
  • Transfer of personal data under GDPR

    Yes, it would be a data controller even before entering into a contract, because the third-party service provider will be free to decide the purposes and means of the processing of personal data belonging to the potential customer.

    Here you can find more information on the role of processor and controller:

    If you want to learn how to process data under the EU GDPR, you may consider enrolling in our free training EU GDPR Foundations course: https://advisera.com/training/eu-gdpr-foundations-course/

  • GDPR Checkpoints in ISO 27001 Audit Checklist

    Controls from ISO 27001 Annex A that can help with the verification of GDPR compliance are:

    • Controls from section A.8 (Asset Management), especially control A.8.2.1 (Classification of information)
    • Controls from section A.14 (System acquisitions, development, and maintenance)
    • Controls from section A.15.1 (Information security in supplier relationships)
    • A.16.1 (Management of information security incidents and improvements)
    • A.18.1.1 (Identification of applicable legislation and contractual requirements)
    • A.18.1.4 (Privacy and protection of personally identifiable information)

    This article will provide you with a further explanation about ISO 27001 and GDPR:

  • Statement of Applicability

    Please note that this control refers not only to laws but also to agreements (e.g., contracts) and regulations, so you need to also verify these elements. For example, you may have a contract with a customer or a supplier defining requirements for cryptography, or some regulation applicable to your industry may define requirements for cryptography.

    In case there are no agreements or regulations applicable to your organization, then you can record these controls as an exclusion in your SoA.

    This article will provide you with a further explanation about the SoA:

    These materials will also help you regarding the SoA:

  • ISO Certified Auditor

    Depending upon the training provider, there are two options:

    1. attend an ISO 22301:2019 transition course, if you are already a certified ISO 22301:2012 lead auditor, where you will learn about the changes in the standard and how to perform an audit considering these changes
    2. attend an ISO 22301:2019 lead auditor course, where you will perform all the steps to requalify yourself as a lead auditor (i.e., attend the course, execute course activities, and take the final exam).

    Please note that, due to the number of changes in the new ISO 22301:2019, this qualification is not very important if you want to work as a consultant, but this is very important if you want to work as an auditor.

    These articles will provide you with a further explanation about ISO 22301:2019:

  • Is consent obligatory for our products?

    You should use a contract as a legal basis to provide your service. The processing of data through sensors seems essential to make the device work, and so it is necessary to provide the service. If you use a contract as a legal basis and the user refuses to agree with the data processing, you can deny the use of the service, since the processing of personal data is necessary.

    Here you can find more information on GDPR extraterritorial effect and on consent:

    If you need to understand how to process consent under GDPR, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/

  • Transfer mechanisms

    You should use Standard Contractual Clauses (SCCs) as an annex to the contract with the US data importer. SCCs should be implemented by adequate safeguards, like encryption or pseudonymization, and contractual measures.

    If you need to know more about how to transfer data to third countries under the EU GDPR, here you can find more information:

    You can also consider enrolling in this free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/

  • Regarding intended purpose or intended use

    Both terms are used in the MDR. The term intended purpose should be inserted in the technical documentation, i.e., in the product description and instructions for use. Intended use can also be used in the clinical evaluation and other documents.

  • Conformio number of documents

    Please note that some documents from the toolkit are now embedded in some Conformio modules (e.g., the Risk Assessment and Treatment Table is embedded in the Risk Register module, and the audit program, audit checklist, and audit report are embedded in the Audit module). In case of need, you can export this information to documents.

    Regarding templates for policies and procedures related to ISO 27001 Annex A, all templates available in the toolkit are also available in Conformio. They will be displayed according to the results shown in the Statement of Applicability (i.e., related to the results of risk treatment and applicable legal requirements). In case all controls are identified as applicable in the SoA, you will have access to the same templates available in the documentation toolkit.

  • Scope question

    1 - Our owner/parent company (***) is also our supplier for several IT services (e.g., network). They define rules and settings that automatically apply to us (in their role as owner). However, in their role as supplier they would have to adhere to the standards we (subsidiary = ***) set for them, correct? How should we formulate this in our ISMS scope and how should we treat it in the SoA?

    Answer: Please note that this question about rules, settings, and standards does not apply to the definition of the ISMS scope.

    In the definition of the scope, you only need to mention that your IT services are outsourced (you do not even need to identify the provider in the scope). The detailed information about the outsourcing situation is used when performing a risk assessment.

    For further information about scope, see:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    Regarding your scenario, as the owner/parent company, your “supplier” will have the last word on any setting you define regarding the provided services, so you need to agree with them on whether these settings are needed (based on the results of the risk assessment and applicable legal requirements) and feasible. In this situation you have two possible scenarios:
    - they agree with your settings and create specific rules for your organization.
    - they do not agree with your settings, and you will need to evaluate the related risks to decide on another way to treat them.

    2 - And are there any recommendations regarding how such a relationship should be clearly formulated in an SLA?

    Answer: The fact that your owner/parent company is also your IT supplier does not affect the regular content an SLA should cover, so you need to define in your SLA items like service description, scope, supported performance, contacts, etc.

    This article will provide you with a further explanation about SLAs:
    - What’s the content of an ITIL/ISO 20000 SLA? https://advisera.com/20000academy/blog/2016/06/14/whats-the-content-of-an-itiliso-20000-sla/

  • Module 9 - reviewing documents off-site

    You are partially correct. While some documents can be classified in a way that forbids them from leaving the premises, you may need to make such documents available to the internal auditor when he is off-premises (e.g., during a remote audit due to the pandemic) because they are related to mandatory clauses or are paramount to evaluating a specific control. In these cases, you need to evaluate the related risks and implement proper controls to decrease the risks to acceptable levels (e.g., sign a specific NDA, provide access only to the electronic version through a secure connection to your network, etc.).

    These materials will provide you with a further explanation about remote audits:
