Search results

  • Addressing Impact Assessment (DPIA) requirement

    According to article 35 in GDPR, “Data protection impact assessment”, a DPIA is performed for personal data processing operations “likely to result in a high risk to the rights and freedoms of natural persons”. In the case of ISO, the risks that are documented and treated are related to the organizational information, while in the case of DPIA the risks are related to the rights and freedoms of natural persons. There are really good templates that can help you address these risk assessments in our EU GDPR & ISO 27001 INTEGRATED DOCUMENTATION TOOLKIT.

    Please find more details here:

  • Right to Erasure

    As a cloud hosting provider, according to article 28 GDPR (Processor), you should act as a Data Processor. In this case, the data subjects who have personal data on your servers on behalf of your customers must exercise their right to erasure towards the data controllers (your customers), per Art 17 (Right to erasure) para 1: "The data subject shall have the right to obtain from the controller the erasure of personal data". If you, as a Data Processor, receive a deletion request from a data subject, you should either forward the request to the right customer or inform the data subject that they should exercise their right towards the respective data controller.

    However, if one of your business customers requests you to delete the personal data they are accountable for, you should comply with this request, because they act as a data controller, per Art 28 para 3 (e): "taking into account the nature of the processing, assists the controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the controller's obligation to respond to requests for exercising the data subject's rights". Regarding data from the backups, that data is deleted anyway after a while.

    We are preparing a Live Virtual Training around How to handle a Data Subject Request according to GDPR, stay tuned for the announcements!

    Please explore the following links to find more details:

  • Are there any things in ISO 9001 not covered by ISO 17025?

    Although ISO 9001 requirements are very integrated into ISO 17025, as the approach and purpose are different (being customer focussed), you need to assess whether your compliance for certain ISO 9001 requirements is adequate. If your laboratory went straight to ISO 17025 accreditation, i.e. Option A (not preceded by ISO 9001 certification), there may be gaps that exist. Depending on the extent to which a laboratory develops its QMS beyond the minimum requirements of ISO 17025, the level of ISO 9001 compliance differs. I suggest you do a gap analysis of your current QMS against the specific requirements of ISO 9001.

    Look at the article ISO 17025 vs. ISO 9001 – Similarities and differences at https://advisera.com/17025academy/blog/2019/07/11/iso-17025-vs-iso-9001-main-differences-and-similarities/

    Also have a look at the Advisera 9001 academy resources at https://advisera.com/9001academy/, which includes resources to assist, such as whitepaper Clause-by-clause explanation of ISO 9001:2015 and the ISO 9001:2015 Gap Analysis Tool.

  • Acceptance of ISO 27001 Lead Auditor certification in Europe and US

    ISO 27001 Lead Auditor certification issued by an accredited training provider is a globally recognized certification, being accepted across all of Europe and the US.

    We are not aware of any specific legislation enforcing or forbidding the acceptance of such certification, however, the lead auditor certification is a requirement for people who want to work for certification bodies as certification auditors.

    To determine whether ISO 27001 Lead Auditor certification is enforced or forbidden in specific countries, you should look for expert legal advice in the countries where you want to operate.

    This article will provide you with further explanation about the ISO 27001 lead auditor course:
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/

    This material will also help you regarding the ISO 27001 lead auditor course:
    - ISO 27001 Lead Auditor course https://advisera.com/training/iso-27001-lead-auditor-course/

  • Process Capability in ISO 9001:2015

    No, process capability analysis for the use of process control is not a requirement in ISO 9001:2015.

    However, if it is a client requirement it must be performed.

  • Business Continuity Management

    The Recovery Time Objective (RTO) means how fast after a disaster an organization wants its business to resume operations, and its definition is made through the Business Impact Analysis, which helps you understand the level of resources that is required and the evolution of losses over time (in short, the faster the losses increase over time, the shorter the RTO needs to be, and the more resources will be required).

    As a reference to evaluate how many resources are enough, you should consider the losses to the organization if the operations are not resumed in a given time. For example, if the losses for not returning in 12h are US$ 200k, and the resources required to return operations at this time cost US$ 250k, then it is not practical to define an RTO of 12h. On the other hand, if the losses for not returning in 24h are US$ 1M, and the resources required to return operations at this time cost US$ 750k, then it is practical to define an RTO of 24h.

    These articles will provide you with a further explanation about business continuity concepts:

  • Amendments to ISO 27001 Toolkit

    First of all, congratulations on your approval.

    Included in the toolkit you purchased, you are entitled to receive free updates for one year after your purchase date. In this situation, you will receive documents reflecting the appropriate changes. We will send you the updated toolkit shortly after the ISO 27001 update is officially published.

  • Business Continuity Policy

    Considering the explicitly stated missing parts, please note that ISO 22301 does not require policy statements, definitions, compliance, and consequences for non-compliance.

    While we agree that such items could be considered, our templates are designed to fulfill the standard’s requirements with minimum overhead to minimize administrative effort to keep and maintain them.

    In terms of policy, ISO 22301 clause 5.2.1 requires: alignment with the organization’s purpose, an approach to defining business continuity objectives, commitment to fulfilling legal requirements, and commitment to the continual improvement of the Business Continuity Management System.

    In case you want to include such items in your own policy, you can schedule a meeting with one of our experts so they can help you develop them.

    For further information, see:
    - The purpose of Business continuity policy according to ISO 22301 https://advisera.com/27001academy/blog/2013/06/04/the-purpose-of-business-continuity-policy-according-to-iso-22301/

  • ISO 27001 / Conformio questions

    1. How should we treat the risk assessment process? Should we consider all the risks within our company and go over a bit or should we be more conservative? For example, should we consider our CEO being on leave as a risk while doing the risk assessment?

    Considering the Conformio platform, first, you need to define your Risk Assessment and Risk Treatment Methodology. In the document provided by Conformio, you will define the risk acceptance criteria, i.e., when identified and analyzed risks must be treated. Conformio automatically determines which risks need to be treated based on the acceptance criteria you define.

    For further information, see:

    2. In terms of SoA should we mark all the controls as applicable? How should we approach this?

    Considering the Conformio platform, Conformio automatically marks controls applicable based on the results of risk assessment and legal requirements.

    For further information, see:

