  • Scope as a data controller

    Yes, it is correct: you listed the cases in which your company will act as a data controller. In these cases, in fact, you decide the purpose and means of data processing: the management of the employment relationship, your website, and the relationships with your clients and your suppliers. On the contrary, your app provides a service that other companies (your clients) will use, so all data that you collect and process through your SaaS will be processed on behalf of your clients, which is the definition of a data processor.

    As a data controller, you are responsible for fair, transparent, and correct data processing; you need to provide information about your processing, collect consent, and guarantee that data subjects can exercise their rights. You need to comply with all obligations that the GDPR requires the controller to comply with, as stated in Article 24 GDPR.

    Here you can find more information about the distinction between the data controller and data processor:

    If you want to learn how to comply with EU GDPR requirements you may consider enrolling in our free training EU GDPR Foundations course: https://advisera.com/training/eu-gdpr-foundations-course//

  • Concern points 4 and 5 of document procedure for document and record

    Regarding section 4, please note that in clause 7.5.3, ISO 27001:2013 explicitly requires you to control documents of external origin that are important for your ISMS, and this section defines how you fulfill this requirement. External documents are any documents not owned or controlled by an organization that are required for its operation, either mandatorily or voluntarily adopted. Examples of external documents to be controlled are laws (e.g., SOX and EU GDPR), standards and regulations (e.g., ISO 27001 itself), and documents and records from customers, suppliers, and partners (e.g., contracts, service agreements, product/service specifications, operation manuals, etc.).

    Regarding section 5, it defines how the incoming mail register is stored and protected. The incoming mail register is not a mandatory document, so you can simply have a table where you register who received some important external document, or where such a document is stored.

    This article can provide you with additional information:

    This material will also help you regarding control of documents:

    • Free video tutorial that you received as part of your toolkit: How to Write ISO 27001/ISO 22301 Document Control Procedure

    This material will also help you regarding document management:

  • Trends in OH & S Performance

    Thank you very much for the explanation. This is really helpful.

  • Best practice approaches related to the Asset Inventory

    In case these SaaS accounts are used to access or handle information that is part of the ISMS scope you are working on, the best approach would be for you to include them as outsourced services in your inventory. In case all these accounts refer to the same service, you only need to add a single register in your inventory (e.g., SaaS solutions for data storage, e-mail, collaborative software, etc.).

    This article will provide you with a further explanation about asset management:

  • ISO 9001 and ISO 17025 certification

    No, having ISO 9001 certification does not mean a laboratory has ISO 17025 accreditation. ISO 9001 certification is an acknowledgement that the laboratory has successfully implemented a quality management system in accordance with the requirements of the ISO 9001 standard. This is not the same as achieving ISO 17025 accreditation. ISO 17025 has requirements that include the ISO 9001 management components, but also many others related to technical competency.

    For more information, see ISO 17025 – Main guidelines at https://advisera.com/17025academy/what-is-iso-17025/ and the article ISO 17025 vs. ISO 9001 – Similarities and differences at https://advisera.com/17025academy/blog/2019/07/11/iso-17025-vs-iso-9001-main-differences-and-similarities//

  • Difference between controls

    Please note that ISO 27001 requirements for the Information Security Policy (clause 5.2) do not prescribe that controls need to be implemented based on the Information Security Policy. The purpose of the Information Security Policy is to set the organization’s high-level expectations for information security (e.g., information security objectives, fulfillment of legal requirements, commitment, etc.).

    The definition of controls to be implemented is prescribed by clause 6.1.3 “b” (information security risk treatment).

    This article will provide you with a further explanation about the selection of controls:

    These materials will also help you regarding selection of controls:

  • ISO for reputation management

    ISO has not released any new information about a standard for reputation management, but by searching on its site we found three standards that may help you:

    • ISO 10668:2010 Brand valuation — Requirements for monetary brand valuation (https://www.iso.org/standard/46032.html): this published standard can help you evaluate your brand and report the results of such valuation.
    • ISO 20671, Brand evaluation — Principles and fundamentals (https://www.iso.org/standard/68786.html): specifies the fundamentals and principles for brand evaluation, including an integrated framework for brand evaluation containing necessary brand input elements, output dimensions, and sample indicators.
    • ISO/CD 22361 Security and resilience — Crisis management — Guidelines for developing a strategic capability (https://www.iso.org/standard/50267.html): under evaluation, this standard will help you manage situations that can impact the brand value.

    For more information, please read:

  • Necessity of MDD and MDR for contract manufacturing companies

    Sorry for the misunderstanding.

    If you are a contract manufacturer, you need to have implemented ISO 13485. The question here is who certified the medical device. If your marketer is responsible for the CE marking of the medical device, then there is supposed to be a quality agreement between you and your marketer. Mutual responsibilities must be stated in that agreement.

    You can find a template of that agreement in our documentation toolkit at the following link:

    Also, as a contract manufacturer, be ready for the notified body for CE marking to audit your company as part of the marketer's audit. It means that the whole audit according to the necessary requirements for production and additional services from ISO 13485 will be performed at your company.

    There are no strict requirements that you need to be certified according to the ISO 13485, but your marketer as CE mark holder must be.

  • Comprehensive Information Security Implementation

    Please note that ISO 27701 and ISO 27001 are management system standards, i.e., they define management system requirements and controls for privacy information management and information security management, respectively, while other standards from the ISO 27xxx series, like ISO 27002, ISO 27035, etc., provide orientation and guidance for their implementation (both for the main requirements and for the security controls).

    Considering that, they can make your implementation of ISO 27701 easier, but they are not mandatory for the implementation of ISO 27701.

    These articles will provide you with further explanation about ISO 27001 and ISO 27701:
    - What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
    - Relationship between ISO 27701, ISO 27001, and ISO 27002 https://advisera.com/27001academy/blog/2019/12/10/relationship-between-iso-27701-iso-27001-and-iso-27002/

    These materials will also help you regarding ISO 27001:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - ISO 27001 vs. ISO 27701 matrix (PDF) https://info.advisera.com/27001academy/free-download/iso-27001-vs-iso-27701-matrix
