Search results

ISO certification: 7.4 Communication

The official ISO 27001 revision is from 2013, and it was confirmed in 2019 - you can see the details here: https://www.iso.org/standard/54534.html 

When you mention ISO 27001:2017, this is probably a standard that was re-published by a European or a local standardization body in a particular country - however, even though it has the year "2017" it is again the same as the original ISO 27001:2013. 

This article can also help you: European 2017 Revision of ISO/IEC 27001: What has changed? https://advisera.com/27001academy/blog/2017/10/25/european-2017-revision-of-isoiec-27001-what-has-changed/

Adding new control to SoA after audit

Adding, changing, or excluding a control from SoA is a natural and necessary thing to maintain the ISMS.

To do that, considering the requirements of the standard, you need to review your risk assessment and risk treatment, and your list of applicable legal requirements, to verify if there is any change in your context that can justify a change in SoA. Additionally, you need to check if there is any management decision to implement a control (in such cases there will be no changes in risk management nor in legal requirements).

Once a need for change is identified, you need to define an implementation plan to perform the change.

These articles will provide you a further explanation about SoA:

The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

Sending personnel data from UK or Europe for analysis.

The data you are going to process belongs to the special category of personal data under Article 9 GDPR (some legislation call them sensitive data) because this kind of data contains information which may end up in discrimination and in threats to the freedom and rights of individuals. Therefore, the EU GDPR requires controllers and processors to pay particular attention when processing this kind of data. 

Before starting processing, you will need a Data Protection Impact Assessment as Article 35 GDPR requires in order to verify the risk for freedom and rights of data subjects arising from your data process and assess the risks with appropriate safeguards. This will also help you to comply with privacy by design and privacy by default principles.

From the information you wrote, your data processing will be likely based on consent. Therefore, you will need to pay attention to the information provided to data subjects in your privacy notice and the request for consent.The register of processing activities will also be required.You will need to establish a procedure to deal with Data Subjects Access Request (DSAR) because data subjects may always withdraw the consent and you need to be able to verify the request and proceed with the exercise of DSAR and also comply with the right of erasure if requested so.

Be sure to inform data subjects that their data will be processed also in the US. 

Then, transferring data to a processor in the US may request safeguards: adoption of a data protection agreement with the approved standard contractual clauses is necessary because the EU Court of Justice invalidated the US Privacy Shield with the so-called Shrems II decision. You may also adopt secure transfer protocols and encryption (if you can anonymize data it would be a plus while pseudonymization is highly recommended).

Here you can find more information:

• A summary of 10 key GDPR requirements https://advisera.com/eugdpracademy/knowledgebase/a-summary-of-10-key-gdpr-requirements/
• List of mandatory documents required by EU GDPR https://advisera.com/articles/list-of-mandatory-documents-required-by-eu-gdpr/
• Data subject rights according to GDPR https://advisera.com/eugdpracademy/knowledgebase/8-data-subject-rights-according-to-gdpr//
• Everything you need to know about the GDPR Privacy Notice https://advisera.com/articles/gdpr-privacy-notice-6-key-elements-to-include/
• 5 phases of the EU GDPR Data Protection Impact Assessment https://advisera.com/eugdpracademy/knowledgebase/5-phases-of-the-eu-gdpr-data-protection-impact-assessment/
• What is privacy by design & default according to GDPR? https://advisera.com/eugdpracademy/blog/2018/04/17/what-is-privacy-by-design-and-default-according-to-gdpr/
• 3 steps for data transfers according to GDPR https://advisera.com/articles/3-steps-for-data-transfers-according-to-gdpr/

To have a deeper idea of the list of requirements of GDPR you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

Sample size in the field of valve calibration

Thank you so much

Format of procedure preparation

You can write the procedures in either world, excel, or another format.

The procedure writing method for IATF 16949:2016 standard is not different from ISO 9001:2015 standard. 

As you know a procedure states how the process needs to be done. 

A procedure offers a general description of how a company meets a process requirement and the procedure consists of more specifics. 

This includes scope, objective, responsibilities, references, application, specific tools, methods, measurements, and historical change of procedure.

There are 7 steps in writing quality management system procedures for ISO 9001:2015 and IATF 16949:2016 standards. 

These 7 procedure writing steps are listed below, respectively: