Search results

Home / Search

Category:
Select
Select

11277 results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • ISO 9001 and Customer focus

    An auditor can formulate an idea about how an organization works with customer focus by collecting information about:

    • What is being done to enhance customer satisfaction
    • How many complaints were received and how they were treated
    • What is the performance of indicators about promises made to customers concerning quality, service, delivery date, for example 

    You can find more information below:

  • Does a small Biotech company need to have a DPO?

    Article 37 GDPR states that the controller shall appoint a Data Protection Officer (DPO) when(a)the processing is carried out by a public authority or body;(b) the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 (included health data).

    Therefore, if your company process data on a large scale or there is regular and systematic monitoring of data subjects on a large scale (i.e. an app tracking Covid infections) you should appoint a DPO. You need to consider the scale of processing rather than the dimension of the company. Large scale is not defined by the GDPR, however, the former Working Party (a group study established the EU Commission) defined few examples of large scale (https://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp243_annex_en_40856.pdf):

    • processing of patient data in the regular course of business by a hospital
    • processing of travel data of individuals using a city’s public transport system (e.g. tracking viatravel cards)
    • processing of real time geo-location data of customers of an international fast food chain forstatistical purposes by a processor specialised in these activities
    • processing of customer data in the regular course of business by an insurance company or a bank
    • processing of personal data for behavioural advertising by a search engine
    • processing of data (content, traffic, location) by telephone or internet service providers

    Here you can find more information:

    If you want to know more about GDPR compliance you can consider enrolling in this EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

  • Help with ISO 27001 implementation

    1. Tough I would like to approach this topic from a more pragmatic and analytic way. I have seen on your website a categorization of ISO27k controls into organizational, technological, etc. on a pie chart so show with numbers. Could you please send me such a categorization which controls fall into which category?

    Please note that this is not a definitive list, because other people can use criteria different for grouping the controls. Broadly speaking we have:

    • Sections related to organizational issues: A.5, A.6., A.8, A.15
    • Section related to human resources: A.7
    • IT-related sections: A.9, A.10, A.12, A.13. A.14, A.16, A.17
    • Section related to physical security: A.11
    • The section related to legal issues: A.18

    2. It would be also much appreciated if you could suggest on high-level which control main-or sub-chapters would you suggest to include as generally applicable for doing risk assessment for a Domain Controllers and a VPN gateway.

    Since Domain Controllers and VPN gateways are technological solutions, controls from sections A.9, A.10, A.12, A.13. A.14, A.16, A.17 would be generally applicable for risk treatment. Please note that for risk assessment you can consider such controls as guidance to help identify potential risks (controls are not used during risk assessment).

    3. Furthermore in case doing risk assessment for such infrastructure elements, would you suggest to include additional assets like administrators therein? Or even documentation, facilities, because that is also related to my above question, if we have around 30 organizational type controls, the evaluation of those could be more or less the very same way applied to all infrastructure elements or what would you suggest to avoid double work?

    This we could also discuss personally in the course of the online expert support session offered, I am available for this purpose tomorrow or today afternoon.

    In your risk assessment, you should include all infrastructure elements that can impact information security, not only technical equipment (e.g., human error on DC configuration may be a relevant risk for you, or lack of formal procedures may cause important records not to be registered).

    During the assessment, what you can do to minimize rework is to assess how the risk related to these assets impacts the information security, not the DC or the VPN gateway.

  • The best way to include “evidences” of policy implementation

    Please note that ISO 27001 does not prescribe how to store evidence of implementation, so organizations are free to implement them the best that suits them.
     
    Considering that, you can adapt the storage approach to the type of the record (you do not need to adopt a single approach). For example, evidence of monitoring implementation can be stored in the monitoring system (i.e., the monitoring logs). Evidence of awareness and training can be included in the employee's personal folder.
     
    Regarding the use of links in the documents, you should consider including a link only to the general folder of your evidence (for example, the audit folder, not the specific audit). This way you can balance the agility to found the records without adding too much complexity.  

    This article will provide you a further explanation about record management:

    This material will also help you regarding record management:

  • ISO 27001 certification

    Please note that you have to verify the certification scope of the parent company to see if your branch is included in the scope (sometimes organizations include multiple locations in their ISMS scope, but in others do not). In case it is not included in the scope and you want the branch to be ISO 27001 certified, you need to go to the certification process for the branch unit.

    This article will provide you a further explanation about ISMS scope:

  • Meaning of Bomb attack and bomb threat

    In both cases, the meaning is about a physical bomb (i.e., causing a physical explosion). A bomb attack refers to the occurrence of an explosion, while a bomb threat is related to a threatening warning about a possible explosion.
     
    To refer to a logical bomb, the proper way should be to describe it as a "logical bomb" (i.e., a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met).  

  • MHRA & Med Devices RO requirement after Jan 1 2021

    If by RP you mean Responsible person as is defined in MDR 2017/745  Article 15 and  Article 16, Advisera can offer you the following documentation templates that cover the post-market surveillance system:

    In the Procedure for Post-Market Surveillance System is described who can be and what are the responsibilities of the Person for regulatory requirements.

    For more information, see:

Page 276-vs-13485 of 1128 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +