Search results

Specific legal requirement/protection by implementing ISO 27001

Please note that ISO 27001 was not designed to fulfill any specific legal requirement. It was developed based on globally recognized market practices for the protection of information, but its practices are so widely accepted and used that they can help fulfill most of the general aspects of laws and regulations around the world.

These articles will provide you a further explanation about how to use ISO 27001 to comply with legal requirements:
- Comparison of HIPAA compliance and ISO 27001 certification https://advisera.com/27001academy/blog/21/01/27/hipaa-compliance-vs-iso-27001/
- Comparison of SOC 2 and ISO 27001 certification https://advisera.com/27001academy/blog/21/02/02/iso-27001-vs-soc-2/
- Does ISO 27001 implementation satisfy EU GDPR requirements? https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/
- PCI-DSS vs. ISO 27001 Part 1 – Similarities and Differences https://advisera.com/27001academy/knowledgebase/pci-dss/

In case you are interested in which legal requirements you need to consider when implementing ISO 27001, our recommendation is for you to hire a local legal expert to help you identify such requirements. An online search can help at the beginning of your work (for an overview), but local expert advice is highly recommended.

This article can provide a start: https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/

But please note that the list in this article is not fully up-to-date because it depends on voluntary contributions from our readers – therefore, it is likely that not all regulations for each country are listed (some even may have been withdrawn).

These materials will also help you regarding ISO 27001:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Mandatory controls for SoA

1 - Right now I'm about to do the SoA but is there anywhere I can find the full list of all 114 controls? 

Answer: Please note that the Statement of Applicability template in your toolkit already contains names of the 114 controls listed in the ISO 27001 Annex A.

In case you are looking for detailed information about them, then you need to buy the standard ISO 27001 because its content is an intellectual property of ISO and cannot be sold with the toolkit.

By the way, included in the toolkit, you have access to a video tutorial that can help you fill in the Statement of Applicability.

For further information about ISO 27001 controls, see:
- A quick guide to ISO 27001 controls from Annex A https://advisera.com/27001academy/iso-27001-controls/

This material can also help you:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

2 - And can i somehow see/know which of them are mandatory to implement?

Answer: Please note that no control in ISO 27001 Annex A is mandatory to implement. The need for implementation is based on the results of risk assessment and identified applicable legal requirements.

Included in your toolkit you have access to video tutorials that can help you perform a risk assessment and determine which controls would be required for your implementation.

For further information, see:
- ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

These materials will also help you regarding risk management:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

GDPR Best legal basis for data sharing

The legal basis of data processing is determined by the controller before data collection. The controller can process data on one or more legal bases, but selecting one is essential for the lawfulness of processing under Article 6 GDPR. Before starting to collect personal data, the controller needs to understand why he/she needs those data and the purpose must be declared in the privacy notice. The data subject, in fact, must be informed and aware of the reason for processing. Legal basis are:

1. Consent of the data subject.

2. Performance of a contract (even pre-contractual steps).

3. Compliance with a legal obligation to which the controller is subject.

4. Protect the vital interests of the data subject.

5. Performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

6. Processing is necessary for the purposes of the legitimate interests pursued by the controller.

For example, if you provide a service on the web you can state in the privacy notice that personal data of the customer are collected to provide the service and to comply with a legal obligation (i.e., tax declarations), you can ask also consent to the data subject for receiving newsletter or promotions. If your customer withdraws the consent asking to delete all his/her personal information stored, you can reply that you will remove his/her personal information for processing based on consent (newsletter, marketing), while data processed for the provision of service will be kept to comply with tax rules on bookkeeping. This is why the controller needs to determine the legal basis of each data processing before collecting data.

Here you can find more information on the legal basis and data subjects rights:

• Is consent needed? Six legal bases to process data according to GDPR https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/
• Data subject rights according to GDPR https://advisera.com/eugdpracademy/knowledgebase/8-data-subject-rights-according-to-gdpr//
• Email marketing in the era of GDPR – How to ensure compliance? https://advisera.com/eugdpracademy/blog/2019/05/27/gdpr-and-email-marketing-rules-for-compliant-campaigns/

If you need to understand how to determine the legal basis of processing under GDPR, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course// 

ISO 9001 certification renewal in 3 months

I feel that some information is missing in your question.

1. Is your organization currently certified according to ISO 9001:2015?
2. Your organization in the past was certified, but decided to let go of certification according to ISO 9001:2015?
3. Your organization in the past was certified, but decided to let go of certification according to ISO 9001:2008? 

Whatever the situation a possible approach can be:

• Setup a project sponsor, a project manager, and a project team. Ensure top management support, get training about the standard. Designing and implementing a quality management system implies being knowledgeable about ISO 9001:2015.
• As a first step perform a Gap analysis, to determine the amount of work to be done - comparing what your organization already has in place versus ISO 9001:2015 requirements. From that GAP Analysis, you can develop your Project Plan, listing what needs to be done, by whom, until when.

From there it is implemented in order to close the gaps found. Then, perform an internal audit and the management review. There you can decide if your organization is ready for a certification audit.

To speed up the process you can use our Documentation Toolkit for the implementation of ISO 9001:2015 here - https://advisera.com/9001academy/iso-9001-documentation-toolkit/ and check the free previews. You can also watch this free webinar on-demand - How to use a Documentation Toolkit for the implementation of ISO 9001 - https://advisera.com/9001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-9001-free-webinar-on-demand/

Time to implement from scratch and be certified, with our Toolkit Documentation, can take:

• Companies of up to 10 employees - up to 3 months
• Up to 50 employees – up to 3 to 6 months
• Up to 200 employees – up to 6 to 10 months
• More than 200 employees – up to 10 to 20 months 

This is a very short description of the journey but below you can find more detailed information:

You can find more information below:

• Free Gap Analysis Tool - https://advisera.com/9001academy/iso-9001-gap-analysis-tool/
• Should you use a gap analysis in your ISO 9001 implementation? -https://advisera.com/9001academy/17/use-gap-analysis-iso-9001-implementation/
• Checklist of ISO 9001 implementation & certification steps - https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
• ISO 9001 Implementation diagram - https://info.advisera.com/9001academy/free-download/iso-9001-implementation-diagram
• How to budget an ISO 9001 implementation project - https://info.advisera.com/9001academy/free-download/how-to-budget-an-iso-9001-implementation-project?utm_source=script-for-iso-9001-lead-implementer-course&utm_medium=downloaded-content&utm_content=lang-en&utm_campaign=free-downloads-9001
• Free webinar on-demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
• Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

Improving the work of a library with ISO 9001

So, your organization, as a library, is a service provider. Please check the key benefits of ISO 9001 implementation in this article - Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/

Implementing ISO 9001 means:

• determining and planning key processes – allows standardization of practices and monitorization of performance
• determining relevant interested parties – allows promoting an outward-looking point of view seeing the organization as a services provider 

You can find more information below:

• What are the benefits of ISO 9001 for your employees? - https://advisera.com/9001academy/blog/2016/06/14/what-are-the-benefits-of-iso-9001-for-your-employees/
• How to define the scope of the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
• Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
• Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

Correction Plan vs Corrective Action Plan

In the event of a non-conformity, there are 3 possible actions to develop

1. Stop the non-conformity from continuing to occur! Stop the damage! Warn people! Do a recall! (examples of what can be done. You are not acting on the non-conformity, you are acting on the process or on the consequences)
2. Then comes correction. Correction is about eliminating the non-conformity (examples of what can be done are: segregate and repair; segregate and dispose of; segregate and downgrade; segregate and ask permission to send the product or accept the service as such – what is also called as a concession). Confirming that the correction was done
3. Then, if the nonconformity is serious or is systematic, comes the corrective action. Collect more information about the symptoms of the problem, investigate the cause, design a solution, implement the solution and do the follow-up to check the effectiveness 

Action 1 is not always possible or necessary to develop.

Action 2 is always done.

Action 3 is done when the non-conformity is serious or systematic.

You can find more information below:

• Free webinar on-demand - Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/
• How to use root cause analysis to support corrective actions in your QMS - https://advisera.com/9001academy/blog/2016/03/01/how-to-use-root-cause-analysis-to-support-corrective-actions-in-your-qms/
• Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
• Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

Implementing ISO 9001 alongside ISO 13485

No, you do not need ISO 9001:2015 certification. There is a difference between ISO 9001:2015 and ISO 13485:2016, and by implementing the ISO 9001 not all requirements for the manufacturing of medical devices will be fulfilled. It is not a question of preference, but what the legal regulations are and what requirements must be met in order for a medical device to comply with its regulations. ISO 13485:2016 is a standard that is specific for Manufacturers of medical devices (Medical devices — Quality management systems — Requirements for regulatory purposes). Besides that, on the web pages of the European Commission are stated which standards are applicable for all types of medical devices:  https://ec.europa.eu/growth/single-market/european-standards/harmonised-standards/medical-devices_en 

On that list, which has around 300 standards, only ISO 13485:2016 is the standard for the quality management system. 

For more information please read the following articles:

• Similarities and differences between ISO 9001:2015 and ISO 13485:2016 https://advisera.com/9001academy/blog/2015/01/21/iso-9001-vs-iso-13485/
• What are the ISO 13485 structure and requirements https://advisera.com/13485academy/what-is-iso-13485/
• How to get ISO 13485 certified? https://advisera.com/13485academy/iso-13485-certification/
• Checklist of ISO 13485 implementation and certification steps https://advisera.com/13485academy/knowledgebase/checklist-of-iso-13485-implementation-and-certification-steps/

• Differences between ISO 27001 and SOC 2

  The main differences between ISO 27001 and SOC 2 can be summarized as follows:

  • SOC 2 is a set of audit reports to evidence conformance to the Trusted Service Criteria (TSC), while ISO 27001 is a standard for the management of information security
  • SOC 2 is usually required in the U.S., while ISO 27001 is an international standard
  • SOC 2 is not certifiable (it can be only attested by a licensed Certified Public Accountant (CPA), while ISO 27001 is certifiable by accredited certification bodies  

  This article will provide you a further explanation about ISO 27001 and SOC 2:

  • Comparison of SOC 2 and ISO 27001 certification https://advisera.com/27001academy/blog/21/02/02/iso-27001-vs-soc-2/

  These materials will also help you regarding ISO 27001:

  • Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

• Conducting implementation/audit using ISO 27001 and ISO 27701 simultaneously

  Please note that ISO 27701 was developed as an extension of ISO 27001 and ISO 27002. Considering that, the material already developed for ISO 27001 implementation/audit would need to undergo some adjustments to incorporate ISO 27701 aspects.

  Our ISO 27001 toolkit is approximately 80% compliant with ISO 27701. The remaining 20% refers to small adjustments to include the protection of privacy in the context of the documents (e.g., where a document states “information security”, it now should state “information security and privacy”, and applicable controls should consider complementary privacy protection measures), and the inclusion of applicable controls specifically developed for ISO 27701 (in a total of 49 controls). To see how the documents in the toolkit look like, please access this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

  For further information, read:

  • Relationship between ISO 27701, ISO 27001, and ISO 27002 https://advisera.com/27001academy/blog/2019/12/10/relationship-between-iso-27701-iso-27001-and-iso-27002/

  These articles will provide you a further explanation about ISO 27001:

  • What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
  • Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/

  These materials will also help you regarding ISO 27001:

  • Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

• Backup and archiving

  You asked

  I would like to know your opinion on which documents should be backed up. Backup rules. 

  It is the decision of the laboratory, based on customer requirements and or regulations, and based on risk; which documents you need to back up. Typically a laboratory will back up all current work, whilst archive backups are also available.

  You also asked

  it is imperative, in addition to backup copying, to archive the same documents and put an EDS on them"

  Again, do what is necessary for data security and integrity. Exactly how you do it is up to your needs.

  For more information see 

  The Whitepaper Clause-by-clause explanation of ISO 17025:2017 will assist you with ISO 17025 awareness, available at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025/ 

  and the ISO 17025 Toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/