover the risk of Privacy Shield being invalidated.
  • Exclusions of clauses 8.3 and 7.1.5

    I received this question: I am implementing ISO 9001 in a company that distributes and sells valves and measurement equipment to the oil & gas industry across Latin America. The equipment is purchased beforehand from another company. My question is whether I should exclude from my QMS the requirements 8.3 Design and Development and 7.1.5 Monitoring and Measurement Resources, since we sell finished products.

    My answer: Since the company has no design and development process within the scope of the QMS, you can exclude clause 8.3 from the organization's scope. When excluding clauses of the standard, you need to document those exclusions in the documentation on the QMS scope and provide justifications for the exclusions. I also understand that the company does not carry out monitoring and measurement of equipment in its processes, so you could also exclude clause 7.1.5 from the scope.

    For more information, see "What clauses can be excluded in ISO 9001:2015": https://advisera.com/9001academy/blog/2015/07/07/what-clauses-can-be-excluded-in-iso-90012015/2015/

    These materials can help you with the ISO 9001 implementation:
    - Book "Preparación para el proyecto de implementación ISO: una guía en un lenguaje sencillo" (Preparing for the ISO implementation project: a plain-language guide): https://advisera.com/books/preparacion-para-el-proyecto-de-implementacion-iso-una-guia-en-un-lenguaje-sencillo/
    - Free online course: ISO 9001 Foundations Course https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
    - Conformio (online tool for ISO 9001): https://advisera.com/conformio/
  • Continual vs step change improvement process


    Answer:

    The process of continuous improvement is a kind of incremental process: each improvement is a small breakthrough built on what previously existed. It works well when the outside world does not change greatly. When the outside world changes rapidly, or when an organization has been without incremental improvements for a long time and has therefore become very out of phase with external reality, incremental improvement is no longer enough. It is in these situations that a step change improvement process is required; another name for a step change improvement process is, for example, reengineering. With a step change improvement process the improvement is not based on what previously existed.

    The following material will provide you information about improvement:

    ISO 9001 – Plan-Do-Check-Act in the ISO 9001 Standard - https://advisera.com/9001academy/knowledgebase/plan-do-check-act-in-the-iso-9001-standard/
    ISO 9001 - Seven Steps for Corrective and Preventive Actions to support Continual Improvement - https://advisera.com/9001academy/blog/2013/10/27/seven-steps-corrective-preventive-actions-support-continual-improvement/
    Corrective actions vs. continual improvement in AS9100 - https://advisera.com/9100academy/knowledgebase/corrective-actions-vs-continual-improvement-in-as9100/
    free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • SoA content


    Just taking HR security as an example: the division which is to implement ISO 27001 is using the Company's HR procedures. Does the division need to describe exactly in the SoA what processes are shared, or is it enough to write in the SoA that HR Security controls are shared with the Company?

    Answer: By "processes" I'm assuming you are referring to security processes performed in a shared way by the Division and the Company's HR.

    Considering that, first of all, for shared controls you have to state clearly in the SoA which part of each control is implemented by whom. Regarding the level of detail about how a control is implemented, if you have documents related to HR security available (e.g., policies or procedures), you can write a short text to provide a general overview and include references to these documents, or to the location where they can be found. If you do not have these documents available then you have to describe the whole HR security process in the SoA.
  • Data mapping for GDPR


    Answer:

    Based on the background provided it seems the information asset inventory is limited to IT assets only and performed from the perspective of an IT security manager. This approach most likely won't provide a full picture of the processing activities performed in your organization.

    Using a data discovery tool, although useful in some instances, will only provide some information about where the personal data is being stored and how it transits through different systems. The information gathered this way would not be sufficient to build a record of processing activities as required by art. 30 of the EU GDPR.

    Our advice would be to start the data mapping process by first identifying the data processing activities based on the processes that are ongoing within your company; for example, in a university this could mean gathering information about student onboarding, the student lifecycle, HR management, security (IT security and physical security), supplier management, etc.

    After identifying the relevant processes and processing activities, the record of processing activities can be filled in with the information required by art. 30 of the EU GDPR. The EU GDPR implementation Toolkit provides guidance on how to perform the data mapping as well as a template containing all the fields needed to ensure compliance with the EU GDPR art. 30 requirements - see the details here: https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/
  • Template content

    I have just started work with the Risk Assessment Table template. Is it possible to change the colour range in the Risk column? I would like to have 0=green, 1=yellow, 2=orange and 3 and 4=red. 3 and 4 are red, but there is no colour scaling on 0, 1 and 2...

    Yes. The templates are fully customizable, and you can adjust them to fit your organization's needs, including the colour range in the Risk column.

    I did have a look at the post in the Expert Advice Community – could you also describe how to change the colour scaling, please?

    Please follow these steps:

    1- Select cells I4 through I700. Do this by dragging from I4 to I700.
    2- Then, click Home > Conditional Formatting > New Rule.
    3- In the New Formatting Rule dialog box, click "Format only cells that contain".
    4- In the box where "is between" is selected, change it to "is equal to".
    5- In the box beside the one filled with "is equal to", enter the value 0.
    6- Click Format.
    7- In the Fill tab, select Green.
    8- Click OK until the dialog boxes are closed.
    9- The formatting is applied to the selected cells.

    Repeat the process to include rules for the colours yellow and orange for values 1 and 2 respectively.

    For more information please access this link: https://support.office.com/en-us/article/Use-formulas-with-conditional-formatting-fed60dfa-1d3f-4e13-9ecb-f1951ff89d7f

  • Quantification of environmental impacts

    I received this question: I am doing the quantification of impacts and I have the historical electricity consumption. My query is whether it is necessary at some point to specify all the electrical devices the company owns. Should I carry out some kind of detailed inventory with, for example, smoke detectors, alarms, computers, etc.? Or is specifying the number of kW enough?

    My answer: The main reason for carrying out the identification of environmental aspects is to provide the data needed to decide which processes require monitoring and control, and which processes are the best targets for ensuring optimal results regarding your company's environmental impact. Each organization, however, must establish its own criteria for significance, based on a systematic review of its environmental aspects and their current and potential impacts. So, if you believe that identifying each piece of equipment and its corresponding consumption will help the company determine what and where the environmental aspect has to be controlled, then you could do it.

    For more information, see "4 steps in the identification and evaluation of environmental impacts": https://advisera.com/14001academy/es/knowledgebase/4-pasos-en-la-identificacion-y-evaluacion-de-aspectos-ambientales/

    These materials can also help you with the ISO 14001 implementation:
    - Book "Preparación para el proyecto de implementación ISO: una guía en un lenguaje sencillo" (Preparing for the ISO implementation project: a plain-language guide): https://advisera.com/books/preparacion-para-el-proyecto-de-implementacion-iso-una-guia-en-un-lenguaje-sencillo/
    - Free online training: ISO 14001 Foundations Course https://advisera.com/es/formacion/curso-fundamentos-iso-14001/
    - Conformio (online tool for ISO 14001): https://advisera.com/conformio/
  • ISMS and QMS


    I am still thinking that implementing the ISMS without a QMS is possible (and it is a better approach) and that it does not require additional workload. Besides, many organizations have done an ISMS without a QMS.

    Note: The end goal is to have the system (operations & maintenance) to have its ISMS certified after 2 years in operations.

    There is no rush to have it ISMS certified during the development stage.

    Question – Thus, I am thinking of doing these steps first even before doing the rest of ISMS activities

    1 - I want to focus on the system requirements – the security requirements to design the system to be delivered to the customers. The main input for the security requirements will be the risk assessment.
    2 - Establishing the context of the risk assessment
    3 - Conduct the risk assessment, risk evaluation and risk analysis – thus the risk treatment.
    4 - Identifying all the relevant controls based on ISO 27001 Annex A/ISO 27002
    5 - Implement all the security measures and controls in the system design.
    6 - Write all the necessary security policies, procedures and guidelines in relation to the systems.
    7 - Build the system (based on the security requirements), test (UAT, FAT) and deliver.

    While doing all the activities above, the other ISMS compliance requirements will gradually be implemented and done, as we have enough time to get it certified after it has been delivered.

    Answer: In fact there is no need to implement a QMS in order to implement an ISMS, although you can take advantage of some practices required by the ISO 9001 standard to improve ISMS performance (identifying and documenting the processes in the scope will help you understand the organizational context and perform the risk assessment). So, it may be a good idea to take a look at ISO 9001 to verify which practices you can adopt now without compromising your current deadline and resources. For more information about this, please see these materials:
    - How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/
    - ISO 27001 implementation: How to make it easier using ISO 9001 [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001-implementation-make-easier-using-iso-9001-free-webinar-demand/

    Regarding your approach, it seems fine for a system development project. The only points you should consider are: documenting a risk assessment and treatment methodology before performing it (so everyone in the project will follow the same procedure), and writing the security policies, procedures and guidelines in relation to the systems before implementing the security measures and controls in the system design, because while elaborating these documents you may find further system adjustments to be made, and it will be easier to make the corrections before the security measures and controls are implemented. For more information, please see these materials:
    - How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
    - How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/

    These materials will also help you regarding implementing ISO 27001:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
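    The advice above to fix the risk assessment methodology before anyone scores a risk, and the earlier "Template content" question about colouring a 0-4 risk column, are both served by the same small register. The following is an added example, not Advisera's template or any code from the page; its scales are assumptions chosen so that the risk value lands in the asker's 0-4 range: likelihood and impact each scored 0-2, risk = likelihood + impact, anything above 2 must be treated, and colours 0 green, 1 yellow, 2 orange, 3-4 red. The sample register entries are constructed.

```python
"""Risk register with a fixed, documented methodology (added example).

Assumptions (hypothetical, not taken from the page):
  - likelihood and impact are each scored 0, 1 or 2
  - risk value = likelihood + impact, so it falls in 0..4
  - a risk above ACCEPTABLE_RISK must be treated
  - colour bands: 0 green, 1 yellow, 2 orange, 3 and 4 red
"""
from dataclasses import dataclass

SCALE = (0, 1, 2)              # the only allowed scores for likelihood and impact
ACCEPTABLE_RISK = 2            # assumption: risks valued 0..2 are accepted as-is
COLOUR_BANDS = {0: "green", 1: "yellow", 2: "orange", 3: "red", 4: "red"}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    owner: str

    def __post_init__(self):
        # Enforce the documented scale: a score outside it is a methodology
        # violation by the assessor, not a data point to be tolerated.
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(
                f"scores must be in {SCALE}: {self.asset} / {self.threat}")

    @property
    def value(self) -> int:
        return self.likelihood + self.impact

    @property
    def colour(self) -> str:
        return COLOUR_BANDS[self.value]

    @property
    def needs_treatment(self) -> bool:
        return self.value > ACCEPTABLE_RISK


def risk_colour(value: int) -> str:
    """Same banding as the four Excel conditional-formatting rules."""
    if value not in COLOUR_BANDS:
        raise ValueError(f"risk value out of range 0..4: {value}")
    return COLOUR_BANDS[value]


def treatment_plan(register):
    """Return (asset, threat, value) for every risk above the acceptance
    level, highest first, so the treatment plan is derived from the register
    rather than chosen ad hoc."""
    return sorted(
        ((r.asset, r.threat, r.value) for r in register if r.needs_treatment),
        key=lambda t: t[2],
        reverse=True,
    )


# Constructed sample register; the entries are illustrative, not real data.
SAMPLE_REGISTER = [
    Risk("customer database", "SQL injection", "unvalidated input in web app", 2, 2, "dev lead"),
    Risk("build server", "malware", "no endpoint protection", 1, 2, "IT ops"),
    Risk("office printer", "paper jam", "old hardware", 2, 0, "facilities"),
    Risk("backup tapes", "theft", "tapes stored unlocked", 1, 1, "IT ops"),
]

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(f"{r.asset:18} {r.threat:15} risk={r.value} "
              f"({r.colour}) treat={r.needs_treatment}")
    print("treatment plan:", treatment_plan(SAMPLE_REGISTER))
```

    Because the scale and the acceptance level are constants that every assessor imports, two people scoring the same asset cannot produce incomparable results, and the treatment plan falls out of the register instead of being argued case by case; changing ACCEPTABLE_RISK or COLOUR_BANDS is then a documented methodology change rather than a silent edit to one spreadsheet cell.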
  • NIST CSF, ISO 27002 and PCI


    Answer: I'm assuming that for PCI you are referring to PCI-DSS. Considering that:

    The NIST Cyber Security Framework (CSF) gives you a methodology on how to implement information security or cybersecurity in an organization (in this respect it is quite similar to ISO 27001, the ISO standard for information security management systems).

    ISO 27002 is a standard that provides guidelines and recommendations for the implementation of the controls listed in ISO 27001. It differs from NIST CSF in that it does not establish a system methodology, only practices to be considered when implementing individual controls.

    PCI DSS is a standard of data security for the credit card industry, providing a group of mandatory controls to be implemented by organizations that work with credit cards. Like ISO 27002 it does not define a methodology.

    These articles will provide you further explanation about CSF, ISO 27002 and PCI:
    - Which one to go with – Cybersecurity Framework or ISO 27001? https://advisera.com/27001academy/blog/2014/02/24/which-one-to-go-with-cybersecurity-framework-or-iso-27001/
    - ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
    - PCI-DSS vs. ISO 27001 Part 1 – Similarities and Differences https://advisera.com/27001academy/knowledgebase/pci-dss/