
  • CISO and document management

    1. Is it okay if a Chief Information Security Officer (CISO) also releases documents (instead of the CEO)?

    Answer: I’m assuming that by “releases” you mean “approves”.

    Considering that, apart from the Information Security Policy, which needs to be approved by top management (usually the CEO when the scope is the whole organization, or the top role in the ISMS scope when the scope does not cover the whole organization), ISO 27001 does not prescribe who needs to approve documents, so other documents can be approved by the CISO.

    If by "release" you mean making documents available and communicating them to relevant personnel, these activities are usually performed by roles like the CISO or the quality manager (top management usually only approves documents).

    For further information, see:
    - Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/
    - What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/

    This material will also help you regarding document management:
    - Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/


    2. Can we omit the chapter "Managing records kept on the basis of this document" for the document "00_Procedure_for_Document_and_Record_Control"?

    Thank you in advance!

    Answer: In theory, you can, but since it is highly unlikely that an organization does not require any document of external origin for the purposes of its ISMS, you would need to register how to handle incoming mail (which is the record suggested for this section in this procedure) somewhere else, which would only increase your effort to maintain documentation.

    Examples of external documents to be controlled are laws (e.g., SOX and the EU GDPR), standards and regulations (e.g., ISO 27001 itself), and documents and records from customers, suppliers, and partners (e.g., contracts, service agreements, product/service specifications, operation manuals, etc.).

    For further information, see:
    - Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/

  • PECR and GDPR

    The Privacy and Electronic Communications Regulations (PECR) are the UK implementation of the e-Privacy Directive and cover the use of cookies and similar technologies for storing information on, and accessing information stored on, a user's equipment such as a computer or mobile device.

    If you are located in the UK and PECR applies to you, you will probably need to refer to the UK GDPR too. Under these regulations (EU GDPR, UK GDPR, and PECR), the legal ground for marketing purposes is always consent under the GDPR. Legitimate interest may cover so-called soft spam, which is information provided on purchased products without a call to action, or a general introduction of the company and the services/products it offers without a call to action in a B2B context.

    Here you can find more information on how to perform marketing activities under the GDPR:

    If you need to understand how to comply with GDPR you may consider enrolling in our free EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
  • Xl sheet

    All Type A and Type B standard uncertainties must be combined to calculate the combined standard uncertainty and then an expanded uncertainty. The specific mathematical and statistical aspects are not part of the scope of the ISO 17025 Academy toolkit. I suggest you look at sector guidelines and the references in the ISO 17025 Toolkit. The Evaluation of Measurement Uncertainty Procedure and associated checklists at https://advisera.com/17025academy/iso-17025-documentation-toolkit/ guide you on what is required to meet ISO 17025 requirements.

  • Stage 1 and stage 2 in internal audit

    Specific questions will depend on each audited control, but generally speaking, the questions are related to:
    - how actions are performed, e.g., "How do you perform backup procedures?"
    - information knowledge, e.g., "What can you tell me about the information security policy?"

    Additionally, verifications can be made by observing behavior, like asking someone to do something that takes him/her away from his/her workstation and seeing whether the person locks his/her computer when he/she leaves, or by asking for a demonstration of evidence, like asking to see the incidents reported last week.

    The important thing is that audit questions are open questions, i.e., they cannot be answered simply with a Yes or No; the answer needs to be developed by the auditee.

    In the ISO 27001 Internal Auditor Online Course you bought, you can find more details in Module 10 - The main audit, "Interviewing techniques".

    These articles will provide you with a further explanation of auditor questions:

    - Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/
    - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

  • Data Protection Legislation

    I am afraid that you will need a Data Protection Officer and a Data Protection Impact Assessment, because your organization is going to process health data on a large scale, and health data belongs to a particular category of data under Article 9 GDPR.

    Here you can find more information about the DPO and the DPIA process:

    If you need to know how to implement GDPR in your organization you can consider enrolling in our free EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

  • Requirement for Post Market Surveillance

    Article 83 (Post-market surveillance system of the manufacturer) states that, for each device, manufacturers shall plan, establish, document, implement, maintain and update a post-market surveillance system in a manner that is proportionate to the risk class and appropriate for the type of device. Then, Article 85 (Post-market surveillance report) states that manufacturers of class I devices shall prepare a post-market surveillance report summarising the results and conclusions of the analyses of the post-market surveillance data gathered as a result of the post-market surveillance plan.

    Therefore, class I medical devices are not exempt from the post-market surveillance system.

    More information on the post-market surveillance system can be found at the following link:

    • What are the post-market surveillance requirements in the MDR? https://advisera.com/13485academy/blog/2021/04/29/what-are-the-post-market-surveillance-requirements-in-the-mdr/

  • Integration ISO 13485 & ISO 9001

    No, we have not integrated ISO 9001 and ISO 13485. It is not necessary to have both standards. ISO 13485 is a quality management standard made specifically for medical device manufacturers. Some manufacturers also have ISO 9001, so we left ISO 9001 in the References for them.

    If you want to get the ISO 9001 toolkit, you may not need to buy the whole toolkit, only the documents in which ISO 9001 differs from ISO 13485.

    Here you can find an article regarding the similarities and differences between ISO 9001 and ISO 13485:

    • Similarities and differences between ISO 9001:2015 and ISO 13485:2016 https://advisera.com/9001academy/blog/2015/01/21/iso-9001-vs-iso-13485/

  • Processor / Controller

    "Hello, first of all thank you for your reply. I would like to ask you a few things about the role of the "processor". What does the "processor" do with regard to the collection of personal data? Who can be considered a "processor" within a company? Can the "processor" role be held by an external party?"

    The processor (responsabile del trattamento) is an external party that processes data on behalf of the controller (titolare del trattamento); it may also collect data (for example, a lead-generation service provider). It is usually the provider of a service (for example, the cloud service hosting the company's data is an example of a processor, as is the payroll office that prepares employees' payslips on behalf of the employer). It is not an internal role within the company.

    Perhaps I am confusing the legal translation of "Processor" from English into Italian.

    "Processor" should be Responsabile del trattamento, while the "Controller" is the Titolare del trattamento. Correct?

    Exactly.

  • Post-market surveillance

    This is a really helpful response to the question.
