The main question here is who certified the medical devices (in your case dental instruments). Who has the CE certificate? You mentioned that you do not sell under your own name. In that case, the comment from the EU AR company is right. An EU AR can be a representative only for the products and the company that puts the products on the market.
If I understand your situation correctly, you are an outsourced producer for the company that puts dental instruments on the market. In that case, you do not need an EU representative.
Yes, on the label you can state that *** is a contract manufacturer or a place of production (using the white factory symbol).
I agree with you, the organizational side can make the difference in increasing compliance and awareness about security and GDPR requirements. Setting an access policy determining the level of confidentiality of documents and persons allowed to access or modify them is a good security measure.
Another organizational measure is to set the rules of data processing for your employees with a data protection policy, and also an IT security policy in order to define some technical aspects, like software that is not allowed in your organization's IT system.
Thinking about the storage you mentioned, keeping all data on your laptop can expose you to a data breach in case the laptop stops working or something happens to the data, so if you decide to follow this path, implement a backup solution.
Another approach is to keep data in the cloud, setting access levels for your employees and increasing the possibility to work from anywhere. In this case, consider installing a VPN in order to protect access and navigation and, of course, set access levels for your employees.
Here you can find some information about starting the compliance process:
If you want to learn how personal data are processed under the EU GDPR you may consider enrolling in our free training EU GDPR Foundations course: https://advisera.com/training/eu-gdpr-foundations-course/
I’m assuming you are referring to an ISO 27001 certified information security management system.
Considering that, you should consider looking at these templates:
These articles will provide you with a further explanation about measurement and management review:
I have a query. Does ISO have a standard that links information security to Teleworking or Home Working?
ISO 27001, the ISO standard for information security management systems, has information security controls that can be applied to Teleworking or Home Working. Additionally, there is ISO 27002, a supporting standard that provides guidelines and guidance on the implementation of such controls.
To see what a document covering Teleworking or Home Working based on ISO 27001 looks like, please access the free demo at this link: https://advisera.com/27001academy/documentation/mobile-device-and-teleworking-policy/
These articles will provide you with a further explanation about telework:
You need to confirm this information with your certification body, but if the ISO 27017 and ISO 27018 controls were audited during your ISO 27001 certification audit, this information can be included in your customer certificate.
These articles can provide further information:
The difference between ISO 27001 Annex A and ISO 27002 is that while ISO 27001 Annex A defines control objectives, ISO 27002 provides orientation and guidance on how to implement the controls listed in ISO 27001 Annex A (the control objectives are exactly the same in both standards).
This article will provide you with a further explanation about ISO 27001 and ISO 27002:
- ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
This material can also provide additional information:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
Thank you for this. I am confused though. I realize that ethnicity is a "special category" of "personal data" but if we don't collect any PII (name, email, IP address, etc) then how is the data subject to exercise their rights for the erasure of the data? We have nothing to specifically identify the data record after the survey has been completed.
Unless your client has specific legal requirements (e.g., laws, regulations, or contracts) demanding a separated set of documentation, integrating common documents of both ISO 9001 and ISO 27001 is recommended, to avoid unnecessary duplicated documents (e.g., a procedure for document and record control, internal audit, etc.).
Regarding the integrated toolkit for ISO 9001 and ISO 27001, this one is not available, but you can use the documents referred to in the paper you downloaded as guidance.
These articles will provide you with a further explanation about integrated systems:
This material will also help you regarding ISO 27001 and ISO 9001:
RTO (Recovery Time Objective) is defined based on how fast you want to resume your operations after a disruption, while RPO (Recovery Point Objective) is defined based on how much data you can afford to lose due to a disruption.
For example, if an application has an RTO of 1 day and an RPO of 4 hours, it means that this application can be recovered (resume normal operation) in one day, but the information from the last 4 hours before the interruption occurred will be lost.
Business Continuity strategies refer to high-level actions to be developed to achieve defined continuity objectives.
For example, to ensure the objective of recovering operations in a defined timeframe, the strategy adopted may be the use of an alternative site. Another example is a backup strategy (which could be incremental, differential, etc.).
Testing and exercising are activities performed to find what doesn’t work in your business continuity in a controlled situation. In other words, when you lack real incidents, you create simulated ones to be able to improve your plans.
These articles will provide you with a further explanation about these concepts:
This material will also help you regarding business continuity:
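To make the RTO/RPO and backup-strategy points above concrete, here is an added Python example (not part of the original answer) that, for a constructed backup schedule, works out the restore chain an incremental or a differential strategy needs after a disruption, the resulting data loss and recovery time, and whether the 24 h RTO and 4 h RPO from the answer are met; the schedule, the 30 min per restore and the disruption time are assumed values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Backup:
    taken_at: datetime
    kind: str  # "full", "differential" or "incremental"


def make_schedule(first_full, days, kind, every_hours):
    """Hypothetical schedule: one full backup, then one backup of `kind` every `every_hours` h."""
    backups, step = [Backup(first_full, "full")], timedelta(hours=every_hours)
    t = first_full + step
    while t < first_full + timedelta(days=days):
        backups.append(Backup(t, kind))
        t += step
    return backups


def restore_chain(backups, disruption):
    """Backups to restore, oldest first; [] when no full backup exists (not recoverable)."""
    usable = sorted((b for b in backups if b.taken_at <= disruption),
                    key=lambda b: b.taken_at)
    fulls = [i for i, b in enumerate(usable) if b.kind == "full"]
    if not fulls:
        return []
    chain, later = [usable[fulls[-1]]], usable[fulls[-1] + 1:]
    diffs = [b for b in later if b.kind == "differential"]
    incs = [b for b in later if b.kind == "incremental"]
    if diffs:  # a differential holds every change since the last full backup
        chain.append(diffs[-1])
        incs = [b for b in incs if b.taken_at > diffs[-1].taken_at]
    chain.extend(incs)  # each incremental only holds changes since the previous backup
    return chain


def assess(backups, disruption, minutes_per_restore, rto_hours, rpo_hours):
    """Compare worst-case data loss and recovery time with the RPO and RTO."""
    chain = restore_chain(backups, disruption)
    if not chain:
        return {"recoverable": False}
    data_loss_hours = (disruption - chain[-1].taken_at).total_seconds() / 3600
    recovery_hours = len(chain) * minutes_per_restore / 60
    return {"recoverable": True, "restores": len(chain),
            "data_loss_hours": data_loss_hours, "recovery_hours": recovery_hours,
            "rpo_met": data_loss_hours <= rpo_hours, "rto_met": recovery_hours <= rto_hours}


def demo():
    """Constructed scenario: full backup Sunday 00:00, one backup every 4 h, disruption Tuesday 10:00."""
    sunday, disruption = datetime(2024, 6, 2), datetime(2024, 6, 4, 10)
    return {kind: assess(make_schedule(sunday, 7, kind, 4), disruption, 30, 24, 4)
            for kind in ("incremental", "differential")}
```

Both strategies lose the same 2 h of data here, but the incremental chain needs 15 restores against 2 for the differential one, which is the trade-off between backup size and recovery time that the RTO has to accommodate.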
Hi, just following on from the webinar last week regarding the Certification Process (which was very good, thank you). I've a couple of questions if that's OK:
1 - Training / Awareness
Prior to the webinar we had been led to believe that our planned approach, namely:
- Publish the IS policy & notify everyone it is available, but not actually record who has read it
- Publish a number of awareness bulletins and encourage people to discuss them at team meetings
- Run a small number of online sessions whereby information on various aspects of ISO 27001 / Information Security is presented. The attendee list for these events would be retained
would be sufficient. Would you agree with that or, as I think you implied, would the auditor expect that we had a more formal approach to training, with people being recorded against the training sessions they have completed?
Please note that while your proposed approaches cover the communication from organization to employees, you are not considering an approach to ensure employees have understood your message, i.e., that they understand the importance of information security, the impacts in case it is compromised, and what they can do to protect information.
So, you should also consider the application of small quizzes or other methods to evaluate employees' understanding.
For further information, see:
2 - Internal Auditor
Is it mandatory that the internal audit is carried out by a certified auditor (whether that’s an internal member of staff that’s been trained or a 3rd party retained for the audits)? One thought was that following the first initial audit where we would use a qualified third party we would compile questions that would need to be completed for subsequent audits. Selected people would then take those questions round the business at the appropriate time – though they would not necessarily be accredited.
Any information you can give would be greatly appreciated.
Thanks
You do not need a certified auditor to perform an internal audit, provided that you can evidence their audit competencies by other means, like previous experience or formal education in auditing.
These articles will provide you with a further explanation about internal auditors:
These materials will also help you regarding internal audit: