Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Guest
"Do we have to proactively apply for GDPR compliance by proving that we are compliant or we should make our product compliant without showing to any authority.
In short is it enough if I follow the guidelines and make the changes or will I have to apply/show it to some authority"
You must follow guidelines and regulatory requirements, implement changes to your product/organization without showing them to any Authority. However, Article 24 GDPR requires the data controller to be able to demonstrate compliance in case of controls by Supervisory Authority (the so-called principle of accountability).
Here you can find some information about how to implement EU GDPR
9 steps for implementing GDPR https://advisera.com/articles/9-steps-for-implementing-gdpr/
A summary of 10 key GDPR requirements https://advisera.com/eugdpracademy/knowledgebase/a-summary-of-10-key-gdpr-requirements/
If you need to understand how to implement EU GDPR in your organization, you may consider enrolling in our free EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/
Great move! Video is a powerful tool as instruction, as a procedure.
According to my experience, be sure to:
The best way to keep on top of the OH&S performance of the OHSMS is to develop some Key Performance Indicators that you can track to show how the organization is doing for OH&S performance. These indicators may start with “number of accidents” which you can then improve, but organizations that are working towards more prevention may look closer at “close calls” (incidents that could have cause injury but did not) and try to reduce these incidents so that in future they do not cause injury. Monitoring and measurement in the OHSMS is the key to keeping on top of what is happening.
For mor on how monitoring and measurement works in the OHSMS, see the article: How to establish and evaluate key performance indicators for ISO 45001, https://advisera.com/45001academy/blog/2015/07/22/how-to-establish-and-evaluate-key-performance-indicators-for-iso-45001/
1) 11.1 Measurement Report in the ISO 27001 is Not Referenced as Mandatory whrereas in the integrated toolkit it is17.1 Measurement Report - Referenced as Mandatory
First of all, sorry for this confusion.
The Measurement Report is to be considered mandatory.
Please note that the Measurement Report is related to ISO 27001 clauses 6.2 and 9.1, and both require documented information about security objectives (clause 6.2) and monitoring and measurement results (clause 9.1).
2) A.16.1 Appendix 1 - Incident Log can you please advise where that is referenced in the integrated toolkit?
In the integrated toolkit, the document to be used to log incidents is the Data Breach Register, located in folder 14 Security Controls >> 14.A.16 Incident Management and Data Breaches
3) Can you please advise where the below are included in the ISO-27001 toolkit
14.A.13.1
Includes Annex 1 – Standard Contractual Clauses for the Transfer of Personal Data to Controllers applicable to ISO-27001
14.A.13.2
Includes Annex 2 – Standard Contractual Clauses for the Transfer of Personal Data to Processors applicable to ISO-27001
The requirements regarding privacy applicable only for ISO 27001 are covered in the Information Transfer Policy, located in folder 08 Annex A Security Controls >> A.13 Communications Security
“A) say notes will be taken of their response as evidence that they are doing their job.
Answer:
Saying that “notes will be taken of their response ”is a good approach, you are warning them, but it is better to justify that you have a report to write and you don’t trust your memory, you have to write your notes
B) establish a good rapport with the auditee: as short questions and listen.
Answer:
Establishing a good rapport with the auditee is a good approach. Present yourself, put people at ease, some may have never been audited and they may be scared. Explain why you are doing the audit. Ask them things about what they are doing, rephrase their answers when you want to check you really understood their answer.
C) put the auditee at ease and encourage them to mark out existing nonconformities."
Answer:
No, “encourage them to mark out existing nonconformities” that is not a good approach. You know the audit criteria, interview people, observe actions, check documents and records. If you think you found nonconformities state them, to allow any clarification.
The following material will provide you information about audits:
From a certification point of view, provided the certification body is accredited, it can be from any country, not only the one from the on of the company to be certified.
However, you also need to check if you have local laws/regulations, or customer contracts, about the country of origin of the certification body.
If you have no legal or contractual limitations, you can get ISO 27001 certified by a certification body from any country.
These materials will provide you a further explanation about selecting a certification body:
To extend the ISMS scope you have to perform all the steps as if you were implementing the ISMS for the first time, on a scale equivalent to the size of this extension.
While you will have less effort related to common requirements such as document and record control, internal audit and management review, the effort for the risk assessment and treatment will depend on how similar this extension is to the current scope. If they are similar you may use existent controls and security metrics with only minor adjustments.
In the Secure and Simple book, you should take a look at chapter 5 - FIRST STEPS IN THE PROJECT, which explains how to develop the ISMS scope.
These articles will provide you a further explanation about implementing ISO 27001 (the concepts are the same for scope extension):
This material will also help you regarding implementing ISO 27001:
There are several points to note regarding the requirements. Firstly irrespective of whether the testing is reported as a pass/ fail result or not, all laboratories must identify contributions to the measurement of uncertainty (MU). Secondly, a distinction is made between identifying contributions and evaluating measurement uncertainty, which involves quantifying the MU. The standard states in a note that when a well-recognized test method is used (i.e. standard methods) and controls are in place to limit the major sources of uncertainty, then the laboratory need not evaluate measurement uncertainty. This applies to both qualitative and quantitative results. Bear in mind that even if a result is reported qualitatively, for example, a positive or negative for a diagnostic test, it is still necessary to identify contributions to uncertainty to ensure that they are being controlled sufficiently. Typically a laboratory will state that a standard method is being used and performance parameters are met (verified); therefore, measurement of uncertainty wasn't fully evaluated. However, they need to list the major contributions to uncertainty, such as temperature affecting the volume of solutions in volumetric glassware and the uncertainty of calibrated mass balances. These controls can be considered as measures to minimise risk as part of addressing the risk that results may not be fit for purpose.
If the test involves a measurement rather than an observation, and the method is not a validated standard method, the measurement of uncertainty must be fully evaluated.
For more information, see a previous response to Measurement uncertainty in chemical process at https://community.advisera.com/topic/measurement-uncertainty-in-chemical-process/ and Calculating uncertainty at https://community.advisera.com/topic/calculating-uncertainty/