
  • 17025: 2017 differences

    You asked

    I need to know if there are any differences between the FINAL DRAFT version and the one that was actually issued?

    Please note that both the Final Draft International Standard (FDIS) and the final published document are copyright protected. The FDIS is circulated to all ISO members for an 8-week vote. For more details on the various ISO stages to publication, see https://www.iso.org/stages-and-resources-for-standards-development.html
    I cannot provide a comparison. Although you will see ISO state that "Only editorial corrections are made to the final text", these corrections can have a significant impact on the interpretation and required implementation steps for the laboratory. ISO state that from FDIS to Publication stage, the project leaders may submit comments on the FDIS. Then the committee managers and project leaders get a two-week sign-off period before the standard is published.

    You also asked

    So if someone uses the final draft as guidance, are there any changes that they can be held to?

    ISO 17025:2017 requires the laboratory to have

    • the available resources necessary to manage and perform its laboratory activities (Clause 6.1)
    • relevant versions of all applicable documents to be available at points of use.

    This will clearly include the need to have the latest version of ISO 17025:2017. 
    For further information on ISO 17025 requirements, see the following:

    The whitepaper Clause-by-clause explanation of ISO 17025:2017 at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025/
    The ISO 17025 toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/
     

  • Question about joint controller

    It depends on how you intend to structure the application and how data will be processed.

    If you decide how data will be processed by the app, you can be the data controller of the users' data, while the shop will be the data controller of the users who purchased something on its shop for its own purposes (i.e., billing, shipping, marketing); in that case you may be separate controllers (you for the app, the seller for the single mall). Instead, if the data are connected and you jointly determine how data will be processed, then you will be joint controllers.

    Here you can find more information on data controller:

    If you need to know how to implement EU GDPR, you may consider enrolling in our free EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/

  • Does ISO 17025 cover dimensions measured of a product sold?

    ISO 17025:2017 is the applicable standard for all non-medical testing and calibrations, including dimensional tests such as length.  Depending on the country and accreditation body, the laboratory’s testing scope will fall under, for example, the Dimensional Testing program of the accreditation body for ISO 17025 accreditation.  Note that because there are many ISO standards for packaging, including medical devices and other high-risk goods, the client laboratory is responsible for ensuring the specific requirements of standard test specifications are met.

    Perhaps you do not need accredited tests for dimensions but just want assurance in verifying the measurements? In that case, testing accreditation may not be necessary, but the calibrated measuring devices used for testing must be suitable for use (e.g., resolution, range and precision). The laboratory calibrating the devices should be accredited as an ISO 17025 calibration laboratory for dimensional metrology (length) and provide ISO 17025 compliant calibration certificates.

    For general information regarding ISO 17025, have a look at the article What is ISO 17025? at https://advisera.com/17025academy/what-is-iso-17025/

  • Document 14.1

    I’m assuming you are referring to Appendix 1 – Specification of Information System Requirements.

    Considering that, you should create this record for each software listed in your Risk Treatment Table for which you have identified risks that need to be treated by control A.14.1.1 (Information security requirements analysis and specification). Please note that these records can be created either for each individual software or as a single record for a set of software which share the same security requirements.

    Considering the software under development, you need to create a record for each new version (this will help you track the changes and evolution in security requirements).

    For further information, see:

  • Security and Privacy

    ISO 27001 is a management framework for the protection of information in general, and does not cover specifics related to privacy and medical data that depend upon the defined requirement (e.g., GDPR, HIPAA, etc.).

    Considering that, ISO 27001 may not be enough to ensure fulfillment of privacy requirements. In this case, you should consider using additional ISO 27001 supporting standards, like ISO 27701 (for privacy protection) and ISO 27799 (for health organizations).

    For further information, see:

  • Risk Assessments for Early Start up

    ISO 27001 does not prescribe assets and threats to be used for risk assessment, so you should consider assets and threats regarding your own organizational context (e.g., industry, adopted technologies, etc.). Without this kind of information it is not possible to provide a more detailed answer.

    What we can say at this moment is that you should avoid using such broad categories, because assets/threats related to them may require different treatment approaches. For example, in software, you can have off-the-shelf software and internally developed software. For the network, you can have firewalls and switches. As for the environment, you may have fire and flood.

    Included in your toolkit you have a Risk Assessment Table with lists of assets, threats, and vulnerabilities commonly used in information risk assessment. It is located in folder 05 Risk Assessment and Risk Treatment. Additionally, you have access to a video tutorial that can help you perform risk assessment, using real data as an example.

    These articles will provide you a further explanation about risk assessment:

  • Videos and names

    EU GDPR requires the data controller, when processing personal data (i.e., the names of participants in a Zoom lesson), to inform the data subjects about the use of personal data. If the data controller aims to modify and add some further use (i.e., publishing the video on Youtube), it shall inform the data subjects and require their consent. Of course, it is needed to have consent from the students mentioned. Another solution can be to anonymize the video by editing the lesson and removing the name of the student. In that case, since only your voice is in the video, it may be published.

    Here you can find more information about consent:

    If you need to understand how to comply with the EU GDPR and manage consent you can consider enrolling in our EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/

  • GDPR query

    1. We are a processor and have received a data subject access request via the controller for personal data that is bundled together with personal data from several different persons - how should we respond, because if we provide any information, we would reveal personal data from other data subjects as well?

    Article 28 par 1 h) GDPR requires that the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions. This means that you will inform your data controller, who is in charge of the relationship with the data subject, that the access request should be rejected because it infringes third parties' privacy. The data controller will decide how to behave.

    2. For a company based in the UK, should we register the name of our DPO with the ICO?

    Yes. Consider that a UK-based company is under the UK GDPR since the UK has left the EU.

    If you need more information about the difference between data controller and processors or data subjects rights, here you can find some resources:

    If you need to understand how to comply with the EU GDPR you may consider enrolling in our EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/ 

  • Defining scope of application and scope for ISMS

    The best ways to define an ISMS scope consider the information, processes, or locations you want to protect. An application cannot be defined as an ISMS scope.

    Considering that, for your context, you can define the ISMS scope in terms of:

    • the development and maintenance processes that support the web application
    • the information processed by the web application

    Please note that for companies up to 50 employees, the best alternative is to include the whole organization in the ISMS scope, because the effort to keep only part of the organization in the ISMS scope is not worth it.

    These articles will provide you a further explanation about scope definition:

    These materials will also help you regarding scope definition:

  • ISO 14001 and Fire response

    A fire is a risk in your environmental management system (EMS). Also, fire is an environmental aspect under abnormal situations.

    So, you determine fire as a possible environmental aspect. Is there any mandatory prevention and/or response preparation under your organization's compliance obligations?

    Even without any compliance obligations, your EMS should evaluate the significance of that environmental aspect and its impacts. If it is deemed to be significant, you should consider ISO 14001:2015 clause 8.2 and prevent and/or prepare a response to a possible fire in your facilities.

    You can find more information below:
