1. Do you have any SUPPLIER SECURITY POLICY questionnaire template ready on the toolkit or your website?
Answer: A questionnaire to support the application of the Supplier Security Policy is not necessary.
Please note that the Supplier Security Policy is based on risk assessment to find out which controls a supplier needs to have in order to provide the security level your organization needs, and for that you can use the Risk Assessment Table included in your toolkit, in folder 5 Risk Assessment and Risk Treatment.
For further information, see:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
2. Do you have any SUPPLIER SECURITY MANAGEMENT partner or suggestion that we could consider using?
Answer: I’m assuming the question is about an external software that will handle suppliers.
In this case, it is not very common for smaller companies to use this kind of software (usually the external partners are handled without the use of software).
For other cases, I'm sorry, but it’s our policy not to suggest specific companies or technologies related to the implementation of controls.
3. In the 3.2. Screening, the policy says “[Job title] decides whether it is necessary to perform background verification checks for individual suppliers and partners, and if yes – which methods must be used.” What method does it mean?
Answer: Methods here mean the ways you will use to perform background verification. Please note that these may be limited by local laws or regulations.
Examples of methods for background verification are interviews with previous employers/customers, reference letters, and consultation with government agencies.
Clause 8.2.3.2 is applicable to any organization. Your organization does not manufacture a product but provides services, storage, and distribution services. Your organization reviews the client’s requirements before presenting a proposal. Your organization must keep records of clients’ requirements, their review, and proposal or contract.
If there is no special customer request or expectation in this regard, you can use your own employees who have been trained in the 5 core tools before and have experience to provide internal training. It does not necessarily have to be issued by a person appointed by the IATF or by the certification body.
The important thing is that the trainer can demonstrate these competencies by having received training from a person or organization before and having sufficient experience on the subject in his CV.
ISO 27001 does not prescribe deadlines for incident notification and handling, so you need to identify the legal requirements (for example, laws, regulations, or contracts) that you must comply with in order to determine whether any deadline is required and for which types of incidents.
This article will provide more explanation about incident management:
In ISO 13485:2016 there are no requirements that communication within the company must have a documented procedure. In requirement 5.5.3 Internal communication, it is stated that top management must ensure that appropriate communication within the company is established.
In our toolkit, internal communication is mentioned in the Quality Manual, chapter 5.5.3 Internal communication. In the comment, you can see that we put “Adapt to organization practice”. Here you can describe whether you have bulletin boards, what information is placed and communicated on these powerful boards, whether you have a policy on until when emails may be sent during the day, how quickly you need to respond to an e-mail, how important paper information travels around the company, etc.
From your question I’m assuming you want to remove some threats and vulnerabilities associated with an asset once the risk assessment and treatment process is concluded.
It is not possible to remove threats or vulnerabilities, but it is possible to make the risk not relevant any more - for that purpose you have to enter the Risk Register, find the risk and decrease its likelihood and/or impact so that it becomes acceptable. Please note that this change will initiate changes in the Statement of Applicability and the Risk Treatment Plan, i.e. you will start a whole cycle of risk management. Therefore, we recommend these changes are made every 6 months.
In case the risk management process is not concluded, you can simply roll back the steps to eliminate/alter the risk.
Yes, for vendor/third party risk management you should use the templates for risk assessment and risk treatment included in your toolkit, in folder 5 Risk assessment and risk treatment - these are the same templates as for assessing the risks for your own company, since the assessment process is the same.
This article will provide you with further explanation about supplier security:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
The project plan is a tool to use as you see best fits your needs. You can modify it as works best for you, even adding new tables if that is of benefit. List the current processes and documentation in place for ISO 13485 which are applicable, and then the additional ones required by, or needing customisation for, ISO 17025. This way you can track your progress.
Yes, if the organization uses the messages it is considered processing of personal data under the EU GDPR. However, the processing of personal data to defend a right in a legal claim is a legal basis for data processing. In particular, Article 6 par. 1 lett. f) GDPR refers to the legitimate interest of the data controller, and defending a right falls within the notion of legitimate interest. So your organization does not need consent to process that personal data.
Article 6 paragraph 2 GDPR also has a link to Chapter IX of the EU GDPR where, in Article 88 GDPR, there is a reference to data processing in the workplace. Data processing in the workplace and in court trials are devolved to Member State legislation, so the practical possibility of using the message as evidence in a judicial trial will depend on your specific legal system. For example, in Italy, where I am located, under the Italian privacy implementation law the controller could use the message as evidence.
Here is some information about consent and data processing in the workplace:
If you need to understand more about EU GDPR, you can consider enrolling in our free EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/
Thank you Rhand, your answers are helpful.