Search results


  • Retaining personal information

    I was trying to find the key stakeholders under GDPR. GDPR doesn't set a timeline on how long you must retain personal information of an employee, but what if we want to hold some of their information for auditing purposes, will this be allowed?


    GDPR does not set any timeline for data retention because the needs may vary according to the kind of personal data that is processed. You need to remember that any personal data must be processed under the principles listed in Article 5 GDPR (data minimization, in particular). In some cases, Member States’ legislation may set an obligation to keep documentation (e.g. bookkeeping records), so you need to verify first whether any internal regulation requires you to retain your employees' personal data for a certain period of time. If you want to process data for auditing purposes, you need to specify it in your employees’ privacy notice.

    Here you can find some information:

    - Who are the key stakeholders in a GDPR compliance project? https://advisera.com/eugdpracademy/blog/2018/09/24/who-are-the-key-stakeholders-in-a-gdpr-compliance-project/
    - How the GDPR could impact your HR department https://advisera.com/eugdpracademy/blog/2018/02/22/how-the-gdpr-could-impact-your-hr-department/
    - Is consent needed? Six legal bases to process data according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/
    - Contents of the Data Protection Policy according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/contents-of-the-data-protection-policy-according-to-gdpr/

    You can also consider enrolling in our free EU GDPR Foundation course: EU GDPR Foundations Course

  • Configuration management process

    Thanks for the clarification, it is informative.

  • Supplier qualification

    I'm looking for information regarding supplier qualification to be compliant with ISO 13485

  • Application of integrated ISO 9001 and ISO 13485

    While ISO 13485:2016 gives the medical device manufacturer a standard to be in compliance with the necessary requirements to prove that the medical device is produced in a safe manner, ISO 9001 gives a more detailed view into the management process, especially business risks and defining the context and strategy of the organization.

    Implementing both standards can lead to better management of the whole company. However, some customers explicitly require ISO 9001.

    For more information on the ISO 13485 structure and requirements, please read the article at the following link:
    ISO 13485 structure and requirements https://advisera.com/13485academy/what-is-iso-13485/

    For more information, please read the following article: What is ISO 9001? https://advisera.com/9001academy/what-is-iso-9001/

  • Calibration Intervals

    You need to prove that in the time from the calibration due date to the end of the month there is nothing wrong with your device. So in your rationale, you can state how often you use the device in that time (daily, weekly), whether the storage conditions of the equipment have changed, and whether you removed the equipment or not (if it is applicable for your type of calibration device). If you can prove that there are no risks in that time that can influence the accuracy of the calibration device, it will be a good rationale.

    For more information on Calibration requirements in ISO 13485, please see the following article:
    Calibration requirements in ISO 13485 https://advisera.com/13485academy/blog/2019/03/08/calibration-requirements-in-iso-13485/

  • A.9.4.4 Use of Privileged Utility Programs

    If I understood you correctly, the perimeter of "Privileged Utility Programs" refers to where, or in which situations, you can use "Privileged Utility Programs" (programs that can change or bypass security features).

    An example would be the use of Windows Update only in IT labs (where) during the hardening process (situation). This restriction will prevent regular users from installing patches not homologated by the organization on their machines.

  • Advice on dividing workload

    Please note that the toolkit approach for implementation is to work through the documents in the order they are presented in the folders. You should not work on documents and clauses separately, nor work on some of the documents in parallel (this will only make things more complicated).

    Since you will be working with a partner in the implementation, my suggestion is to divide the workload only for the documents from Annex A.

  • Conformio dashboard

    1. What does "Determine required communication" mean and how do we show compliance?

    Answer: ISO 27001, clause 7.4, requires a definition of internal and external communication needs relevant to the ISMS (e.g., what to communicate, to whom, when, by whom, etc.), but since the standard does not prescribe how to implement that, organizations are free to choose the approach that best fits them.

    Depending on the size of the organization and its security objectives, the communication needs may be fully documented as a separate document or simply stated in a few sentences within other policies, procedures, and plans (the last one is the approach adopted in our toolkits).

    This article will provide you further explanation about the communication plan:
    - How to create a Communication Plan according to ISO 27001 https://advisera.com/27001academy/blog/2014/10/27/how-to-create-a-communication-plan-according-to-iso-27001/

    2. How do we show compliance with "introduce no-blame security culture"?

    Answer: Please note that "introduce no-blame security culture" is not a requirement of the standard, but a good practice to support leadership and commitment (e.g., to direct and support persons to contribute to the effectiveness of the ISMS).

    One way to demonstrate that this culture is implemented is by evidencing nonconformities and security incidents reported by employees, because this will show that employees are not afraid to report those even if they are the ones that have caused them.

    This article will provide you further explanation about the communication plan:
    - Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/

  • Control A7.1.1

    From your question, it is not clear whether the law you are referring to demands screening, or defines restrictions on screening.

    Considering that, in case you identify a need to implement control A.7.1.1, but this implementation has legal limitations, you have to state in the SoA that this control is applicable with limitations, briefly explaining the exceptions. An example of a justification where you have a legal requirement demanding the control (e.g., a customer contract), but you also have another legal requirement defining limitations on its applicability would be "Control required by Customer contract ABC, limited by Brazilian Consolidation of Labor Laws (CLT)".

    This article will provide you further explanation about applying security controls:

  • ISO 22301 planning phase

    I'm assuming you are asking for the elements to be considered when planning the implementation of ISO 22301.

    Broadly speaking, you must consider:

    • obtaining management support
    • identification of legal requirements
    • development of a business continuity policy and objectives
    • development of a basic document management system
    • development of business impact analysis and risk assessment and treatment methodologies

    With these implemented, you will have a solid foundation to implement ISO 22301.

    This article will provide you further explanation about ISO 22301 implementation steps:

    This material will also help you regarding ISO 22301 implementation:
