No, you cannot use it. Your new operation in Norway is not included in the scope of the other certified systems of the company. So, you must first implement the management system and then your company can request the certification of the operation in Norway or include the Norwegian site in the scope of another certified site. In the second case, in the next recertification or surveillance audit, the Norwegian site will be included.
Organizations shall define, document, and make available the scope of the QMS, referring to the Products and Services that are provided and identifying the limits of the management system. The scope should clearly describe the type of Products and Services covered by the system and provide sufficient information, preventing the transmission of erroneous or misleading information about what the organization covers in the quality management system and what it is able to provide to its customers. It must be available because it is through the scope that the organization communicates to the relevant interested parties, namely customers and potential customers, the Products and Services it makes available, and the locations involved.
The following material will provide you information about the scope of a quality management system:
ISO 9001:2015 is not about standardization of office documents. It is about the standardization of all documents relevant to the quality management system. It is not mandatory to apply the same standardization to occupational safety. However, I advise doing that. Later, if the organization wants to integrate quality and occupational safety in the same management system, there is a common set of rules for document standardization.
You can find more information about document control below:
Let us consider clause 4.4.1 a) and b). There is no mandatory requirement to use a diagram format. However, in all my experience I only saw diagram formats. A possible way of answering your request could be:
You can find more information below:
"The client is a small company that is a staff of four or five. They are based in the US and provide neurologic brain testing for patients usually suffering from a stroke. The tests are administered by a doctor or a health clinic. Recently, there is a clinic in Italy that plans on using their software. The number of patients, for the near future, may only be a few dozen. I have done some research but can't find an exact answer to these questions:
1. Does the company need to have a formal EU Representative?
Yes, the company needs to have a formal EU Representative because they are offering a service/product in an EU Member State.
Are there companies that provide EU Representation services?
Yes, there are consulting firms and lawyers specialized in GDPR and Data Protection laws that offer this service. The company needs an EU Representative located in the country where the service/product is offered as stated in article 27 paragraph 3 GDPR.
Does this representative need to keep the Record of Processing Activities?
Yes, article 30 GDPR requires that “Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.” The Record is required because the project will involve health data, which fall under article 9 GDPR and need special protection (this category of data is also known as sensitive data).
If there is one thing that must be focused on to be GDPR compliant, what would that be?"
There is more than one thing to be focused on to be GDPR compliant, but thinking of your project, involving health data which is the particular category of personal data under Article 9 GDPR, I shall say consent and information to the data subject. Patients need to be informed and aware that their data will be processed and transferred to a US company (transfer shall comply with Standard Contractual Clauses) and of course the security of data processing. Information to the data subject and safety of data processed is the core of GDPR. Our Toolkit helps organizations implement GDPR requirements.
Here you can find more information for starting to be compliant with GDPR:
If you need to understand how to comply with GDPR, you can consider enrolling in our free online training:
Here you can find all information about our EU GDPR Toolkit and the expert support: https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/
Yes, because it processes the data of clients. Data subjects that purchase an IoT device accept the terms and conditions of that producer and provide personal data to that company. Of course, the producer may shift the liability with the IoT development company.
Please remember that GDPR does not apply only to IoT software but to all data processed by the company, so there are more personal data than those acquired by the IoT device.
The two companies can be the joint controller and there will be a data protection agreement where the liability profiles are separated so that the producer will bear responsibility for customer data (shipping, invoices, customer care, marketing, etc) while the software development company will bear responsibility for data processed through the IoT device.
In case the producer of the IoT hires a software development company to design an IoT software, giving specifics of the software and having access to data and using those data for any purpose (product development, marketing, etc.), the IoT integrator will be the controller and the software company will be the processor (for data processed through software) because all control over data is in the producer company.
The following article may help you manage the obligations of controllers:
First, it is important to note that, for the documents you mentioned, only the ISMS scope and list of requirements documents are mandatory for ISO 27001.
Considering that, there are some core documents that must be developed and approved before starting to write other documents. For example, the ISMS scope must be approved before other documents are written. Another example is that risks must be identified, and treatment for the relevant ones defined, and the Statement of Applicability (SoA) must be approved, before documents related to security controls are written.
This article will provide you a further explanation about ISO 27001 mandatory documents:
- List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
This material will provide you further explanation of the order to develop and approve documents:
- Project checklist for ISO 27001 implementation (MS Word) https://info.advisera.com/27001academy/free-download/project-checklist-for-iso-27001-implementation
These materials will also help you regarding ISO 27001 implementation:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Strategies refer to high-level actions to be developed to achieve defined objectives, while solutions are related to how these actions will be implemented.
For example, to ensure the objective of recovering operations in a defined timeframe, the strategy adopted may be the use of an alternative site, and the solution would be the definition of the alternative site (e.g., by hiring a third party to provide the alternate site, or the organization can build its own main site).
Another example is a backup strategy (which could be incremental, differential, etc.), and the solution would refer to the specific hardware and software bought.
This article will provide you a further explanation about ISO 22301:2019:
This material will also help you regarding ISO 22301:
1. When doing the Access Control policy we found ourselves relatively short of content in the policy document (this has not appeared to be the case in all policies we’ve worked through). Are you able to give us any guidance on where we could find resources with more prescriptive control examples, than are found in the ISO 27002 standard? The challenge we seem to have is the policies are not all encompassing in terms of coverage of the controls, and when we turn to the controls in the standard, the controls appear quite vague in some cases. Is there somewhere a next level down of control examples? Any comments / insights you can offer around this would be appreciated.
For more prescriptive examples you can use to customize your Access Control Policy, I suggest you consult the NIST SP 800-53 document.
For further information, see:
2. Is there anything at all stopping us from incorporating the controls found in CSA CCM into our documentation suite? Many map to ISO controls, but in some cases appear to be more specific.
If we were doing this, do you have any suggestions or comments we should keep in mind when approaching this?
ISO 27001 does not limit applicable controls to those listed in Annex A, so organizations can develop their own controls, or use controls from other sources, so you can incorporate controls from CSA CCM into your documents.
As a recommendation for using this approach, you must remember to include a reference to controls external to Annex A into your Statement of Applicability. This can be done either by including a new control in the SoA list (if the new controls cannot be mapped to controls from Annex A), or by including a comment in the implementation method column referring to the mapped control.
These articles will provide you a further explanation about developing documents:
This material will also help you regarding security controls:
Your assumption is correct. Since you do not do any software development, you do not need to complete the Secure Development Policy.
Since this document will not be used by your organization, you must update the Statement of Applicability to reflect this situation.
These articles will provide you a further explanation:
This material will also help you: