Search results


  • Data transfers to 3rd countries

    If the headquarters of the organization is in the United Kingdom, then UK GDPR would apply mainly. According to Article 3 – Territorial scope – of the EU GDPR, the Regulation would apply only if the company offers goods or services to people in the EEA, or if it monitors the behavior of people in the EEA. If the data is stored in Serbia, then a transfer takes place from the UK to Serbia. According to UK GDPR, which is almost the same as EU GDPR (with EU references removed), a suitable transfer mechanism should be used for a compliant personal data transfer. In this case, the best transfer mechanism would be UK Standard Contractual Clauses. The ICO, the UK’s Data Protection Authority, issued some new SCCs, called IDTAs (International Data Transfer Agreements), that can be used starting March 21, 2022.

    You could explore developing Binding Corporate Rules (BCRs) for intra-group personal data international transfers, but they need to be approved by the supervisory authority (ICO in this case).

    Please consult these links to find more details:

  • Maintenance requirements of IATF

    Items 8.5.1.5, 8.5.1.6, and 6.1.2.3 of the IATF 16949:2016 standard are generally related to maintenance. 

    I recommend that you review these requirements.

  • How to become a BIA expert

    I have a question: "An organization is AS9100 Rev D certified, but the organization has had no production for any customer for one year; how can compliance of the QMS be interpreted? How should internal audits be conducted? How should KPIs be translated? What does the standard say about how QMS compliance should be evaluated if an organization has had no customer for a long time?"

  • Partial certification

    Certification is possible only if you fulfill all clauses from sections 4 to 10, and the applicable controls from ISO 27001 Annex A, so it is not possible to be certified against only part of ISO 27001 clauses.

    What you can do is define an ISMS scope covering only part of the organization, a part for which you can fulfill all requirements of the standard.

    For certification, we suggest you take a look at these Advisera resources:
    - ISO 27001 Documentation Toolkit https://advisera.com/27001academy/iso-27001-documentation-toolkit/
    - Conformio (online tool for ISO 27001) https://advisera.com/conformio/

    These articles will provide you with further explanation about ISO 27001 implementation:
    - ISO 27001 implementation steps https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

  • Question about how to identify ISO 27001 ISMS Assets

    Your understanding that an asset needs to have a security element for it to be considered in the ISMS scope is correct.

    According to ISO 27001, an asset is anything of value to the organization in terms of confidentiality, integrity, and availability of information.

    Considering that, if the asset is related to information that your ISMS needs to protect, then it needs to be considered. In your examples, users' passwords need to be protected, which makes the work instruction procedure for changing users' passwords part of the scope, while a marketing brochure, which does not need to be protected, would not be considered.

    In the Risk Assessment Sheet included in the toolkit there is a list of assets you can use.

  • Contestation

    We have the same understanding.

    The correct understanding of the assets, and related threats and vulnerabilities, is a critical factor for a successful risk assessment and treatment.

    To handle them properly, you need to consider involving personnel who work with such assets during the assessment.

    This article will provide you with further explanation about risk assessment:

  • Clause 7.2 (Competence)

    Great, thanks. I have a training and awareness plan policy already so I guess this should cover it.


  • Company merger - System Requirements

    Since ISO 9001 is the basic standard and IATF 16949 is a set of requirements above it, IATF 16949 and ISO 9001 are considered together; the quality manual, processes, procedures, etc. can be documented jointly in one system. You can define scopes separately for each location in the quality manual. Exclusion for an IATF-certified location is possible only if there is no product design, product design input, and output.

  • Inquiry for missed document

    Our ISO 13485 Documentation Toolkit is in compliance with all requirements of ISO 13485. The FDA revealed plans to harmonize its 21 CFR with ISO 13485 in 2018. Due to the coronavirus pandemic, this process has been a little delayed, but it is expected to be resolved soon.

    For more information see this link: https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=201904&RIN=0910-AH99

    Considering the EU MDR 2017/745, there are some more documented requirements for the QMS (stated in Article 10), which are part of our ISO 13485 & MDR toolkit.

    For more detail on this topic, please see the following article:
