Search results

The UK and GDPR commitments.

The UK adopted the UK GDPR, an internal law that mirrors the EU GDPR with the aim to obtain the status of providing an adequate level of protection for freedoms and rights of individuals.

It is an annex of the Data Protection Act adopted on December 18th 2020 before Brexit. 

Here you can find more information on UK GDPR: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/

And on the website of the UK Government you can find the text with the modification of the EU GDPR adopted ad domestic General Data Protection Regulation (UK GDPR) https://www.gov.uk/government/publications/data-protection-law-eu-exit

Therefore, if your companies are located in the UK you will need to implement reference to the UK GDPR and the EU GDPR (i.e., in the privacy notice and in internal policies) and if any data transfer with EU happens, you need to indicate the Standard Contractual Clauses as a legal basis because actually UK is considered a third country and there is not an adequacy decision of the EU Commission.

I can suggest you monitor the Information Commissioner’s Officer (https://ico.co.uk) that is the Surveillance Authority for Data Protection in the UK for any update.

Here you can find more information about data transfer:

• 3 steps for data transfers according to GDPR: https://advisera.com/articles/3-steps-for-data-transfers-according-to-gdpr/
• Standard Contractual Clauses for the Transfer to Processors and Standard Contractual Clauses for the Transfer to Controllers.: https://info.advisera.com/eugdpracademy/free-download/standard-contractual-clauses-annexes
• Free webinar – How to make personal data transfers to other countries compliant with GDPR: https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/

If you need to understand how to process personal data in the light of EU GDPR you can consider enrolling in this EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

Can a process be ISO 17025 certified but the lab where the process was done is not ISO 17025 certified?

As the accreditation is granted to a laboratory for their management system together with scope of tests, the simple answer is no - a process or test cannot be accredited as a standalone test, without the laboratory accreditation.

For more information on 17025 requirements, have a look at the Whitepaper Clause-by-clause explanation of ISO 17025:2017 which will assist you with ISO 17025 awareness, available at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025/ and the ISO 17025 Toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/

EU-US Privacy Shield

No, it has been invalidated by the European Court of Justice in July 2020. Since then, data transfer between the EU and the US need to be done under another legal basis, such as Standard Contractual Clauses.

Here you can find more information about data transfer:

• 3 steps for data transfers according to GDPR: https://advisera.com/articles/3-steps-for-data-transfers-according-to-gdpr/
• Standard Contractual Clauses for the Transfer to Processors and Standard Contractual Clauses for the Transfer to Controllers: https://info.advisera.com/eugdpracademy/free-download/standard-contractual-clauses-annexes
• Free webinar – How to make personal data transfers to other countries compliant with GDPR: https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/

If you need to understand how to process personal data in the light of EU GDPR you can consider enrolling in this EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

ISO 9001 Non-conformance justification

Normally, auditors audit processes or departments, let us call it the physical audit scope. While auditing a process or a department they have to consider the audit criteria, and the audit criteria can be all clauses of the standard and internal procedures applicable within the scope of the audit.

Let me imagine you are auditing process “Prevent breakdown time” or the Maintenance Department. Now, go to ISO 9001:2015 clause 4.4.1 c) – methods and criteria have to be determined. Then, go to ISO 9001:2015 clause 4.4.2 – organizations are free to design the required documented information structure, they have to comply with the mandatory documents and records of standard, but they can go beyond. Once included in the system’s design those documents and records have to be controlled according to ISO 9001:2015 clause 7.5.1 b).

In the case of documentation being lacking or incomplete, as long as it is considered part of the QMS, you should raise a nonconformity. However, I think it is not about 7.5.1 b). Think, what is the problem with those records? Bad design? (clause 7.5.2). Lack of control? (clause 7.5.3). People not knowing how to fill a record? (clause 7.2). Not clear who has to fill the record? (clause 5.3)

You can find more information about documentation below:

• New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
• Some tips to make Document Control more useful for your QMS - https://advisera.com/9001academy/blog/2014/05/20/tips-make-document-control-useful-qms/
• Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/
   

ISO 27000: IT technical consultant

To become an ISO 27001 consultant you do not need to have deep technical knowledge (although this knowledge, and related certifications like BCS, can provide a competitive edge).

Considering that, you have the following ISO 27001 career you can follow:

• ISO 27001 Lead Implementer – this certification recognizes people who have competency in the ISO 27001 implementation process.
• ISO 27001 Lead Auditor – this certification recognizes people who have competency in auditing an ISM S against ISO 27001 requirements and want to become certification auditors (and with this provides more confidence to an organization for being certified).

These articles will provide you a further explanation about ISO 27001 personnel certifications:

• What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
• What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
• Lead Auditor Course vs. Lead Implementer Course – Which one to go for? https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/

For courses related to these certifications, please see:

• ISO 27001:2013 Lead Auditor Course https://advisera.com/training/iso-27001-lead-auditor-course/
• ISO 27001:2013 Lead Implementer Course https://advisera.com/training/iso-27001-lead-implementer-course/

Implementation of ISO 27001 Guidelines

In a general manner, to determine the time needed to implement ISO 27001 you need to:

1. Identify which deliveries you need to make (e.g., policies, procedures, training, assessment, audits, etc.)
2. Identify which tasks are required to produce each result (e.g., interview top management, elaborate a policy draft, submit the draft for evaluation, update draft if needed, approve the final version, etc.)
3. Identify how much time you need to perform each task
4. Identify the sequence in which these tasks should be executed

After the sequencing, you only have to sum the times of the longest sequence to know how much time you will spend to achieve that result. Of course, this is a great simplification of the method, but for small and medium implementations it works well.

To see how a sequence of tasks for ISO 27001 implementation looks like, please take a look at this free material:

• Project checklist for ISO 27001 implementation (MS Word) https://info.advisera.com/27001academy/free-download/project-checklist-for-iso-27001-implementation?

Regarding times, when you consider all the steps as a whole, you can roughly consider that the steps before the risk management will take you ca 10% of the time, risk assessment ca 30% of the time, implementation of controls ca 50% of the time, and final activities (internal audit, management review, corrective actions) ca 10% of the time.

These articles will provide you further information:

• ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
• How long does it take to implement ISO 27001 / BS 25999? https://advisera.com/27001academy/blog/2011/11/08/how-long-does-it-take-to-implement-iso-27001-bs-25999/  - you should also note that this is the timing that is needed for companies that use our toolkits (e.g., ISO 27001 Documentation Toolkit https://advisera.com/27001academy/iso-27001-documentation-toolkit/)

These materials will also help you regarding ISO 27001 schedule development:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ This Foundations course will give you the basics about the standard.

For more advanced knowledge I also suggest the Lead Implementer course for details on how to run the project: https://advisera.com/training/iso-27001-lead-implementer-course/

Risk register

Common documents required by customers are the Information Security Policy, Statement of Applicability, and Audit Report. Other documents can be asked depending upon what customers need.

To share such documents (some of them may have sensitive information about your organization, like your risk register) you first should evaluate if the risks are worthy (e.g., the audit report has very sensitive information about your ISMS status, but the requester is your biggest customer or a potential customer you want to include in your portfolio). If you consider that the risk of sharing this information is acceptable, then you should provide a Non-Disclosure Agreement with these customers to formalize the required conditions for the protection of this information.

Regarding the information in the risk register, all vulnerabilities considered relevant should be included in the risk register.

Risk assessment reference

1. There is a question that the external auditor of ISO 27001 asked me, what is the reference or basis used for the risk assessment methodology that you have in your table? See point 3 of the attached document.

First is important to note that ISO 27001 does not prescribe any risk assessment methodology, so organizations can adopt any methodology they see fit for their needs or create their own, provided it fulfills requirements from clause 6.1.2 – information security risk assessment.

Considering that, the asset-threat-vulnerability approach used in our template follows the guidelines from ISO 27005, the ISO standard for information security risk management.

This article will provide you a further explanation risk assessment:

• ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

These materials will also help you regarding risk assessment:

• The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
• Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

2. Another question, do you know where I can buy the ISO 27001: 2013 standard in Spanish?

You can buy a Spanish version of ISO 27001 at Aenor site: https://www.aenor.com/normas-y-libros/buscador-de-normas/une/?c=N0058428

QMS

Yes, it is possible to exclude requirement 7.6 if you do not use any measuring equipment. You must state that in your Quality manual and put a justification why it is not applicable. 

However, consider the following. If you have a server in your company and that server is located in a separate room, is it defined what the temperature must be in that room. If you have a defined temperature range and if you monitor the temperature in that room, then it is necessary that the thermometer be calibrated, and thus covered by this requirement 7.6. 

For more information regarding the calibration, please see the following link:

• Calibration requirements in ISO 13485 https://advisera.com/13485academy/blog/2019/03/08/calibration-requirements-in-iso-13485/

• ISO 27001 certificate

  1 - how can I conduct the iso27001 gap analysis

  Answer: First is important to note that ISO 27001 gap analysis is not mandatory, and is actually not recommended for smaller companies because it only takes away the resources without providing many benefits.

  Considering that, the best approach is to develop a checklist of which items you need to verify, and which results you have to find to define if there is a gap or not. When looking for results, some approaches you may use are interviews, documentation evaluation, and field observation. Based on that approach it is easier to develop action plans to eliminate the gaps.

  Regarding ISO 27001, I suggest you take a look at our free ISO 27001 Gap Analysis Tool at this link: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/

  It was developed as a simple question-and-answer questionnaire so you can visualize which specific elements of an information security management system are already implemented, and what is still needed to do.

  For more information, see:
  - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
  - Practical use of corrective actions for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2013/12/09/practical-use-of-corrective-actions-for-iso-27001-and-iso-22301/

  
  2 - what are the minimum requirements to achieve the iso27001 certificate?

  Answer: Broadly speaking, the minimum requirements to fulfill if you want to go for ISO 27001 certification are related to clauses 4 to 10 of the standard, involving:
  - documentation and implementation of information security-related requirements (e.g., ISMS scope, Information Security Policy, Risk Assessment and Risk treatment, etc.)
  - performing internal audit and management review
  - treatment of nonconformities and corrective actions.

  These articles will provide you a further explanation about ISO 27001 certification:
  - List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
  - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

  To see how documents compliant with ISO 27001 look like, please take a look at the free demo of our ISO 27001 Documentation Toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

  These materials will also help you regarding ISO 27001 certification:
  - ISO 27001: An overview of the ISMS implementation process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001-overview-isms-implementation-process-free-webinar-demand/
  - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  - ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/