Search results

Consultants considered processors?

We have a couple of consultants at our company, most of them working full time. Some of them are hired through a consultacy firm and some of them are self employed. The consultants work according to our policies and processes as any other employee. Some of them work from home and some of them work mainly in the office. Would you consider these cosultants (or the consultancy firm) to be a data processor? I would say that they are not but we have different opinions at my company so just seeking advise. 

Request for guidance

To be compliant with the 2022 revision of ISO 27001, you need to make a new Statement of Applicability with 93 controls.

From your question, it is not clear if your Information Security Management System (ISMS) is certified or not. In case you are searching for certification, you can certify your ISMS against ISO 27001:2013 until October 31, 2023, and there is no need to change your SoA. For certifying after October 31, 2023, you need to be compliant with ISO 27001:2022, and for that, you will need to update your SoA to the 93 control version. 

For further information, see:

• ISO 27001 2013 vs. 2022 revision – What has changed? https://advisera.com/27001academy/blog/2022/02/09/iso-27001-iso-27002/

This material can also help you:

• How to Make the Transition From 2013 to 2022 Revision of ISO 27001 https://advisera.com/27001academy/webinar/transition-iso-27001-2013-to-iso-27001-2022-free-webinar-on-demand/
• ISO 27001:2022 Transition Course https://advisera.com/training/iso-27001-transition-course/

• TIA/TRA assessment tools

  There are not so many TIA/TRA tools in the market, as the term became popular after Schrems II decision, however a well-known Transfer Impact Assessment model is David Rosenthal’s TIA template, shared under Creative Commons license. The model has examples related to personal data transfers to several countries outside EU, but not all of them.

  When an international transfer of personal data occur, if the risks are high, a DPIA should be performed, and you have a DPIA Methodology in the EU GDPR Documentation Toolkit that you already purchased, in Directory 06 – Data Protection Impact Assessment.

  Please consult these links:

  • David Rosenthal template: https://www.rosenthal.ch/downloads/Rosenthal_EU-SCC-TIA.xlsx
  • Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data: https://edpb.europa.eu/our-work-tools/our-documents/recommendations/recommendations-012020-measures-supplement-transfer_en

• ISO 27001:2013 VS ISO 27001:2022

  My question was to get free upgrade to 2022 version

   

• ISO 9001 - Control Chart in Monitoring Variation

  If you monitor quality or process control through laboratory analysis results you can use a control chart to check if variability is normal or if special causes are present. If special causes are present, it makes sense to investigate to discover and eliminate them. If only random causes are present, and performance is not adequate, the system must be modified.

  Moreover, the use of control charts makes the analysis and evaluation of the results much more objective because it does not depend on opinions or states of mind, it follows clear rules of interpretation.

  If your question is not about quality or process control, but about the quality of laboratory results I do not use control charts, but Repeatability and Reproducibility (R&R) studies.

• No budget to implement control A.8.12 Data Leak Prevention

  A way to implement control A.8.12 Data leakage prevention is by implementing the following documents (the mentioned sections specifically cover the requirements of control A.8.12):

  • Information Classification Policy (https://advisera.com/27001academy/documentation/information-classification-policy/)
    
    • section 3.4 Handling classified information already provides a good set of rules for preventing data leakage (e.g., sensitive documents must not be exchanged via services such as FTP, instant messaging, etc.), but you can add more rule in case of specific needs.
    • Section 3.5 Handing data exposure provides rules to prevent leaked data from being exploited (e.g., by application of data masking)
  • Security Procedures for IT Department (https://advisera.com/27001academy/documentation/security-procedures-for-it-department/)
    
    • sections 3.4 Network security management and 3.9 System monitoring helps you define which systems for monitoring and prevention of data leakage should be used by administrators and their parameters (e.g., log review frequency)
  • IT Security Policy (https://advisera.com/27001academy/documentation/it-security-policy/)
    
    • section 3.14 Internet use provides rules for what is and what isn’t allowed for regular users to minimize risks of data leakage (e.g., use o proper communication channels)

  For further information, see:

  • Detailed explanation of 11 new security controls in ISO 27001:2022 https://advisera.com/27001academy/explanation-of-11-new-iso-27001-2022-controls/

• Important parameters when analyzing samples in ISO accredited laboratory

  The parameters all depend on the purpose of the test. You must meet the requirements of ISO 17025:2017 Clause 7.2.  A laboratory needs to understand the client’s requirement, i.e. the purpose of the test and if there are any self-imposed or regulatory specifications for a pass or fail. For example, a specific measurement should be below a particular threshold. When these conformity statements are made, the laboratory must specify the decision rule and get agreement from the client. This addresses whether measurement uncertainty is considered in the decision of a pass or failed result. When deeming the actual test method as suitable (fit for purpose) the laboratory needs to follow regulatory or sector guidelines and any mandatory requirements from the accreditation body. For example which method performance parameters such as limit of detection are evaluated. It usually starts by proving the method is specific, sensitive enough, and accurate (from assessing trueness and precision).

  If you are interested, view the ISO 17025 toolkit procedure for validation and verification of methods, named Test and Calibration Method Procedure, along with two supporting documents Test Method Development, Verification and Validation Register and Test Method Development, Verification, and Validation Record. The procedure is also available separately at https://advisera.com/17025academy/documentation/test-and-calibration-method-procedure/

• Medical Molecular Lab certification

  Always confirm with the relevant regulatory bodies. However, if the results of the tests are being used for medical diagnostic purposes then ISO 15189:2022 Medical Laboratories - Requirements for quality and competence is the standard to be accredited to. If the testing is for non-medical purposes (for example forensics or in some cases for trial purposes only), then ISO/IEC 17025:2017 General requirements for the competence of testing and calibration laboratories is the appropriate standard to be accredited.

  For more information on ISO 17025, have a look at https://advisera.com/17025academy/what-is-iso-17025/

• Confidentiality Statement

  In fact, all people who need to access information that is sensitive should sign a confidentiality statement. E.g.:

  • employees should sign a confidentiality statement so they can access clients’ information.
  • clients should sign a confidentiality statement so they can access the organization's internal procedures.
  • suppliers should sign a confidentiality statement so they can access the organization's data.

  To identify which information may need a confidentiality statement so it can be accessed, you should check the results of risk assessment, and applicable legal requirements.

• ISO 27001:2013 to ISO 27001:2022 Conversion Tool

  First of all, thanks for this feedback.

  Please note that this tool follows the ISO 27002 guideline about merging and splitting controls from ISO 27001 Annex A.

  Considering that, the converted output for control A.12.6.1 (i.e., control A.8.8) does not mention the split of control A.18.2.3 because this information is not relevant for presenting that information from controls A.12.6.1 and A.18.2.3 are now included in the new control A.8.8 (i.e., it is not necessary to explain that only part of one control is included in the new control, this only would complicate things).