Search results

Document control

ISO 27001 requires that documents from an external origin relevant to the ISMS be identified and controlled, but it does not define how, so organizations are free to implement the approach that better suits them. Internal and external contacts can share the same identification approach, but as a good practice you should consider different ways, so you can track them more easily, especially if you have more contracts from one type than the other.

Regarding change control, what generally happens with contracts is that changes on them are included as annexes, pointing out which clauses have been included, excluded, or changed, so you do not need to use a tablet to perform change control.

This article will also help you regarding document management and ISO 27001:

• Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/

These materials will also help you regarding document management and ISO 27001:

• Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
• ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Email Addresses, Public Domain and US, India and EU Data Protection

You are right in thinking that a publicly listed email on the website is free to hand out, but the GDPR requires also to use personal data (i.e. email address) for the purposes for which are given. If someone lists the email address on his/her website, he/she wants to be contacted about his/her own activity (i.e. as a book blogger) they are not giving their consent to be inserted in an email database. 

You should contact them and ask for consent, even with automatic means, by asking them to be inserted in an email database for that purpose. You can imagine it as a service (something like “do you want to be updated with new authors publication?” or whatever your marketing team could imagine) and you need to ask them to consent to the transfer their address to third parties (authors).

Here you can find some articles about privacy policy and consent:

• Everything you need to know about the GDPR Privacy Notice: https://advisera.com/articles/gdpr-privacy-notice-6-key-elements-to-include/
• Is consent needed? Six legal bases to process data according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/ 
• Four main questions for obtaining and managing data subjects’ consent under GDPR: https://advisera.com/eugdpracademy/knowledgebase/four-main-questions-for-obtaining-and-managing-data-subjects-consent-under-gdpr/
• Email marketing in the era of GDPR – How to ensure compliance? https://advisera.com/eugdpracademy/blog/2019/05/27/gdpr-and-email-marketing-rules-for-compliant-campaigns/

These materials will provide further help:

• EU GDPR document template Privacy Notice: https://advisera.com/eugdpracademy/documentation/privacy-notice/

• EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

• Is customer consent needed?

  thanks a lot for your replay. that was helpful. Kind Regards, Elina

• EU GDPR form and permission

  The personal data you are going to collect is considered as sensitive data and are ruled by Article 9 GDPR because they refer to individuals’ health. You need to ask the consent of the interviewed person for collecting and showing results to the moderator. 

  Pseudonymization can be a good solution to protect the identity avoiding to show their name and calling them as “case 1” and “case 2”. Moderators can have access to full documentation upon request. You must specify that in the privacy notice you are going to submit to your individuals before interviewing them. You can also establish a data retention period and inform the interviewed individuals about how long the project will last and you are going to keep their data.

  Here you can find some articles about privacy policy and consent:

  • Everything you need to know about the GDPR Privacy Notice: https://advisera.com/articles/gdpr-privacy-notice-6-key-elements-to-include/
  • Is consent needed? Six legal bases to process data according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/

  EU GDPR document template Privacy Notice: https://advisera.com/eugdpracademy/documentation/privacy-notice/

  You may also consider enrolling in this online EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

• Clarification of terms used in ISO

  ISO 19011, the most used ISO audit standard uses the term "recommendation" to refer to results that are not a non-conformity but the organization must take a look at to see if they can lead or not to an opportunity for improvement.

  This article will provide you a further explanation about the opportunity for improvement:

  • Achieving continual improvement through the use of maturity models https://advisera.com/27001academy/blog/2015/04/13/achieving-continual-improvement-through-the-use-of-maturity-models/

  These materials will also help you regarding audits:

  • Preparing for ISO Certification Audit: A Plain English Guide https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/
  • ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
  • Free online training ISO 27001:2013 Internal Auditor Course

• Gap analysis

  1. I have a question to ask. Do we do the gap analysis first or IT risk framework?

   I'm assuming your questions are about ISO 22301 implementation and the management of IT-related risks.

  Considering that, first is important to note that ISO 22031 does not require a gap analysis to be performed, while the risk assessment is mandatory. Second, gap analysis is not recommended for smaller companies, because in general, it is not worth the effort due to their size and complexity. So, for smaller companies, it is better to perform only the IT risk framework, because will give you more specifics about handling risks in your IT environment.

  For bigger companies, the gap analysis will provide you a quick and comprehensive view of how much of the standard you already have implemented, and the results of gap analysis can be used as input for the IT risk framework.

  2. Which is easier to do? Looking forward to your feedback.

  Because gap analysis requires an overview of the situation, and the IT Risk Framework involves a deeper knowledge of risk management steps, the gap analysis would be easier to perform for a beginner.

  This article will provide you a further explanation about the gap analysis and risk assessment (although the article is about ISO 27001 the concepts also apply to ISO 22301):

  • ISO 27001 gap analysis vs. risk assessment https://advisera.com/27001academy/knowledgebase/iso-27001-gap-analysis-vs-risk-assessment/

• Surveillance audit

  The approach for the surveillance audit is basically the same for a certification audit, the difference being in the fact that in the surveillance not all ISMS scope is audited. Considering that, for the surveillance audit you should check:

  • the documents required by the ISO 27001 standard and any document that exists in the ISMS
  • the records used to evidence compliance with the documents (policies, procedures, etc.)
  • the status of raised internal and external nonconformities, so they are closed, or on schedule before the surveillance audit starts

  These articles will provide you a further explanation about preparing for an audit:

  •  Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/
  • Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/

  These materials will also help you regarding preparing for an audit:

  • Preparing for ISO Certification Audit: A Plain English Guide https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/
  • ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
  • Free online training ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

• ISO 9001 and calibration

  As far as I understand your situation and questions:

  • Your company was certified according to ISO 9001:2015.
  • Can your company internally calibrate a monitoring resource, use it to make measurements, and send the report of that measurements for the customer? Or should your company need a calibration lab?

  Your company can calibrate monitoring resources internally and use those monitoring resources to make measurements and issue reports for customers. However, to perform that calibration your company must use measurement standards. Those measurement standards must be calibrated against measurement standards traceable to international or national measurement standards. Normally, that traceability requirement makes mandatory to calibrate measurements standards at a calibration lab.

  You can find more information about calibration below:

  • Monitoring and Measurement Equipment Control - https://advisera.com/9001academy/blog/2014/05/06/monitoring-measurement-equipment-control/
  • Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

• NIST framework

  I'd suggest you t take a look at ISO 27004 (https://www.iso.org/standard/64120.html), a supporting standard that provides guidelines to help organizations in evaluating the performance and the effectiveness of an ISMS.

  These articles will provide you a further explanation about performance evaluation:

  • Key performance indicators for an ISO 27001 ISMS https://advisera.com/27001academy/blog/2016/02/01/key-performance-indicators-for-an-iso-27001-isms/
  • ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/

• Procedure for determining context of the organization

  Yes, the procedure for determining the context of the organization is not mandatory. Please, check this article - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/

  The following material will provide you information about the context of a quality management system:

  • How to identify the context of the organization in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
  • Free webinar - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/
  • Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/