
  • Does Zoom need to be considered as a processor

    Whenever a call on Zoom is initiated, Zoom Video Communications, Inc. processes personal data. Mp4 of all video, audio, whiteboard, captions and presentations, audio transcript files, attendee information (screen name, join/leave time), etc, they are all personal data according to the definition of personal data that can be found in Article 4 (1) GDPR: “any information relating to an identified or identifiable natural person”. Zoom Video Communications, Inc. processes personal data on behalf of its customers and acts as a Data Processor according to the definition from Article 4 (8). Since Zoom Video Communications, Inc is a US-based company, the new EU Standard Contractual Clauses should be signed. Zoom Video Communications, Inc, offers a Data Processing Agreement which also includes EU Standard Contractual Clauses requirements, at https://explore.zoom.us/docs/doc/Zoom_GLOBAL_DPA.pdf

    You can find more details at these links:

  • Risk assessment Vs SoA

    Please note that the risk assessment, risk treatment, and elaboration of the Statement of Applicability have very different steps, so you do not repeat the same activities. And you cannot go directly to the controls because the standard requires all defined steps for risk assessment and risk treatment to be performed.

    In risk assessment you identify, analyze and evaluate risks. As output you have a prioritized list of risks, and which ones require treatment or not.

    In risk treatment you define treatment options and applicable controls, elaborate the SoA and the risk treatment plan, approve the risk treatment plan and accept the residual risks.

    The Statement of Applicability is different from risk treatment because there you need to take into account (besides the results of the risk assessment) legal and regulatory requirements, as well as management decisions. On top of this, the SoA keeps track of the implementation method and implementation status - these are not mentioned in the risk treatment.

    In Conformio, the Statement of Applicability is created automatically based on the results of the Risk Register module. You only need to add some items up in case of need, like justifications based on legal and contractual requirements, or management decisions, or specific information about implementation methods.

    For further information, see:
    - How to automate the creation of the Statement of Applicability https://advisera.com/conformio/blog/2021/01/20/how-to-automate-the-creation-of-statement-of-applicability/

  • How to set safety objectives

    Setting OH&S objectives in ISO 45001 has not changed much from the OHSAS 18001 OH&S objectives. The objectives are still meant to be objectives for improvement in the system, and are intended to have a target for improvement and a timeline. So, an OH&S objective to “reduce near miss incidents from 10 per month to 5 per month in the next 12 months” is the type of objective that the standard is looking for.

    What is new to ISO 45001 is the requirement to actually have a plan in place for each objective that says who needs to do what, by what time, with what resources, and what method to use to tell whether the steps are adequate. This change is meant to address the fact that many companies had OH&S objectives under the previous system, but had never made a plan to achieve them, so they were never met.

    You can read more on OH&S objectives in the article: How to define ISO 45001 objectives and plans, https://advisera.com/45001academy/blog/2018/12/04/how-to-define-iso-45001-objectives-and-plans/

  • About the IT security Policy and some documents mentioned as "implementation method" in the SOA

    ISO 27001 does not specify roles to handle spam, so organizations can define what best fits them, from creating a new role to designating an already existing role for the task. A common approach is blocking the origin of email identified as spam from reaching the organization, and in this case, some role from the IT staff that can authorize such a procedure can be defined as the person responsible (e.g., IT head, system admin, etc.).

  • Content of ISO 27001 & EU GDPR Toolkit

    I’m assuming the information you provided is from the List of documents file from the ISO 27001 toolkit (ISO 27000 is not a certifiable standard).

    Considering that, the Incident Management Procedure document is mandatory only if control A.16.1.5 Response to information security incidents is deemed applicable.

    Considering the ISO 27001 & EU GDPR Toolkit, the document you should look for is the Data Breach Response and Notification Procedure, which covers the same requirements as the Incident Management Procedure, and also GDPR Articles 4(12), 33 and 34. This is document 14.A.16, item 85, in the List of documents file from the ISO 27001 & EU GDPR Toolkit.

  • Clean room criteria for ISO 13485

    Thank you for the question. There are a lot of things that need to be taken into consideration when wanting to get an ISO 13485:2016 certificate. For the documentation, you can use our Documentation toolkit, which has all the documentation required by the standard. Prices and what is contained in the toolkit can be found at the following link: https://advisera.com/13485academy/iso-13485-documentation-toolkit/

    More information on ISO 13485 can be found at the following links:
