Search results


  • GDPR

    Since you offer IaaS and PaaS services to an EU company, you will have access to personal data. You should be a data processor unless you have autonomy in the way you process personal data. According to Chapter V in GDPR, you need to do the data transfer via one of the accepted transfer mechanisms: adequacy decision (Art 45 GDPR), binding corporate rules (Art 47 GDPR), standard contractual clauses, approved code of conduct, approved certification mechanism (Art 46 GDPR) or Derogations (Art 49 GDPR). My recommendation is to use the new EU Standard Contractual Clauses for Controller to Processor, adding the necessary additional technical and organizational measures to offer the same level of protection for transferred personal data as it is offered under GDPR in the EU.


  • Clause 4.3: ISMS scope

    ISO 27001 ISMS scope can be defined in terms of information, processes, or location to be protected. Considering that, you can make your scope more precise by defining information (e.g., customer information, sales information, research and development information, etc.), processes (e.g., software development processes, production processes, etc.), or location (information in the company building, on the finance floor, etc.).

  • Confidentiality statement

    Please note that the controls related to the Information Classification Policy do not require any documentation to be written, so you can have a Policy for Handling Classified Information implemented only as a set of practices that everyone knows and follows. For example, you can simply define that all your information is classified as restricted and include this information in the Statement of Applicability, as an implementation method, without the need to write a specific policy document.


  • NIST 800-53 vs ISO 27001

    You should first study the information security regulations for financial organizations in the countries where you operate to evaluate whether ISO 27001 or NIST is closer to the requirements you need to fulfill. For example, in most European countries ISO 27001 is more appropriate.

    These articles will provide you with further explanation about ISO 27001 and NIST:
    - How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
    - What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    - How to use NIST SP 800-53 for the implementation of ISO 27001 controls https://advisera.com/27001academy/blog/2016/05/10/how-to-use-nist-sp-800-53-for-the-implementation-of-iso-27001-controls/

  • Risk assessment of impartiality

    @sajid

    I need some help.

    Hello!

    Our colleague in charge will contact you shortly to assist!

  • Laboratory activities in Section 5 - Structural Requirements

    Section 5 refers to legal business, organisational structure and management responsibility. Typically this is included in the Quality manual. You then have other procedures, appendices and associated records available to provide evidence that the stated approach is followed.

    Clause 5.1 refers to the need for a legal entity.

    5.2 Requires you to define who the senior management are and who holds the top management position. This is for resource allocation (budget) and for dealing with any conflicts of interest in the laboratory. That is, who has overall responsibility to ensure policies are supported and that quality/accreditation objectives are met. This person signs the quality policy, typically approves the quality manual, and chairs or oversees the Management Review.

    5.3 Requires you to define the scope of work (what you do) and state which activities comply with ISO 17025. Those are the tests for which you will apply for accreditation.

    5.4 Requires you to look beyond just your operational and quality preferences, the mandatory requirements of ISO 17025 and those of your accreditation body. You need to consider and include all applicable regulations and requirements of interested parties. For example, Safety laws, labour laws and any requirements of your sector for the laboratory to be registered or certified with a particular regulatory body.

    5.5 a) Requires you have a clear management structure documented and to provide an organogram as defined.

    5.5 b) ties in with clause 6.2. Personnel must be informed of their roles and this must be documented. For example, a small laboratory may not have a person appointed as a quality manager; however, a senior analyst may be required to perform the role of a quality manager together with other functions. This must be clearly stated and communicated.

    5.5 c) This ties in with clause 8.2 Management system documentation. All mandatory requirements must be met plus any needed (processes, procedures and records) to control your specific risks (operational and quality) as necessary. These requirements should be directed by your policies, objectives and method performance. For example if turnaround time (TAT) for resulting is an objective, you need to document a way and use charts or other tools to monitor your success and risks of not meeting TAT.

    5.6 Ties in with clause 6.2. Personnel must be assigned to the activities listed in a to e.

    5.7 Is directed specifically at laboratory management. You have to define how communication is going to take place, such as how often you have meetings and how management develops a quality culture in the laboratory to meet your quality objectives. Secondly, management must have a system in place for change control so that laboratory personnel, even if authorised, don't just move ahead with changes to the management system to adopt opportunities for improvement without considering the risks to current operations and quality.

    The Whitepaper Clause-by-clause explanation of ISO 17025:2017 may assist you, available at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025/

  • Questions about Stage 1, and Scope

    1 - It is the certification body who is insisting that if we want to include development in the scope, and the relevant SoA controls, then all the developers must be included. In our opinion not all the developers are relevant for the ISMS. What can we argue against that vision?

    Please note that if all developers have access to the information you want to protect, then all developers need to be included in the scope (the point is not if they are relevant or not, but which information they can access). In case you can evidence that the developers you do not want to include in the scope cannot access the information you want to protect, then you do not need to include these developers in the ISMS scope.

    2 - You mention reducing the scope. We don't have a specific requirement from our customers regarding the scope or the development department, but we think that since we develop software it should be included. Why do you think that doesn't matter and that it is OK to reduce the scope?

    Please note that it is not a question of whether we consider it matters or not to keep development in the scope (this decision is up to the organization according to its objectives and strategies). The situation is that the certification body is suggesting you make some adjustments, and we just provide informed alternatives for you to make a decision.

    In our point of view, if you want to keep the development process in the scope, you need to make the adjustments suggested by the certification body (more details about the rationale are in the answer to question 1). If you understand the adjustments are not necessary, you need to reduce the ISMS scope, so these points are not questioned by the certification body anymore.

    Please note that you can keep the information security practices for development regardless of whether they are in the certification scope or not. Maybe after some time you will have more data to decide whether to include it in the scope.

    3 - Other question: does this small difference in wording really mean so much in terms of who should be included in the scope?

    "The information systems that support" vs "The operation of information systems that support"

    Please note that when you refer to "The information systems that support", all personnel who interact with the information systems need to be included in the scope (e.g., IT personnel, users, customers, etc.).

    When you refer to "The operation of information systems that support", you limit the personnel who interacts with the information systems to the people who keep them running, i.e., the IT staff.

  • Inquiry: ISO 17025 accreditation of a microbiological laboratory

    ISO 17025 is applicable to all testing and calibration laboratories. There is no mandatory requirement to use standardized methods. When using an in-house developed method you have to show you can meet the performance requirements of the method to fit the purpose. In other words, achieve suitable accuracy and precision and other parameters such as limit of detection, based on need and risk, i.e., tolerated variation in results.

    For accreditation all mandatory requirements of ISO 17025 must be met. For technical requirements this includes method validation, ongoing internal quality control to ensure the validity of your results and participation in a proficiency testing scheme or interlaboratory comparison. I suggest you engage with your quotation body and pose the question to them of how you would proceed for your accreditation in your field. 

    The Whitepaper Clause-by-clause explanation of ISO 17025:2017 may assist you, available at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025/

    For more information on the mandatory requirements, see the Whitepaper Checklist of mandatory documents required by ISO 17025:2017 at https://info.advisera.com/17025academy/free-download/checklist-of-mandatory-documents-required-by-iso-17025

  • ISO/IEC 27001/2 Harmonization

    There still is no official date for starting the review of both ISO 27017 and ISO 27018 considering the new ISO 27002. The expectation is that this timeline will be published together with the information about the update of ISO 27001.

  • DMS/Apps - information/content delineation questions

    1. What we are getting confused over is, what information/content can stay in Fibery and Hubspot (and other Collaborative apps like Confluence – which we will be using) and what we need to move into the DMS.  Is there any guidance on how to approach this? For example, if we leave ISMS related content in Fibery and point the hyperlink to the content is that OK ...

    ISO 27001 does not prescribe where to store documents and files, so organizations can adopt the approach that better suits their needs, provided the standard’s requirements for creation, update, and control of documents are fulfilled.

    Considering that, your approach of leaving ISMS-related content in Fibery and pointing the hyperlink to the content is acceptable, provided you fulfill the standard’s requirements for the creation, update, and control of documents.


    2. Another question is, most 3rd party apps provide features to create documents. For example, Fibery has a document function to create docs to their standards. However, they do not have the fields to store many of the ISO document standards, like control info and classification type. And access can be open to anyone authorised. Would it be fair to say that any ISMS related documents and records should not be stored in such an app?

    Your understanding is correct. You should avoid the use of apps that cannot allow document management according to ISO 27001 requirements.
