
  • Annex A controls to be applied while mitigating GDPR related risks

    In general, there are no "GDPR-related risks", there are only risks related to the confidentiality, integrity and availability of personal data.

    To answer your questions:

    1) Can you advise which of the Annex A controls are to be applied while we try to mitigate GDPR related risks?

    Answer: Article 32 (Security of processing) of GDPR requires the following safeguards to be implemented:

    • Risk management - ISO 27001 clause 6.1
    • Encryption - ISO 27001 section A.10
    • Ability to restore the availability - ISO 27001 section A.17
    • Access control - ISO 27001 section A.9
    • Regular testing, assessing and evaluating the effectiveness - ISO 27001 clause 9.2 (Internal audit)

    Further, GDPR Articles 28, 32, 33, 34, 39 and 82 require the following:

    • Relationship with suppliers / processors - ISO 27001 section A.15
    • Handling incidents / data breaches - ISO 27001 section A.16
    • Training and awareness - ISO 27001 clauses 7.3 and 7.4; control A.7.2.2
    • Ensuring confidentiality, integrity and availability - this is basically the whole ISO 27001 standard

    You can find more information in this free webinar: How to integrate GDPR with ISO 27001 https://advisera.com/eugdpracademy/webinar/how-to-integrate-gdpr-with-iso-27001-free-webinar-on-demand/


    2) Also, do we have any other Annex for GDPR related risks controls?

    Answer: ISO 27001 does not have any other Annex that would cover privacy or GDPR; however, the ISO 27701 standard covers privacy management in more detail - here's some info: Relationship between ISO 27701, ISO 27001, and ISO 27002 https://advisera.com/27001academy/blog/2019/12/10/relationship-between-iso-27701-iso-27001-and-iso-27002/

  • ISO 14001 risks and opportunities management plan

    About risks and opportunities in ISO 14001:2015 I recommend reading Annex A.6.1.1. What does your organization want from the environmental Management System (EMS)?

    https://www.screencast.com/users/ccruz5284/folders/Default/media/251ea67c-cd40-4465-908e-14cddbd60f16

    How is this done? With a set of action plans:

    https://www.screencast.com/users/ccruz5284/folders/Default/media/bf850849-e208-4f95-bb58-93fba4685729

    Risks and opportunities are:

    https://www.screencast.com/users/ccruz5284/folders/Default/media/eade82e8-3d97-44e1-93b5-6ad8100ed605

    What A.6.1.1 tells us is:

    • Look into your list of environmental aspects, which can create risks and opportunities. Your significant aspects can generate significant impacts and those can be seen as risks and opportunities
    • Look into your list of compliance obligations, are there risks of failing to comply, or opportunities to be better than compliance obligations?
    • Look into your context and interested parties: which of them can create risks and opportunities? For example, trends in environmental legislation, trends in the neighborhood, or clients' sentiment about your organization's environmental performance.

    Determining environmental aspects is determining how an organization interacts with the environment. For example:

    https://www.screencast.com/users/ccruz5284/folders/Default/media/9800c317-84db-4a4f-b6db-741f0dc6576d

    Determining risks and opportunities of an organization, according to ISO 14001:2015, is based on its environmental aspects, compliance obligations, and context and interested parties.

    For example, concerning environmental aspects we can have:

    https://www.screencast.com/users/ccruz5284/folders/Default/media/41f52d5c-bdf7-4fad-b0bd-057c24a5634a

    Since organizations have to consider the lifecycle of their products and services, do not forget to consider risks and opportunities around your products and services during use or final disposal.

    For example, concerning compliance obligations, and context and interested parties, the above organization can realize that neighbors (an interested party) are pressuring local authorities not to allow its expansion (an external issue) due to non-compliance with wastewater discharge legislation (compliance obligations), translated into river pollution.

    Please check the risk definition (3.2.10) in ISO 14001:2015 (effect of uncertainty). With environmental aspects and impacts we are considering normal, expected situations, like start-up and closing-down operations, but also abnormal and emergency situations. Whenever there is uncertainty there are risks or opportunities; there is a potential deviation from the expected.

    Please check this information below with more detailed answers:

  • ISO 14001 implementation benefits

    A – An EMS according to ISO 14001:2015 requires environmental objectives, requires environmental indicators, requires having a clear picture of the interaction with the environment through a register of classified aspects and impacts, and requires having a clear sense of environmental compliance obligations and their status. All these issues help management take decisions based on facts.

    B – An organization with an EMS according to ISO 14001:2015 monitors, controls and communicates its environmental performance. Communication brings more transparency, and more transparency brings more trust.

    C - An EMS according to ISO 14001:2015 keeps an updated register of environmental aspects and impacts.

    D – I don’t know what precise meaning you attribute to “Social security”. So, I translate that into: An EMS according to ISO 14001:2015 can reduce environmental insurance fees, can make an organization more attractive to potential employees that value the environment issue.

    E - An EMS according to ISO 14001:2015 can help organizations win customers and clients that value the environmental issue and can help organizations in being more efficient by focusing attention on reducing environmental costs and higher yields.


    Please check below more information:

  • Is ISO 27001 applicable to community non-profit with regards to ensuring continuity?

    Yes, ISO 27001 is applicable to any type of organization (for profit or non-profit), any size of the organization, and any industry.

    You can find more information in this article: What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/

    To learn more about this standard, you'll find useful this free online training: ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

  • Design master file

    There is no direct requirement that the design master file must have control numbers, revisions, and similar. However, ISO 13485:2016 requirement 4.2.4 Control of documents states that all documents required by the quality management system must be controlled, and that this control includes the following: review and approve documents for adequacy prior to use; ensure that the current revision status of and changes to documents are identified; prevent deterioration or loss of documents; and prevent the unintended use of obsolete documents and apply suitable identification to them.

    Since the design master file is part of the quality management system, this also applies to that file.

    For more information on common mistakes with ISO 13485:2016 documentation control and how to avoid them, please see the following link:

    • Common mistakes with ISO 13485:2016 documentation control and how to avoid them https://advisera.com/13485academy/blog/2018/03/14/common-mistakes-with-iso-134852016-documentation-control-and-how-to-avoid-them/

    • Medical Device File

      It would be good if you could add which standards are applied during production (if any), and if you are certified to ISO 13485:2016 it would be great if you could give the number of the certificate, the validity date of the current certificate, and the notified body who issued the certificate.

    • Intermediary device security

      The ISO 27k series of standards does not contain technical standards, i.e. they do not define technical security requirements. The main standard in the series is ISO 27001, and it works on the principle that you have to identify risks, and then, based on those risks, you have to define for yourself which kinds of technical controls are applicable. In other words, to be compliant with ISO 27001, you need to set your own internal standards and rules, and make sure you comply with them.

      If you want more technically oriented standards, you can take a look at the NIST SP 800 series: https://csrc.nist.gov/publications/sp800

      Learn more here: The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

      You'll also find this free online training useful: ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

    • Addressing and closing nonconformity regarding clause 7.2

      Clause 7.2 requirements relate to the selection, verification and validation of methods. I cannot tell from your question what the specific nonconformity (NC) is.

      For all tests that your laboratory is accredited for, you should have access to and be using the most recent standard methods or the latest reviewed in-house methods. Then you should know what the performance requirements are to meet the purpose (use) of the test. Validation or verification activities must prove that the parameters are suitable.

      The nonconformance must be addressed according to your laboratory procedure. The specific problem statement is the crucial starting point, i.e. what should be in place and is not in place (a gap) or is deviating from requirements. Then you should perform root cause analysis and find the correctable causes that, if addressed, will resolve the nonconformance and stop it from recurring. Then select the appropriate actions and implement them. Closing the NC will follow once it is verified that the action taken was effective.

      The following may be of interest:

      The ISO 17025 toolkit procedure Test and Calibration Method Procedure, along with two supporting documents, Test Method Development, Verification and Validation Register and Test Method Development, Verification and Validation Record. The techniques for method validation are listed, as well as the required records. The procedure is also available separately at https://advisera.com/17025academy/documentation/test-and-calibration-method-procedure/

      A question and response in the Advisera Expert Community regarding Clause 7.2.1.3 at https://community.advisera.com/topic/clause-7-2-1-3/

    • Including WFH or teleworking in audit plan

      1 - Can an external auditor still consider this compliant, and can an ISO/IEC 27001 certification be awarded to the company?

      Even if WFH or teleworking is not included in the audit plan, if the auditor identifies that this practice affects the stated ISMS scope, he can include it in the audit (because it may compromise the security of the information the ISMS is intended to protect), checking whether relevant requirements were identified, whether risk assessment and treatment were performed, and, in case controls are required, whether they are implemented and working properly.

      If such items are not properly fulfilled, this could mean a nonconformity that can prevent the certification from being awarded.

      2 - Is there such a thing as partial certification?

      What is possible is that you limit the scope of your ISMS, and therefore limit the scope of certification - see this article for more information:

    • Monitoring and measuring environmental processes and activities

      Speaking in general terms, you can measure outputs like air emission quality, water discharge quality, and environmental noise levels. You can measure the amounts and types of wastes generated, and the amount of reused, recycled or landfilled wastes. You can measure the amount of hazardous wastes generated. You can measure efficiency in the use of resources like water, energy or main raw materials. Some of these may be prescribed by legislation with a frequency attached; others may be voluntary.

      Please consider the following information:
