Search results

Change in quality manual

If the quality manual mentions the Management Representative by his or her name, then there is need to update the quality manual. For example, some organizations include in the quality manual an organization chart with names. If the person changes the organization chart becomes outdated and the same for the quality manual.

You can find more information about document control below:

• New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
• How to set up document approval/withdrawal within your QMS based on ISO 9001:2015 - https://advisera.com/9001academy/blog/2016/04/12/how-to-set-up-document-approvalwithdrawal-within-your-qms-based-on-iso-90012015/
• Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/

Audit of completed erasure

I have a GDPR question that’s not related to DPIAs and has been bugging me since I went through our GDPR documentation (from your kit – thank you 😊).

We make software that is sold as a product but also offered SaaS. My question is related to the Right to Erasure. The product has a  directory database in it which holds, at minimum, business contact details.
By design, there is no reason for the directory to hold anything more, although we do allow custom fields to be labeled an populated with anything. We have a Privacy module that allows a nominated set of DP users (either the customer or our managed services team) to run a “forget” process. This anonymizes all data held in the SQL warehouse and directory relating to the forgotten person.

My dev team wants to have an audit trail to demonstrate that the process has been performed, and that is my preference as well, but without the name, it is pretty pointless.

So, my question is: Do we need to have an audit of a completed erasure?

An audit of completed erasure could enhance your accountability in complying with the right to be forgotten and it is a good choice yet it is not mandatory because GDPR leaves up to the Data controller the choice on how to comply with data subjects’ rights.

If we have one and use the forgotten person’s name with no way to reverse engineer the process, is that compliant?

Yes, the GDPR does not provide a specific definition of “erasure”, so it is open to interpretation. Austrian Data Protection Authority in 2018 considered irrevocable anonymization as compliant as data deletion. The key point is to highlight that once anonymized re-identification has become impossible. That’s why an audit of complete erasure (or irrevocable anonymization) is a good idea: you will be able to demonstrate your compliance with the data subject’s request.

You can find more information in these articles:

• Right to be forgotten in the era when everyone seems willing to be remembered: https://advisera.com/eugdpracademy/blog/2019/08/26/gdpr-right-to-be-forgotten-an-easy-explanation/
• Is consent needed? Six legal bases to process data according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/
• Four main questions for obtaining and managing data subjects’ consent under GDPR: https://advisera.com/eugdpracademy/knowledgebase/four-main-questions-for-obtaining-and-managing-data-subjects-consent-under-gdpr/

You can also consider enrolling in this free online EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

Internal audit

No, it is not mandatory to do that.

Some may do it:

• to gather more first-hand information that cannot be grasped from an audit report,
• to help auditees in more need,
• because they don’t trust the auditor;
• because they want to check the auditor opinion in some “cloudy” areas;
• because they want to pressure the audit content.

The following material will provide you more information about internal audit:

• 13 Steps for ISO 9001 Internal Auditing using ISO 19011 - https://advisera.com/9001academy/knowledgebase/13-steps-for-iso-9001-internal-auditing-using-iso-19011/
• How to write a good ISO 9001 audit nonconformity? - https://advisera.com/9001academy/blog/2018/04/24/how-to-write-a-good-iso-9001-audit-nonconformity/
• Free webinar on demand - How to perform an ISO 9001:2015 internal audit - https://advisera.com/9001academy/webinar/how-to-perform-an-iso-9001-2015-internal-audit-free-webinar-on-demand/
• Enroll for free at ISO 9001:2015 Lead Auditor Training Course - https://advisera.com/training/iso-9001-lead-auditor-course/
• Book ISO Internal Audit: A Plain English Guide https: //advisera.com/books/iso-internal-audit-plain-english-guide/

Nonconformity detection process

Remember, when ISO 14001 speaks of nonconformity, the requirements refer to the nonconformity of a process with respect to the environmental aspects associated with that process. So, you must start with determining and classifying your organization’s environmental aspects and impacts. From there your organization:

• Design monitoring activities (water discharge quality, air emissions, amounts of wastes, …);
• Develop procedures and instructions to guide behavior.
   

Now, you can use the risk-based approach. For each of these actions your organization can ask:

• What can go wrong?
• Is it relevant?
• Can we do something to prevent it from happening?
• Can we do something to detect if it happens? 

Whenever your detection scheme, your control activities, find something wrong from that list you have a nonconformity. Your organization may develop a central procedure to handle all environmental nonconformities or may have rules inserted in each monitoring plan or procedure/instruction about how to handle each specific environmental nonconformity. For example:

• What to do when air emission quality is noncompliant with legislation or permit?
• What to do when employees are not segregating wastes?
   

Please consider the following information:

• Environmental Nonconformity Management: How is ISO 14001 different from ISO 9001 - https://advisera.com/14001academy/blog/2014/10/08/environmental-nonconformity-management-iso-14001-different-iso-9001/
• Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
• Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/

ISO 270001 standard implementation

For ISO 27001 certification, a disaster recovery site is necessary only if you have relevant risks that are reduced to acceptable levels by implementing this approach, or if there are legal requirements (e.g., laws, regulations or contracts) demanding the implementation of this site.

If none of the above-mentioned conditions apply, then you do not need a disaster recovery site to be certified.

This article will provide you a further explanation about selecting controls:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/

These materials will also help you regarding ISO 27001 implementation:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

ISO 27001 stakeholders

1 - Who are iso 27001 stakeholders?

Answer: For ISO 27001, stakeholders are known as interested parties and are people or entities that can affect, or be affected, by the Information Security Management System. Most common stakeholders are:
- top management
- employees
- customers
- suppliers
- regulators
- government

2 - How do we identify them?

Answer: The ISO 27001 interested parties are identified based on the analysis of organizational context (internal and external issues that can affect, or be affected, by the ISMS), and in the legal requirements (e.g, laws, regulations and contracts) the organization has to comply with.

For further information, see:
- How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//

3 - Are top managers included in the ISMS scope?

Answer: The ISMS scope is normally defined in terms of information, locations, business units or process to be protected, not people or roles.

In most cases, the managers that have the highest position in the ISMS are included in the scope - e.g. if only one department is included in the scope then this is the head of the department; if the whole company is included in the scope then this is the CEO of the company.

 What happens is that top managers take an essential role in the ISMS implementation, by setting directives and objectives and providing resources.

These articles will provide you a further explanation about the scope definition and top management responsibilities:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
- Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/

These materials will also help you regarding ISO 27001:
- How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
- ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Business Impact Analysis report

Please note that ISO 22301 does not require a BIA report, and in most cases smaller and mid-size companies are not using such document.

Usually what happend is that the results of the BIA are summarized (reported) through the Business continuity strategy.

To see how a Business continuity strategy looks like, I suggest you take a look at the free demo of our Business continuity strategy at this link: https://advisera.com/27001academy/documentation/business-continuity-strategy/

Experience for taking up ISO27001

I'm assuming you are talking about attending the course and taking the final exam.

Considering that, there is no previous mandatory knowledge requirement for the course and the exam. What happens is that previous knowledge in certain areas, like IT, process management, audit, etc., can allow you to make better use of the course and make the final exam easier.

This material will also help you regarding ISO 27001 courses:
- Free ISO 27001 online trainings: https://advisera.com/training/iso-27001-training/

SoA and selection of controls

You have to implement a control only to the extent it reduces related risks to acceptable levels and ensures legal requirements (e.g., laws, regulations, or contracts) are fulfilled.

This article will provide you a further explanation about risk treatment:

• Risk Treatment Plan and risk treatment process – What’s the difference? https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment

These materials will also help you regarding risk treatment:

• Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
• ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

Preparing an e-mail policy

How to handle email is included in the IT Security Policy, folder 14.A.8 section 3.14

If you need to find more information on how to fill the document, you can check this article:

• How to structure the documents for ISO 27001 Annex A controls: https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/

If you want to learn more about security controls, this eBook can help you:

• ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/