Search results

Using ISO 27001 and 27017 to get GDPR compliance

It is possible to use ISO 27001 to cover the requirements of GDPR Article 32 (ISO 27017 is not required unless you have specific requirements demanding controls from this standard). For the remaining requirements of GDPR, you should define additional approaches.

This article will provide you a further explanation about ISO 27001 and GDPR:

• Does ISO 27001 implementation satisfy EU GDPR requirements? https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/

This material will also help you regarding ISO 27001 and GDPR:

• How to integrate GDPR with ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-integrate-gdpr-with-iso-27001-free-webinar-on-demand/

Management review after audit

Yes, it makes sense to carry out the management review meeting after the internal audit has been carried out. The internal audit captures relevant information that does not come from the simple analysis of the process indicators.

That way, one of the decisions of the management review meeting may be the decision to go to certification.

How long, after the internal audit, should a management review meeting be being held?

Some organizations decide to do it right away, one week or so after the internal audit, they believe that top management can infuse direction and pressure to close any nonconformities.

Other organizations decide to give a one month interval between internal audit and management review meeting because they want to present a picture of what was found and what was done to close any nonconformity. 

So, it is up to your organization to decide what kind of interval will be more useful.

Perhaps the following information could be useful for your organization:

• What is the ISO 9001 audit program, and how does it work? - https://advisera.com/9001academy/blog/2017/01/24/what-is-the-iso-9001-audit-program-and-how-does-it-work/
• Free online training ISO 9001 Internal Auditor - https://advisera.com/training/iso-9001-internal-auditor-course/
• Book ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/
   

ISO representative responsabilities

ISO 9001:2015 no longer makes mandatory the existence of an ISO representative function. So, organizations are free to decide to keep that function, and are free to decide what are their responsibilities and authorities. This is the technical answer.

The practical answer, based on my experience, is that an ISO representative can be a Project Sponsor or a Project Manager. As Project Manager an ISO representative coordinates a Project Team. Members of that Project Team should work together with people from each department to question the organization’s status quo, think about improvements and develop work procedures.

Putting an ISO representative as the sole writer of work procedures will delay the project implementation, will fuel resistance to change and will be far from effective to improve an organization’s performance.

Perhaps the following information could be useful for you:

• Free webinar on demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
• You can enroll for free in this ISO 9001:2015 Lead Implementer Course - https://advisera.com/training/iso-9001-lead-implementer-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

ISO27001 for a Cloud Service Provider

First is important to note that ISO 27001 is not applied to services, but to the process they rely on.

The second issue is, I'm assuming your question is about if the approach to a cloud services provider is similar to a data center provider.

Considering that, the general approach is the same:

• identify relevant requirements (e.g., business, customers, legal, etc.)
• identify and treat relevant risks
• operate, evaluate and improve the controls and processes

The difference will be on the application of controls related to the type of provided cloud service. For example:

• for IaaS, the controls applied by the provider will be limited to physical infrastructure and virtual machines
• for PaaS, the controls applied by the provider will also cover virtual servers, and, to some degree, applications
• For SaaS, the controls applied by the provider will cover datacenter facilities’ physical location, hardware, and software

For a data center provider, the provider will have to consider applying controls to datacenter facilities’ physical location, hardware, software, and data.

This article will provide you a further explanation about ISMS scope for cloud services

• Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
• ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

These materials will also help you regarding ISO 27001:

• ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Difference in between ISO 9001 and ITAF 16949

ISO 9001 sets the base requirements of a quality management system. It is a generic standard, that means that can be used in any kind of organization. The IATF 16949 standard is a supplemental standard and is used in conjunction with ISO 9001 in the automotive sector.

Without any doubt ISO 9001 is easier and most appropriate for a small business company. I would only recommend IATF 16949 if your company is operating in the automotive sector and if any major customer requires its use.

You can find more information about ISO 9001 below:

• What are the main differences between IATF 16949 and ISO 9001? - https://advisera.com/16949academy/blog/2019/11/19/iso-9001-vs-iatf-16949-what-is-the-difference/
• What is ISO 9001? - https://advisera.com/9001academy/what-is-iso-9001/
• Quality Management System: What is it? - https://advisera.com/9001academy/knowledgebase/quality-management-system-what-is-it/
• Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/
• Free webinar on demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

GDPR and ISMS

I'm assuming that you already have knowledge about GDPR requirements related to information security.

Considering that, the proper course will depend on your objective:

• if you want to understand ISO 27001 and its controls to apply them for GDPR, you must go for the ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
• if you want to implement ISO 27001 controls to cover GDPR, you must go for the ISO 27001:2013 Lead Implementer Course https://advisera.com/training/iso-27001-lead-implementer-course/
• if you want to audit if ISO 27001 controls applied to cover GDPR, you must go for the ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

This article will provide you a further explanation about ISO 27001 and GDPR:

• Does ISO 27001 implementation satisfy EU GDPR requirements? https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/

This material will provide you a further explanation about ISO 27001 and GDPR:

• How to integrate GDPR with ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-integrate-gdpr-with-iso-27001-free-webinar-on-demand/

Hand sanitizers under ISO 13485

According to the ISO 13485:2016, device that can be considered as medical devices is disinfectant substances. Here is the differentiation between similar products: sanitizers reduce bacteria on a surface by at least 99.9%, disinfectants kill a wider range of microorganisms (than sanitizers), and cleaners simply remove dirt, soils, and impurities from surfaces. 

So, if you declare that your hand sanitizer KILLS microorganisms, that it is disinfectant and is defined as a medical device that needs to be manufactured under ISO 13485:2016. If this is not your statement, then it is most probable that your product is a cosmetic product and needs to be produced in compliance with ISO 22716:2007 Cosmetics — Good Manufacturing Practices (GMP) — Guidelines on Good Manufacturing Practices.

For more information read the following article: 

• What is ISO 13485? https://advisera.com/13485academy/what-is-iso-13485/

In case you decide to implement ISO 13485:2016, following link can help to see which documentation is necessary: 

• ISO 13485:2016 Documentation Toolkit https://advisera.com/13485academy/iso-13485-documentation-toolkit/  

• Change in quality manual

  If the quality manual mentions the Management Representative by his or her name, then there is need to update the quality manual. For example, some organizations include in the quality manual an organization chart with names. If the person changes the organization chart becomes outdated and the same for the quality manual.

  You can find more information about document control below:

  • New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
  • How to set up document approval/withdrawal within your QMS based on ISO 9001:2015 - https://advisera.com/9001academy/blog/2016/04/12/how-to-set-up-document-approvalwithdrawal-within-your-qms-based-on-iso-90012015/
  • Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/

• Audit of completed erasure

  I have a GDPR question that’s not related to DPIAs and has been bugging me since I went through our GDPR documentation (from your kit – thank you 😊).

  We make software that is sold as a product but also offered SaaS. My question is related to the Right to Erasure. The product has a  directory database in it which holds, at minimum, business contact details.
  By design, there is no reason for the directory to hold anything more, although we do allow custom fields to be labeled an populated with anything. We have a Privacy module that allows a nominated set of DP users (either the customer or our managed services team) to run a “forget” process. This anonymizes all data held in the SQL warehouse and directory relating to the forgotten person.

  My dev team wants to have an audit trail to demonstrate that the process has been performed, and that is my preference as well, but without the name, it is pretty pointless.

  So, my question is: Do we need to have an audit of a completed erasure?

   

  An audit of completed erasure could enhance your accountability in complying with the right to be forgotten and it is a good choice yet it is not mandatory because GDPR leaves up to the Data controller the choice on how to comply with data subjects’ rights.

   

  If we have one and use the forgotten person’s name with no way to reverse engineer the process, is that compliant?

  Yes, the GDPR does not provide a specific definition of “erasure”, so it is open to interpretation. Austrian Data Protection Authority in 2018 considered irrevocable anonymization as compliant as data deletion. The key point is to highlight that once anonymized re-identification has become impossible. That’s why an audit of complete erasure (or irrevocable anonymization) is a good idea: you will be able to demonstrate your compliance with the data subject’s request.

  You can find more information in these articles:

  • Right to be forgotten in the era when everyone seems willing to be remembered: https://advisera.com/eugdpracademy/blog/2019/08/26/gdpr-right-to-be-forgotten-an-easy-explanation/
  • Is consent needed? Six legal bases to process data according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/
  • Four main questions for obtaining and managing data subjects’ consent under GDPR: https://advisera.com/eugdpracademy/knowledgebase/four-main-questions-for-obtaining-and-managing-data-subjects-consent-under-gdpr/

  You can also consider enrolling in this free online EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

• Internal audit

  No, it is not mandatory to do that.

  Some may do it:

  • to gather more first-hand information that cannot be grasped from an audit report,
  • to help auditees in more need,
  • because they don’t trust the auditor;
  • because they want to check the auditor opinion in some “cloudy” areas;
  • because they want to pressure the audit content.

  The following material will provide you more information about internal audit:

  • 13 Steps for ISO 9001 Internal Auditing using ISO 19011 - https://advisera.com/9001academy/knowledgebase/13-steps-for-iso-9001-internal-auditing-using-iso-19011/
  • How to write a good ISO 9001 audit nonconformity? - https://advisera.com/9001academy/blog/2018/04/24/how-to-write-a-good-iso-9001-audit-nonconformity/
  • Free webinar on demand - How to perform an ISO 9001:2015 internal audit - https://advisera.com/9001academy/webinar/how-to-perform-an-iso-9001-2015-internal-audit-free-webinar-on-demand/
  • Enroll for free at ISO 9001:2015 Lead Auditor Training Course - https://advisera.com/training/iso-9001-lead-auditor-course/
  • Book ISO Internal Audit: A Plain English Guide https: //advisera.com/books/iso-internal-audit-plain-english-guide/