ISO 9001:2015 is not about standardization of office documents. It is about the standardization of all documents relevant to the quality management system. It is not mandatory to apply the same standardization to occupational safety. However, I advise doing that. Later, if the organization wants to integrate quality and occupational safety in the same management system, there is a common set of rules for document standardization.
You can find more information about document control below:
Let us consider clause 4.4.1 a) and b). There is no mandatory requirement to use a diagram format. However, in all my experience I only saw diagram formats. A possible way of answering your request could be:
You can find more information below:
"The client is a small company that is a staff of four or five. They are based in the US and provide neurologic brain testing for patients usually suffering from a stroke. The tests are administered by a doctor or a health clinic. Recently, there is a clinic in Italy that plans on using their software. The number of patients, for the near future, may only be a few dozen. I have done some research but can't find an exact answer to these questions:
1. Does the company need to have a formal EU Representative?
Yes, the company needs to have a formal EU Representative because they are offering a service/product in an EU Member State.
Are there companies that provide EU Representation services?
Yes, there are consulting firms and lawyers specialized in GDPR and Data Protection laws that offer this service. The company needs an EU Representative located in the country where the service/product is offered as stated in article 27 paragraph 3 GDPR.
Does this representative need to keep the Record of Processing Activities?
Yes, article 30 GDPR requires that “Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.” The Record is required because the project will involve health data, which fall under article 9 GDPR and need special protection (this category of data is also known as sensitive data).
If there is one thing that must be focused on to be GDPR compliant, what would that be?"
There is more than one thing to be focused on to be GDPR compliant, but thinking of your project, involving health data which is the particular category of personal data under Article 9 GDPR, I shall say consent and information to the data subject. Patients need to be informed and aware that their data will be processed and transferred to a US company (transfer shall comply with Standard Contractual Clauses) and of course the security of data processing. Information to the data subject and safety of the data processed is the core of GDPR. Our Toolkit helps organizations implement GDPR requirements.
Here you can find more information for starting to be compliant with GDPR:
If you need to understand how to comply with GDPR, you can consider enrolling in our free online training:
Here you can find all information about our EU GDPR Toolkit and the expert support: https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/
Yes, because it processes the data of clients. Data subjects that purchase an IoT device accept the terms and conditions of that producer and provide personal data to that company. Of course, the producer may shift the liability to the IoT development company.
Please remember that GDPR does not apply only to IoT software but to all data processed by the company, so there are more personal data than those acquired by the IoT device.
The two companies can be joint controllers and there will be a data protection agreement where the liability profiles are separated, so that the producer will bear responsibility for customer data (shipping, invoices, customer care, marketing, etc.) while the software development company will bear responsibility for data processed through the IoT device.
In case the producer of the IoT device hires a software development company to design IoT software, giving the specifics of the software and having access to data and using those data for any purpose (product development, marketing, etc.), the IoT integrator will be the controller and the software will be the processor (for data processed through software) because all control over data is in the producer company.
The following article may help you to manage the obligations of controllers:
First, it is important to note that, for the documents you mentioned, only the ISMS scope and list of requirements documents are mandatory for ISO 27001.
Considering that, there are some core documents that must be developed and approved before starting to write other documents. For example, the ISMS scope must be approved before other documents are written. Another example is that risks must be identified, treatment for the relevant ones defined, and the Statement of Applicability (SoA) approved, before documents related to security controls are written.
This article will provide you with further explanation about ISO 27001 mandatory documents:
- List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
This material will provide you with further explanation on the order in which to develop and approve documents:
- Project checklist for ISO 27001 implementation (MS Word) https://info.advisera.com/27001academy/free-download/project-checklist-for-iso-27001-implementation
These materials will also help you regarding ISO 27001 implementation:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Strategies refer to high-level actions to be developed to achieve defined objectives, while solutions are related to how these actions will be implemented.
For example, to ensure the objective of recovering operations in a defined timeframe, the strategy adopted may be the use of an alternative site, and the solution would be the definition of the alternative site (e.g., by hiring a third party to provide the alternate site, or the organization can build its own main site).
Another example is a backup strategy (which could be incremental, differential, etc.), and the solution would refer to the specific hardware and software bought.
This article will provide you with further explanation about ISO 22301:2019:
This material will also help you regarding ISO 22301:
1. When doing the Access Control policy we found ourselves relatively short of content in the policy document (this has not appeared to be the case in all policies we’ve worked through). Are you able to give us any guidance on where we could find resources with more prescriptive control examples, than are found in the ISO 27002 standard? The challenge we seem to have is the policies are not all encompassing in terms of coverage of the controls, and when we turn to the controls in the standard, the controls appear quite vague in some cases. Is there somewhere a next level down of control examples? Any comments / insights you can offer around this would be appreciated.
For more prescriptive examples you can use to customize your Access Control Policy, I suggest you consult the NIST SP 800-53 document.
For further information, see:
2. Is there anything at all stopping us from incorporating the controls found in CSA CCM into our documentation suite? Many map to ISO controls, but in some cases appear to be more specific.
If we were doing this, do you have any suggestions or comments we should keep in mind when approaching this?
ISO 27001 does not limit applicable controls to those listed in Annex A, so organizations can develop their own controls or use controls from other sources, which means you can incorporate controls from CSA CCM into your documents.
As a recommendation for using this approach, you must remember to include a reference to controls external to Annex A into your Statement of Applicability. This can be done either by including a new control in the SoA list (if the new controls cannot be mapped to controls from Annex A), or by including a comment in the implementation method column referring to the mapped control.
These articles will provide you with further explanation about developing documents:
This material will also help you regarding security controls:
Your assumption is correct. Since you do not do any software development, you do not need to complete the Secure Development Policy.
Since this document will not be used by your organization, you must update the Statement of Applicability to reflect this situation.
These articles will provide you with further explanation:
This material will also help you:
First, it is important to note that ISO 27031 has a focus on the recovery of Information and Communication Technology, which is only one part of business disaster recovery (e.g., it does not cover the recovery of operational and administrative processes).
Considering that, you should evaluate whether the content provided by ISO 27031 is enough to cover your needs (i.e., at this point you only need technical guidance), or whether you need a more comprehensive view of the business, to prioritize business processes (in this case you should start with ISO 22301).
These articles will provide you with further explanation about ISO 27031 and ISO 22301:
This material will also help you:
Besides hardware and software, other commonly used categories for information assets are people (e.g., experts, top management, line managers, users, etc.), documentation (e.g., contracts, blueprints, manuals, etc.), infrastructure (e.g., offices, warehouses, etc.), and outsourced services (e.g., communication providers, electrical power supply, etc.).
To see a list of assets commonly used for ISO 27001 ISMS, please take a look at the free demo of our Risk Assessment Table at this link: https://advisera.com/27001academy/documentation/risk-assessment-table/
This article will provide you with further explanation about asset management:
These materials will also help you regarding asset management: