Search results


  • ISO 27001:2013 VS ISO 27001:2022

    My question was how to get a free upgrade to the 2022 version.


  • ISO 9001 - Control Chart in Monitoring Variation

    If you monitor quality or process control through laboratory analysis results you can use a control chart to check if variability is normal or if special causes are present. If special causes are present, it makes sense to investigate to discover and eliminate them. If only random causes are present, and performance is not adequate, the system must be modified.

    Moreover, the use of control charts makes the analysis and evaluation of the results much more objective because it does not depend on opinions or states of mind, it follows clear rules of interpretation.

    If your question is not about quality or process control, but about the quality of laboratory results, I do not use control charts but Repeatability and Reproducibility (R&R) studies.

  • No budget to implement control A.8.12 Data Leak Prevention

    A way to implement control A.8.12 Data leakage prevention is by implementing the following documents (the mentioned sections specifically cover the requirements of control A.8.12):

    For further information, see:

  • Important parameters when analyzing samples in ISO accredited laboratory

    The parameters all depend on the purpose of the test. You must meet the requirements of ISO 17025:2017 Clause 7.2. A laboratory needs to understand the client’s requirement, i.e. the purpose of the test and whether there are any self-imposed or regulatory specifications for a pass or fail. For example, a specific measurement should be below a particular threshold. When these conformity statements are made, the laboratory must specify the decision rule and get agreement from the client. This addresses whether measurement uncertainty is considered in the decision of a pass or fail result. When deeming the actual test method as suitable (fit for purpose), the laboratory needs to follow regulatory or sector guidelines and any mandatory requirements from the accreditation body, for example regarding which method performance parameters, such as limit of detection, are evaluated. It usually starts by proving the method is specific, sensitive enough, and accurate (from assessing trueness and precision).

    If you are interested, view the ISO 17025 toolkit procedure for validation and verification of methods, named Test and Calibration Method Procedure, along with two supporting documents Test Method Development, Verification and Validation Register and Test Method Development, Verification, and Validation Record. The procedure is also available separately at https://advisera.com/17025academy/documentation/test-and-calibration-method-procedure/

  • Medical Molecular Lab certification

    Always confirm with the relevant regulatory bodies. However, if the results of the tests are being used for medical diagnostic purposes, then ISO 15189:2022 Medical Laboratories - Requirements for quality and competence is the standard to be accredited to. If the testing is for non-medical purposes (for example forensics or, in some cases, for trial purposes only), then ISO/IEC 17025:2017 General requirements for the competence of testing and calibration laboratories is the appropriate standard to be accredited to.

    For more information on ISO 17025, have a look at https://advisera.com/17025academy/what-is-iso-17025/

  • Confidentiality Statement

    In fact, all people who need to access information that is sensitive should sign a confidentiality statement. E.g.:

    • employees should sign a confidentiality statement so they can access clients’ information.
    • clients should sign a confidentiality statement so they can access the organization's internal procedures.
    • suppliers should sign a confidentiality statement so they can access the organization's data.

    To identify which information may need a confidentiality statement so it can be accessed, you should check the results of risk assessment, and applicable legal requirements.

  • ISO 27001:2013 to ISO 27001:2022 Conversion Tool

    First of all, thanks for this feedback.

    Please note that this tool follows the ISO 27002 guideline about merging and splitting controls from ISO 27001 Annex A.

    Considering that, the converted output for control A.12.6.1 (i.e., control A.8.8) does not mention the split of control A.18.2.3, because this information is not relevant for presenting the fact that the information from controls A.12.6.1 and A.18.2.3 is now included in the new control A.8.8 (i.e., it is not necessary to explain that only part of one control is included in the new control; this would only complicate things).

  • Questions on Retention Policies

    1: Categories of recipients – maybe a dumb question but would this be the people that receive the data. For example, for a quantitative 13 minute survey where a third party is collecting the data. The recipients would be Ypulse employees? Because categories of data subjects would be Survey Panelists, and processor is the third party.

    No. In this case, categories of recipients mean the other data controllers, joint data controllers, or data processors that receive personal data. Related to the example you provided, recipients would be the hosting company where the data would be stored, third-party partners that collect the data, and other third parties that need to process the personal data.

    2: Also, another silly question, but I believe the lawful basis for processing is Legitimate Interests. Although we do provide marketing research services to companies via presentations and PPTs that we deliver, and we provide consulting services based on the research we conduct. And we do have a contract/SOW designed with our clients. Can you confirm this would still be legitimate interest, or whether this would be considered more as ‘contract’ than legitimate interest?

    The lawful basis for processing in the example you provided should be either consent, if the participants are not remunerated for answering the survey, or the necessity to perform contractual clauses, if participants are remunerated for answering the survey (because there would be a contract in place between your company and the participants). In the case of legitimate interest, people should expect the processing to occur, and my opinion is that in this case, because you are doing quantitative research, it would be quite difficult to argue this legal ground for processing personal data.

    3: I am also not clear on what to add under this column: Data Protection Act 2018 Schedule 1 Condition for processing. I am not really sure what to add for this column. Can you advise on this one?

    For example, for quantitative surveys? Or for when we are communicating with clients – would this be legitimate interest again? Or when we conduct qualitative surveys as well?

    Data Protection Act 2018 Schedule 1 is related to processing special categories of personal data – like health, criminal convictions, etc. This column should be filled only if you process such categories of personal data, and in this case, you should identify what would be the condition of processing, namely Employment, Social Security, Social Protection, Health, Social Care, etc.

    Please also consult these links:

  • Who should write mandatory documents in organization?

    Nice

  • Retention for SIEM

    The identification of such times will depend on the results of risk assessment and applicable legal requirements (i.e., laws, regulations, and contracts), considering each country you want to cover.

    As a tip, you could define an initial retention period (e.g., 1 year), see if this fits your business and legal needs, and adjust it on a case-by-case basis.

    For further information, see:
