
  • Question-MDR

    Yes, you are right, we did not have a GSPR list in our documentation toolkit. We are just preparing it and it will be issued by the end of this year. So, if you have been given this one, feel free to use it.

  • Controls A.17.1

    1 - How to define the information security controls within the activities of the continuity plan? I do not understand whether it is necessary to define in each activity how the security of the information would be ensured, or to have a general section in the continuity plan where I mention that the information security controls established in the production environments are applied in all activities.

    The easiest way to comply with A.17.1 is to list all security processes within your company, and ensure these processes are covered through the Disaster Recovery Plan. In other words, do not focus on security controls, but focus on security processes.

    To see what a Disaster Recovery Plan compliant with ISO 27001 looks like, please take a look at this template: https://advisera.com/27001academy/documentation/disaster-recovery-plan/

    For further information, see:
    - Disaster recovery vs Business continuity https://advisera.com/27001academy/blog/2010/11/04/disaster-recovery-vs-business-continuity/


    2 - Additionally, how is it proven that there are information security controls in the continuity plan?

    Answer: The easiest way is to include references to controls described in ISO 27001 Annex A into the Disaster Recovery Plan document. For example, in the abovementioned template, you can add a section to include the controls covered by the actions defined in the plan.

    For example, if your plan includes activities for recovery of access control, then you can include the reference “Controls from ISO 27001 Annex A.9”.

  • Internal Context and Safety Management System

    In the ISO 45001 OHSMS the internal context includes your internal issues that can affect your OH&S management system, along with the needs of employees and other internal interested parties. These internal issues can include such things as the stability of your workforce since a large employee turnover means that you will be re-training people all the time which can affect safety knowledge, and understanding employee needs for OH&S will help to identify where specific controls are needed to safeguard your specific employees for your specific hazards.

    Implementing an OHSMS is more than just using the requirements of ISO 45001; you need to incorporate any other requirements that are applicable, such as legal requirements or employee safety needs. Understanding all of this context will help you to know the requirements that need to be included on top of ISO 45001 to make your OHSMS work for your unique organization.

    You can learn more on the context requirements for the OHSMS in the article: Defining the context of the organization according to ISO 45001, https://advisera.com/45001academy/blog/2016/02/03/defining-the-context-of-the-organization-according-to-iso-45001/

  • Transfer impact assessment

    I would appreciate your support to answer the questions below related to the transfer impact assessment.

    Who should create the data transfer impact assessment, the controller or the processor?

    The data transfer impact assessment should be created by the controller, who is the subject in charge of GDPR compliance towards the Authority and the data subjects. However, in some cases, if the data processor exports data to a sub-processor, the processor can assess the transfer impact in order to demonstrate compliance with the GDPR to the data controller.

    Is there any available transfer impact assessment template for the processor?

    No, currently we have the template for the Cross Border Personal Data Transfer Procedure, which can be tailored to transfers as controller or as processor.

    https://advisera.com/eugdpracademy/documentation/cross-border-personal-data-transfer-procedure/

    Where can I find the updated version of the controller-processor SCCs?

    You can find it on the website of the EU Commission: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj

    Here you can find more information about data transfer:

    If you want to learn how to implement GDPR compliance in your organization, you may consider enrolling in our EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/

  • Statement of Applicability in Conformio

    The information about the interest groups to be contacted and how to contact them can be documented in a simple spreadsheet. ISO 27001 does not define the information to be documented, so you can add any information you consider relevant.

    As for where to store it, you can use the Documents module in Conformio.

    https://i.imgur.com/f8cXOiG.png

    This article will provide you with a further explanation about special interest groups:

  • Writing Emergency Management Guide

    There is no one right format for the emergency preparedness and response procedures required in ISO 45001, but there are certain things that should be considered. After identifying what potential emergencies you may face, your plan should include the actions to take to respond to the situation, the training necessary for the planned response, the communication to workers or other relevant stakeholders, and periodic testing and evaluation of the plans for improvement.

    You can read a bit more in the articles: How to ensure effective emergency preparedness and response in ISO 45001, https://advisera.com/45001academy/blog/2015/10/21/how-to-ensure-effective-emergency-preparedness-and-response-in-iso-45001/ and 5 elements to consider when testing your organization’s health & safety emergency response procedure, https://advisera.com/45001academy/blog/2017/02/22/5-elements-to-consider-when-testing-your-organizations-health-safety-emergency-response-procedure/

  • Binding Corporate rules

    If a company based in a non-European country wants to transfer European data to a non-European country, what are the GDPR requirements?


    GDPR requirements for the transfer of data outside the EU are listed in Chapter V GDPR and require the data controller to ensure that the level of data protection offered by the GDPR is not undermined. The steps are the following:
    1. Verify whether the destination country benefits from an adequacy decision of the EU Commission. If so, you can proceed with the data transfer. Here you can find the countries with adequacy decisions: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
    2. If the country importing EU data is not included, you need to assess the security of the country and select another transfer mechanism, like the Standard Contractual Clauses (SCC), which incorporate the requirements of the EU GDPR: https://info.advisera.com/eugdpracademy/free-download/standard-contractual-clauses-annexes

    Does a company need to create binding corporate rules if it has only one branch?


    No, the mechanism of approval of Binding Corporate Rules is long and complex and requires approval from the Supervisory Authority or the European Commission. Usually, large multinational company groups require the approval of Binding Corporate Rules (BCR), while many companies (including large tech companies, like Google) prefer the Standard Contractual Clauses.

    Are there any available binding corporate rules, approved by the authorities, that can be followed?


    Yes, I believe you can find them on the web, but BCRs adapt to the structure of the company and are tailored to its processing and transfers.

    Here you can find more information about data transfer:
    3 steps for data transfers according to GDPR https://advisera.com/articles/3-steps-for-data-transfers-according-to-gdpr/
    EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/

  • Stage-1 Audit

    1. What do auditors look for in a Stage 1 audit?

    According to IATF 16949:2016 Rules 5, the documents I list below should be ready for the Stage 1 audit. In other words, the quality management system should be established, an internal audit should be done, and a management review should be completed before the Stage 1 audit.

    Documents and subjects that should be ready before the Stage 1 audit:

      a) Description of the remote location and the support they provide.

      b) Description of processes showing the sequence and interactions, including the identification of remote supporting functions and outsourced processes.

      c) Key indicators and performance trends for the previous twelve (12) months, minimum.

      d) Evidence that all the requirements of IATF 16949 are addressed by the client's processes.

      e) Quality manual, including the interactions with support functions on-site or remote.

      f) Evidence of one full cycle of internal audits to IATF 16949 followed by a management review.

      g) List of qualified internal auditors and the criteria for qualification.

      h) List of automotive customers and their customer-specific requirements, if applicable.

      i) Customer complaint summary and responses, scorecards, and special status, if applicable.

    2. Is it mandatory that the MRM and the internal audit are conducted before a Stage 1 audit?

    As you can see from the list above, completion of the management review and the internal audits is mandatory.
