To extend the ISMS scope you have to perform all the steps as if you were implementing the ISMS for the first time, on a scale equivalent to the size of this extension.
While you will have less effort related to common requirements such as document and record control, internal audit and management review, the effort for the risk assessment and treatment will depend on how similar this extension is to the current scope. If they are similar you may use existent controls and security metrics with only minor adjustments.
In the Secure and Simple book, you should take a look at chapter 5 - FIRST STEPS IN THE PROJECT, which explains how to develop the ISMS scope.
These articles will provide you with further explanation about implementing ISO 27001 (the concepts are the same for scope extension):
This material will also help you regarding implementing ISO 27001:
There are several points to note regarding the requirements. Firstly, irrespective of whether the testing is reported as a pass/fail result or not, all laboratories must identify contributions to the measurement of uncertainty (MU). Secondly, a distinction is made between identifying contributions and evaluating measurement uncertainty, which involves quantifying the MU. The standard states in a note that when a well-recognized test method is used (i.e. standard methods) and controls are in place to limit the major sources of uncertainty, then the laboratory need not evaluate measurement uncertainty. This applies to both qualitative and quantitative results.

Bear in mind that even if a result is reported qualitatively, for example, a positive or negative for a diagnostic test, it is still necessary to identify contributions to uncertainty to ensure that they are being controlled sufficiently. Typically a laboratory will state that a standard method is being used and performance parameters are met (verified); therefore, measurement of uncertainty wasn't fully evaluated. However, they need to list the major contributions to uncertainty, such as temperature affecting the volume of solutions in volumetric glassware and the uncertainty of calibrated mass balances. These controls can be considered as measures to minimise risk as part of addressing the risk that results may not be fit for purpose.
If the test involves a measurement rather than an observation, and the method is not a validated standard method, the measurement of uncertainty must be fully evaluated.
For more information, see a previous response to Measurement uncertainty in chemical process at https://community.advisera.com/topic/measurement-uncertainty-in-chemical-process/ and Calculating uncertainty at https://community.advisera.com/topic/calculating-uncertainty/.
Do we have to perform a DPIA for all our processing activities, or only for some of them? If only for some of them, what are the criteria to distinguish for which activities to perform the DPIA? Is this covered in some of the documents in your GDPR Toolkit?
You have to perform a DPIA for all processing activities falling under art. 35 par. 3 GDPR, which are:
a) profiling or tracking activities
b) processing of particular categories of personal data falling under Article 9 GDPR
c) video surveillance on a publicly accessible area on a large scale.
In our toolkit, you can find the template of our
If we have a data breach, do we have to report each data breach to the supervisory authority? If not, what are the criteria to distinguish between the breaches we need and do not need to report? Is this covered in some of the documents in your GDPR Toolkit?
You need to report any data breach unless it is unlikely to result in a risk for the freedoms or rights of data subjects. Risks include fraud, identity theft, unauthorized access, monitoring, financial loss, or cases where sensitive data are involved. When a data breach occurs, you need to assess the level of risk and then define whether there is a need to report to the national Data Protection Authority or not. You should keep a register of data breaches.
Our white paper on assessing the severity of personal data breaches according to GDPR can help you in the process: https://info.advisera.com/eugdpracademy/free-download/assessing-the-severity-of-personal-data-breaches-according-to-gdpr
Here you can find more information about Data Protection Impact Assessment and Data breach:
5 phases of the EU GDPR Data Protection Impact Assessment https://advisera.com/eugdpracademy/knowledgebase/5-phases-of-the-eu-gdpr-data-protection-impact-assessment/
5 steps to handle a data breach according to GDPR https://advisera.com/eugdpracademy/knowledgebase/5-steps-to-handle-a-data-breach-according-to-gdpr/
If you need to understand how to implement EU GDPR in your organization, you may consider enrolling in our free EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/
Question 1: Some of the links pointed out in the comments are no longer available; is there an update?
First of all, sorry for this situation.
Please provide information about the links with missing materials and we will send you the correct ones.
Question 2: Some documents refer to “[position]”; I would like to know what is the most advisable way to change this variable? Should it be an existing position, even if that position spans several functions, or should it be filled with a position to be created that will provisionally be held by the same person?
First of all, it is important to note that both approaches are acceptable to fulfill the standard's requirements. The suggested approach is to use the position that will be responsible for the activity in the long term, regardless of the person assigned to it. This way you will minimize the need to update the document when the responsible position changes.
Comments included in each [position] suggest which positions you can use. In addition, included in the toolkit, you have access to video tutorials that show how these positions can be filled in for some documents.
For more information, see:
- How to document roles and responsibilities according to ISO 27001 (in Portuguese) https://advisera.com/27001academy/pt-br/blog/2016/06/22/como-documentar-papeis-e-responsabilidades-de-acordo-com-a-iso-27001/
Question 3: How can I find out which laws are mandatory for my company/situation?
For this situation, our recommendation is that you seek local legal advice.
As a starting point, you can use the information at this link:
- Laws and regulations on information security and business continuity https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/
Doubt 1: Some of the links pointed out in the comments are no longer available; is there an update?
Answer: First of all, sorry for this situation.
Please provide information about the missing links and we will send you the correct ones.
Doubt 2: Some documents mention “[position]”; I would like to know what is the most advisable way to change this variable? Should it be an existing position, even if that position is in several functions, or should it be filled with a position to be created but which will temporarily be occupied by the same person?
Answer: First, it is important to note that both approaches are acceptable to fulfill the standard’s requirements. The suggested approach is to use the position that will be responsible for the activity in the long term, regardless of the person that will be designated for it. This way you will minimize the need to update the document to change the responsible position.
Comments for each [position] suggest which job titles you might use. Also, included in the toolkit you have access to video tutorials which show how these positions could be filled out for some documents.
For further information, see:
- How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
Question 3: How can I find out which laws are mandatory for my company/situation?
Answer: For this situation, our recommendation is for you to look for local legal advice.
As a starting point, you can use the information in this link:
- Laws and regulations on information security and business continuity https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/
1 - As you mentioned during the meeting, the following documents should be considered as next-level projects since they are not needed for our company. Am I correct in that assumption?
04.2_Cloud_Security_Policy_Cloud_EN.docx
04.3_Policy_for_Data_Privacy_in_the_Cloud_Cloud_EN.docx
If you want to be compliant with ISO 27001 only, and not with ISO 27017 and ISO 27018, the 2 documents you mentioned are not needed; also in the Statement of Applicability, you need to take into account only the 114 controls that are related to ISO 27001.
2 - Furthermore, I would appreciate it if you could see the attached and tell me which step you mentioned is not applicable to us? (If any)
Please note that to implement ISO 27001 you will have to go through all the folders listed in the toolkit. By consulting the List of Documents file that comes with your toolkit you will identify which documents need to be implemented to fulfill the standard's requirements (e.g., Information Security Policy, SoA, etc.), and those that are recommended to be implemented because they are considered good practice (e.g., Procedure for Corrective Action).
Yes, I agree with this approach. The point here is that you need to prove that you have a system in place, and that system is applicable for any type of medical device or component.
“Do you have a white paper or any documented evidence that will support the case of those requirements relating to ISO auditing that you can share - especially ALL clauses and over what time span?”
Answer:
The requirement about auditing all clauses every year is not in ISO 9001 but in the contract that you sign with the certification body as one of the commitments required. The same applies to at least one management review per year.
“the internal auditing process needs to be audited by a qualified person independent of the activity”
Answer:
Any function relevant to the quality management system must be performed by a competent person. It is up to each organization to determine internal auditor competence requirements. About independence, please check ISO 9000:2015 definition 3.13.1, where one can read that an audit is a “systematic, independent and documented process”. That is why auditors should not audit their own work.
The following material will provide you with more information: