Search results

Third party

Among data controllers and data processors, it is always required a Data Processing Agreement (DPA) by Article 28 GDPR either if the processor has remote access to data or not. The nature of processing is determined by the controller while the processor processes data on the controller’s behalf under a written legal agreement with binding effects.

Here you can find more information about the data controller and the processor, consent, and data subjects:

• Is consent needed? Six legal bases to process data according to GDPR https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/
• Data subject rights according to GDPR https://advisera.com/eugdpracademy/knowledgebase/8-data-subject-rights-according-to-gdpr//
• EU GDPR controller vs. processor – What are the differences? https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/

In order to understand how to manage data subjects PII, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

Are templates mapped with NIST and CIS 20 requirements

By your question, I’m assuming you are referring to templates of the ISO 27001 Documentation Toolkit.

Considering that, these templates are developed considering the requirements of ISO 27001 standard, so there is no available mapping to NIST and CIS 20 requirements.

However, included in the toolkit there is a List of documents file that shows which clauses and controls of the standard are covered by each template. Additionally, NIST documents already have annexes that identify the relations between their requirements and ISO 27001 requirements (e.g., NIST 800-171 Annex D and NIST 800-53 Annex H).

As for CIS 20, most of its controls can be related to ISO 27001 Annex A controls (e.g., CIS control “Inventory and Control of Hardware Assets” can be related to ISO 27001 controls “A.8.1.1 Inventory of assets” and “A.8.1.2 Ownership of assets”).

These articles will provide you a further explanation:

• How to use the NIST SP800 series of standards for ISO 27001 implementation https://advisera.com/27001academy/blog/2016/05/02/how-to-use-the-nist-sp800-series-of-standards-for-iso-27001-implementation/
• How to use NIST SP 800-53 for the implementation of ISO 27001 controls https://advisera.com/27001academy/blog/2016/05/10/how-to-use-nist-sp-800-53-for-the-implementation-of-iso-27001-controls/

These materials will also help you regarding ISO 27001:

• Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
• Overview of ISO 27001:2013 Annex A https://advisera.com/27001academy/iso-27001-controls/

Clauses that require records

On this link, you can find the white paper with all mandatory documents and records required for ISO 13485. Feel free to download it.

• Checklist of Mandatory Documentation required by ISO 13485:2016 - https://info.advisera.com/13485academy/free-download/checklist-of-mandatory-documentation-required-by-iso-134852016

• Legal basis

  The data processor processes data on behalf of the data controller, under Article 28 GDPR, with a written binding legal document.Therefore, the legal basis of data processing is to perform a contract obligation (toward the data controller).The data subject shall contact the controller to handle their consent and the controller shall inform the processor on how to proceed (in case of Data Subject Access Right procedure or consent withdrawal).

  Here you can find more information on the processor obligations and data subject management:

  • EU GDPR controller vs. processor – What are the differences? https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
  • Data subject rights according to GDPR https://advisera.com/eugdpracademy/knowledgebase/8-data-subject-rights-according-to-gdpr//
  • Four main questions for obtaining and managing data subjects’ consent under GDPR https://advisera.com/eugdpracademy/knowledgebase/four-main-questions-for-obtaining-and-managing-data-subjects-consent-under-gdpr/

  If you need to know more about data subjects rights and processor obligation under the EU GDPR you may consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

• Change management process

  Change management process according to the automotive management system, IATF 16949: 2016 standard; required for issues related to production or product change. The web page change or IT-based, etc.,  you can use your normal processes for topics.

• ISO 14001 environment objectives

  Everything starts with your environmental assessment:

  

  You determine a set of environmental aspects. Then, you evaluate and segregate the significant from the nonsignificant environmental aspects:

  

  Some of the significant environmental aspects due to the scale of your organization operations are mentioned in the environmental policy, they are very important to improve your organization’s interaction with the environment:

  

  A practical example can be:

  

  So, the organization decides to develop environmental objectives around:

  • Reducing the number of wastes sent to landfill
  • Reducing the unitary energy consumption
  • Reducing the unitary solvent consumption

  Before setting objectives, organizations have to define an environmental policy. A good environmental policy considers the scale and environmental impacts of its activities, products, and services. So, the relevant environmental objectives of an organization must be based on significant environmental aspects and impacts.

  You can find more information below:

  • How to Use Good Environmental Objectives - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/how-to-use-good-environmental-objectives/
  • Examples of ISO 14001 objectives based on the different company sizes - https://advisera.com/14001academy/blog/2019/10/22/iso-14001-objectives-examples-for-different-company-sizes/
  • Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
  • Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
     

• ISO 9001 awareness of hospital QMA

  Unfortunately, I cannot give you a specific answer concerning hospitals, I will give you a general answer applicable to any organization in any sector. Please check clause 7.3 of ISO 9001:2015.

  People working for the QMS need to be aware of the quality policy, need to be aware of the quality objectives that they can influence with their work, need to be aware how they can contribute to meet those objectives, and need to be aware of the consequences of nonconformities.

  To meet these requirements, I normally set workshops where the representation of the organization, based on the process approach as a set of interrelated processes, is the starting point. From there I invite people to find in which processes they work in, which processes act as their internal suppliers and which processes act as their internal clients. Then I invite people to make the relationship between processes and quality objectives, from there they see how they influence the quality objectives and the QMS effectiveness.

  The following material will provide you more information about organizational knowledge:

  • How to manage knowledge of the organization according to ISO 9001 - https://advisera.com/9001academy/blog/2016/08/30/how-to-manage-knowledge-of-the-organization-according-to-the-iso9001/
  • How to ensure competence and awareness in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-ensure-competence-and-awareness-in-iso-90012015/
  • Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
  • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
     

• Query regarding the career with ISO 27001 Certificate

  As a telecom security engineer, I’m assuming your main tasks will be of technical nature.

  Considering that, ISO 27001 can help you understand the main concepts of information security and information security controls that can be applied to telecom, however, it will not provide you technical details on how to implement controls. For such knowledge, you should look for other certifications, like CISSP and CompTIA.

  Regarding ISO 27001 certifications, if you want to consider an ISO 27001 career you can follow:

  • ISO 27001 Lead Implementer – this certification recognizes people who have competency in the ISO 27001 implementation process.
  • ISO 27001 Lead Auditor – this certification recognizes people who have competency in auditing an ISMS against ISO 27001 requirements and want to become certification auditors (and with this provides more confidence to an organization for being certified).

  These articles will provide you a further explanation about ISO 27001 personnel certifications:

  • What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
  • What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
  • Lead Auditor Course vs. Lead Implementer Course – Which one to go for? https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/

  For courses related to these certifications, please see:

  • ISO 27001:2013 Lead auditor course https://advisera.com/training/iso-27001-lead-auditor-course/
  • ISO 27001:2013 Lead implementer course https://advisera.com/training/iso-27001-lead-implementer-course/

• ISO 27001 Foundations Course comment

  Please note that the question refers to the Statement of Applicability document (“The Statement of Applicability document should include:”)

  Considering that, ISO 27001 clauses 6.1.3 d), and 6.1.3.c requires that all 114 controls from Annex A are included in the SoA, not only those deemed applicable, as well as additional controls from other sources. For those controls from Annex A deemed not applicable, you need to provide justification for their exclusion.

  This article will provide you a further explanation about the Statement of Applicability:

  • The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

• ISO 9001 Audit objectives

  Let us consider two cases:

  

  Case A

  If the audit Program only includes one audit (the scope is the whole quality management system) we may say that both audit program and audit plan have the same purpose, have the same objective.

   

  Case B

  If the audit program includes a set of audits, then we have different objectives. For example, the audit program objective is about the whole set of audits, but each audit will have a different objective and a different audit plan because they may have different scopes and different audit objectives.

   

  For each audit, whatever the case, the audit process objective is the same: being able to arrive at sound conclusions based on the audit plan objectives and on the findings based on solid evidence.

   

  You can find more information below:

  • Article - ISO 9001 internal auditor training: Is it for me? - https://advisera.com/9001academy/blog/2015/06/02/iso-9001-internal-auditor-training-is-it-for-me/
  • Webinar - Free webinar on-demand - How to perform an ISO 9001:2015 internal audit - https://advisera.com/9001academy/webinar/how-to-perform-an-iso-9001-2015-internal-audit-free-webinar-on-demand/
  • Free online training ISO 9001:2015 Internal Auditor Course: https://advisera.com/training/iso-9001-internal-auditor-course/
  • Book - ISO internal audit: A plain English guide: https://advisera.com/books/iso-internal-audit-plain-english-guide/