Search results

  • Clause 5.1 / internal audit

    To evidence fulfillment of clause 5.1, you need to look for evidence like:

    • management meeting minutes, where decisions like approval of information security policy and of information security objectives are recorded.
    • policies and procedures, where you can find definitions of security roles and responsibilities.
    • performance reports, where you can find the results related to information security objectives.

    Examples of questions can be found in the internal audit checklist template included in your toolkit, in the Internal Audit folder.

  • ISO 27001 questions

    1 - We are a translation company and have only identified one general entry - our customers - in the list 02.01 of statutory official contractual requirements. Could you tell us if this is enough?

    We are not legal experts, and without more information about your scope, we cannot provide a more robust solution.

    Please note that you may have other interested parties that may define requirements for information security, such as suppliers and the government. Additionally, as a translation company, you may have requirements regarding how translations should be performed (and if you do not comply with these, your translations may have information integrity issues).

    Considering that, we advise you to hire legal expert advice to help you identify these requirements.

    2 - We obtain standard services from our service providers and do not always negotiate individual contracts. Is it sufficient for our certification if our service providers are themselves certified according to ISO 27001?

    It is not enough that your service providers are certified according to ISO 27001. You need to ensure they treat the risks you identified as relevant to them in the way you expect (e.g., if unauthorized access to information is a relevant risk to you, you need to ensure they treat this risk properly). This is normally handled by defining a contract or service level agreement with them that includes information security clauses covering the risks you want them to treat.

    3 - As a small company, management and IT have double roles of responsibility, so that the separation of duties is not always possible. Did we take this into account correctly in the documents? How is this to be dealt with in general?

    When separation of duties is not feasible for treating the relevant risks, you need to consider compensatory controls, such as monitoring activities and management supervision, to ensure that even without segregation of duties the identified risks are properly handled.

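
    As an added example (not part of the answer above), this is what the "monitoring activities" compensating control can look like in practice for a small company: a check run over a change-log extract that flags every change where one identity both requested and approved it, or approved and implemented it, and groups the findings by approver for management supervision. Changes for which management has recorded a documented exception are accepted and not reported. The CSV format, the column names and all records are constructed for the example.

```python
"""Monitoring as a compensating control where separation of duties is not possible.

Added example, not from the original answer. The change-log format and all
records below are constructed; they are not from any real system.
"""
import csv
import io

# Constructed change-log extract: one record per change (hypothetical format).
CHANGE_LOG = """\
change_id,requested_by,approved_by,implemented_by,system
CHG-1001,alice,bob,alice,erp
CHG-1002,bob,bob,bob,firewall
CHG-1003,carol,alice,carol,vpn
CHG-1004,alice,carol,carol,erp
"""


def load_changes(text):
    """Parse the CSV extract into a list of dicts, one per change."""
    return list(csv.DictReader(io.StringIO(text)))


def sod_violations(changes, documented_exceptions=frozenset()):
    """Return (change_id, reason) pairs for changes that break the two pairings a
    small company usually still wants kept apart: requester vs approver and
    approver vs implementer. Changes whose exception was signed off by
    management (documented_exceptions) are accepted and not reported."""
    findings = []
    for c in changes:
        if c["change_id"] in documented_exceptions:
            continue
        if c["approved_by"] == c["requested_by"]:
            findings.append((c["change_id"], "self-approved request"))
        if c["approved_by"] == c["implemented_by"]:
            findings.append((c["change_id"], "approver also implemented"))
    return findings


def supervision_report(changes, documented_exceptions=frozenset()):
    """Group findings by approver for the management review, so the reviewer
    sees who is accumulating unsupervised dual-role changes."""
    approver_of = {c["change_id"]: c["approved_by"] for c in changes}
    by_approver = {}
    for change_id, reason in sod_violations(changes, documented_exceptions):
        by_approver.setdefault(approver_of[change_id], []).append((change_id, reason))
    return by_approver


if __name__ == "__main__":
    changes = load_changes(CHANGE_LOG)
    for approver, items in supervision_report(changes).items():
        print(approver)
        for change_id, reason in items:
            print(f"  {change_id}: {reason}")
```

    The point of the exception list is that the control stays auditable: a dual-role change is either flagged for supervision or covered by a recorded management decision, and the review output is the evidence that the compensating control actually operated.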
  • Asset inventory

    First, it is important to note that an asset inventory is required for ISO 27001 only if:

    • there are unacceptable risks whose treatment demands such an inventory
    • there are contracts, laws, or regulations you have to follow which demand such an inventory
    • there is a top management decision demanding such an inventory

    If none of the above-mentioned situations occurs, then there is no need to keep such inventory.

    In case the inventory is required, the assets to be included are those that can affect the information you want to protect. For example, if you want to protect R&D information, you need to identify on which servers, networks, and workstations this information flows through, is processed, or is stored.

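
    As an added example (not part of the answer above), the following shows the approach just described turned into a small, checkable procedure: you declare the information you want to protect and the path it takes through the environment, and the asset inventory is derived from that rather than typed in by hand. It also runs the three checks a practitioner would want on the result: assets that carry no protected information (candidates to leave out of scope), in-scope assets with no recorded owner, and assets shared by more than one information type. All asset names, owners and flows are constructed for the example.

```python
"""Deriving the asset inventory from the information you want to protect.

Added example, not from the original answer. Every asset name, owner and
information flow below is constructed; none describes a real environment.
"""

# Constructed: each protected information type and the assets it touches,
# as (asset, how-the-information-is-there) pairs.
PROTECTED_INFORMATION = {
    "R&D designs": [
        ("wks-eng-01", "processed"),
        ("net-eng-vlan", "flows through"),
        ("srv-git-01", "stored"),
        ("srv-backup-01", "stored"),
    ],
    "Customer contracts": [
        ("wks-sales-02", "processed"),
        ("net-office-vlan", "flows through"),
        ("srv-file-01", "stored"),
        ("srv-backup-01", "stored"),
    ],
}

# Constructed asset register fragment; srv-file-01 has no owner recorded.
ASSET_OWNERS = {
    "wks-eng-01": "Engineering manager",
    "net-eng-vlan": "Network administrator",
    "srv-git-01": "IT operations",
    "srv-backup-01": "IT operations",
    "wks-sales-02": "Sales manager",
    "net-office-vlan": "Network administrator",
}

# Everything known to exist, including an asset that touches no protected information.
ALL_KNOWN_ASSETS = set(ASSET_OWNERS) | {"srv-file-01", "printer-lobby"}


def derive_inventory(flows):
    """Map each asset to the protected information it can affect and how.
    An asset is in the inventory only because some protected information
    is processed, stored on, or flows through it."""
    inventory = {}
    for information, path in flows.items():
        for asset, how in path:
            inventory.setdefault(asset, {})[information] = how
    return inventory


def out_of_scope(all_assets, inventory):
    """Known assets that carry no protected information: candidates to exclude."""
    return sorted(set(all_assets) - set(inventory))


def missing_owners(inventory, owners):
    """In-scope assets with nobody responsible for them; fix before the audit."""
    return sorted(asset for asset in inventory if asset not in owners)


def shared_assets(inventory):
    """Assets carrying more than one information type: one compromise affects all."""
    return sorted(asset for asset, infos in inventory.items() if len(infos) > 1)


if __name__ == "__main__":
    inv = derive_inventory(PROTECTED_INFORMATION)
    for asset, infos in sorted(inv.items()):
        print(asset, "->", ", ".join(f"{i} ({how})" for i, how in infos.items()))
    print("out of scope:", out_of_scope(ALL_KNOWN_ASSETS, inv))
    print("missing owners:", missing_owners(inv, ASSET_OWNERS))
    print("shared assets:", shared_assets(inv))
```

    Keeping the flows as the source of record, with the inventory derived from them, means that adding a new server to a flow automatically brings it into scope, and removing the last flow through an asset makes it show up as an exclusion candidate instead of silently staying in the inventory.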
  • Risk Management and FMEA

    FMEA is the risk method that best meets all the requirements of ISO 14971:2019, so it is recommended that it be used for class I medical devices.

  • ISO 27001 Beginner

    To help beginners understand, implement and audit ISO 27001, Advisera provides several articles and downloadable materials that can provide guidance.

    Additionally, I suggest you take a look at the free demo of our ISO 27001 Documentation Toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

    This toolkit has the mandatory and most commonly used documents for an ISO 27001 implementation, and they include comments that can help to customize the documents to your organization's needs.

  • Query Regarding Internal Audit

    1 - Can ISMS policies (e.g., Access Control Policy, Human Resource Security Policy, ...) be in scope for the internal audit?

    The internal audit can be performed in terms of implemented ISMS policies. You only need to ensure that all mandatory clauses and applicable controls are audited before the next certification/surveillance audit.

    2 - Can requirements within the ISMS policies be audit criteria, e.g., HR screening criteria (BS7858) as per regulatory requirements?

    First, it is important to note that audit criteria need to be something against which ISMS policies are compared, not something within ISMS policies, so you should think about requirements "applied" to ISMS policies, not "within" them.

    Considering that, requirements used to develop ISMS policies can be used as audit criteria. In your example, BS7858 requirements are the criteria against which you evaluate your HR screening policy.

  • Question about A.7.1.2

    1 - As I have understood it, control A.7.1.2 requires mandatory documentation on both of the above with the organization's own employees.

    I have difficulties to define contractor part of this control. Does the control require mandatory documentation with contractors (on a supplier contract etc.)?

    ISO 27001 does not prescribe mandatory documentation to cover the description of information security responsibilities, so you can adopt the document that best fits your needs (e.g., a contract, a service agreement, a job proposal, a code of conduct, etc.).

    2 - I can see at least two kinds of contractor cases: hired employment (just people from a contractor who is specified in hiring people) and regular IT system vendors (and their own employees) with no employment status with us.

    Is the regular IT system vendor part up to us to freely define in the Supplier Security Policy, or are there mandatory documentation requirements?

    The supplier security policy is defined according to the results of your risk assessment and the applicable legal requirements, and depending on these elements they may have mandatory documents to write.

    For example, if your risk assessment identifies that these vendors need to comply with control A.9.1.1 (Access control policy), then they have to document such policy.

  • Use of shall and must

    Yes, the use of the word "must" is an accepted term in your documentation. In the English language, both "shall" and "must" are verbal expressions that indicate that something is mandatory. ISO International Standards, like ISO 17025, used for conformity assessment contain requirements and use "shall" to describe a mandatory requirement. For example: the laboratory shall document the competence requirements for each function.

    ISO standards only use the word "must" to refer to an obligation on the user of the document (e.g., ISO 17025) due to a country-unique condition or law, or a law of nature, not a requirement of the ISO standard. For example: all buildings in the active seismic area of Los Angeles must be earthquake-resistant.

    This is by agreement of definitions in terms of an ISO directive.

    In the English language, "must" is typically used in everyday speech as a command, necessity or request. That is the reason why "must" is used in a procedure to instruct the user on what is necessary to comply with, so the laboratory can meet a mandatory ISO 17025 "shall" requirement. For example: the laboratory manager must retain the records for determining the competence requirements.

    If you wish, you can define the use of the word "must" in your quality manual or procedures as a mandatory instruction to fulfil the ISO 17025 "shall" requirements.

    Note, too, that anywhere in your documents you state something "is" or some things "are", this is also a mandatory expectation that needs to be met in terms of assessment during internal auditing and for accreditation, i.e. the evidence "must" be available.

    For more information on ISO 17025, see the White paper Clause-by-clause explanation of ISO 17025:2017 at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025

  • Recruitment

    1. Do applicants have to submit a declaration of consent so that recruiters can process their data for the application process? This is a recruiter who does not hire applicants himself, but rather places what is known as direct placement with an employer.

    Yes, collecting the data of applicants is data processing so the recruiter needs to provide a privacy notice and ask consent.

    2. Can the recruiter request a driver card and a copy of the driver's license from the applicant if he wants to refer him to a haulage company? The recruiter wants to check the validity of the documents. The recruiting process takes place exclusively online. The recruiter is the person responsible within the meaning of the GDPR. In the first step, he searches for applicants in his own name. This is a job for a professional driver and a direct placement. The applicant will be hired by the shipping company. How do you behave correctly as a recruiter in this case?

    The recruiter is responsible for all the selection periods, while the hiring company will become the data controller of the data of the selected applicant. Therefore, if there is a need to verify some requirements in order to do the job, the recruiter can ask for evidence of those documents because it is necessary to carry on the selection. The recruiter shall make clear in the privacy notice that a copy of personal documents may be required for certain job positions.

    3. Recruiting takes place online only. The applicant would have to send the documents such as ADR license, driver card and driver's license by email. Is the following clause sufficient to process this applicant's data: "With this declaration I consent to the collection, storage and processing of personal data about me as part of my application process and being transmitted to potential employers"? Or "customers"? Does this declaration of consent have to explicitly mention that the driver's license will be processed? It is a job advertisement for a professional driver.

    The statement is sufficient for all personal data collected through the application process. You don’t have to expressly mention the driver’s license, the reference is to all personal data collected (documents included). Potential employers are the correct definition, better than customers.

    4. Can the recruiter request a copy of the applicant's identity card? The recruiter needs the ID number and series in order to conclude an employment contract with the candidate. How should the recruiter behave GDPR-correctly in this case? The intermediary has no personal contact with the applicant. The applicant would have to send the data by email.

    Yes, the recruiter can request all documents that are necessary to identify and select the candidate. In some fields, a criminal conviction statement may be required. As mentioned before, the recruiter shall inform the applicant about what data and documents will be required in order to prepare the job contract or to forward it to the hiring employer.

    5. How should the recruiter behave if the applicant sends him an unsolicited copy of his ID or a copy of his driver's license by email?

    It depends. If the driver's license or the ID copy is necessary, the recruiter shall inform the applicant that the data will be processed for the hiring process; if the data are not necessary, the recruiter shall inform the applicant that those documents are not required and will be deleted.

    6. Can the recruiter ask for the same candidate data as the employer? The recruiter does not hire the candidates himself.

    Yes.

    7. The recruiter is looking for suitable candidates for more than 6 months. The application process takes longer than 6 months. When do the applicant data have to be deleted in this case? The job advertisement is, e.g., online for 8 months. When does the 6-month deletion period for applicant data start counting?

    At the end of the call for the application period, so after the 8 months.

    8. How long do you have to keep the recruitment contract between the customer (the potential employer) according to the GDPR?

    The GDPR does not fix data retention periods; it depends: until the hiring of a candidate for the data of non-selected applicants, and longer for the hired candidate (if any), in order to have evidence of compliance with the recruiting contract between the recruiter, the agency, and the employer.

    9. How long should I keep the employment contract between the candidate and the recruiter? This is not an employment contract. The placement is free of charge for the applicant. The recruiter receives the commission from the agent.

    Terms of data retention may be fixed by law or depend on the purpose of processing. If the commission is paid by the agent, the recruiter can store the agreement until the time limits for legal proceedings by the agent or the applicant have expired (just to have the evidence that the applicant had been hired). This term varies in each Member State.

    10. I observe with various recruiters that you immediately note in the job advertisement that the applicant should send his résumé including a copy of his driver's license and a copy of his driver's card. Is this allowed? The recruiter is not an employer in this case.

    Yes, it is allowed. You can process all data that are needed to process the application.

    11. Can I ask for a photo of the applicant?

    Yes, if it is necessary or useful for the application, i.e., for some positions it is required.

    If you want to learn how personal data are processed under the EU GDPR you may consider enrolling in our free training EU GDPR Foundations course: https://advisera.com/training/eu-gdpr-foundations-course/

  • Conformio – adding responsibilities

    During the development of your documents through the templates wizards, you will be asked to define some responsibilities for specific tasks, and based on how you want to implement ISO 27001 you can decide which steps to assign to specific departments/roles.

    For example, the Finance head can be assigned when a specific task requires money or that something is bought. A more specific example is the training and awareness plan, where you can define the HR manager as responsible.

    The main point is that ISO 27001 does not prescribe which activities to assign to specific roles, so it leaves organizations free to define them as they see best for themselves.
