Search results


  • Implementing ITSM and Agile Methods Together

    Thanks for that information 

  • Risks to Impartiality

    Yes, you are correct in your interpretation. A laboratory needs to consider possible risks to impartiality (in terms of the definition of impartiality), then identify any that may be possible (even if low probability) in your context (what you do, who your clients and external providers are, and what your organizational structure is). There are many aspects that are covered under impartiality. These are explained in the definition of impartiality in ISO 17025, where impartiality is simply the presence of objectivity; meaning there are no conflicts of interest (or they are resolved/safeguarded) so that there are no factors that can negatively influence the activities of the laboratory. Look at the standard for the other terms, such as “freedom from bias”. So anything that will impact any established policies, including a Code of Conduct. For example, personnel are put under undue pressure where they have to, as you say, take shortcuts that may jeopardize the results. Everything must be in place to ensure competent, consistent operations, i.e. consistently valid results.

    You asked: is there a good way to communicate these?

    Through risk analysis and the use of tools showing cause and effect, such as fishbone diagrams. Involve all relevant personnel. Use brainstorming and set out a process chart for an activity showing the inputs and outputs and the influencing factors. Then indicate the controls in place. Using your risk register, indicate whether, with those current controls (risk treatment), the risk is at an acceptable level or not. Then record how you will monitor the effectiveness over time – for example, in monthly meeting discussions, when onboarding new personnel, clients, or suppliers, and during internal audits.

    For more information, have a look at the advice answers

    Compliance with the ISO/IEC 17025:2017 requirement for Impartiality - https://community.advisera.com/topic/compliance-with-the-isoiec-170252017-requirement-for-impartiality/

    Procedure for impartiality - https://community.advisera.com/topic/procedure-for-impartiality/

    The ISO 17025 document template Registry of Key Risks and Opportunities is available as part of the toolkit, and also for preview and separate purchase at https://advisera.com/17025academy/documentation/registry-of-key-risks-and-opportunities/

  • Disaster Recovery and Business Continuity Testing

    Considering the most used standards for these topics (ISO 27001 for information security and ISO 22301 for business continuity), these standards do not prescribe how often testing and exercises should be performed.

    To comply with these standards, you need to perform a risk assessment and identify applicable legal requirements to define the proper frequency for these tests and exercises.

    In case your risk assessment and requirements do not provide a proper reference, you can try starting with these suggestions:

    • testing backups and SQL databases - e.g., once a quarter
    • BC testing and exercises - e.g., once a year

    For further information, see:

    • Backup policy – How to determine backup frequency https://advisera.com/27001academy/blog/2013/05/07/backup-policy-how-to-determine-backup-frequency/
    • How to perform business continuity exercising and testing according to ISO 22301 https://advisera.com/27001academy/blog/2015/02/02/how-to-perform-business-continuity-exercising-and-testing-according-to-iso-22301/

  • Clarification on ISO 27001:2022 certification

    1 - From the implementing/certification point of view, shall the described be considered globally, all included in the implementation/certification, or rather, is it possible or advisable to separate them? I.e., consider the platform separately, with its own certification.

    Due to the size of your company (around 60 employees), unless you have specific requirements for this cloud-based platform to have its own certification (e.g., a law or a contract with a customer), the best approach is to consider a single implementation covering the whole organization, because, for companies of this size, the effort to separate what is included in the ISMS scope from what is not included is not worthwhile.

    For further information, see:

    2 - If they were to be separate, how would this even be managed in Conformio?

    In case you have a need for the platform to be in a separate implementation/certification, you can create two regular Conformio accounts (one for each instance you want to certify) and do a separate certification for both. As separate accounts, it is not possible to share documents or data to manage both implementations in an integrated form.

  • Preventive action

    Basically, it can be both. But, in my opinion, it is better for it to be a preventive action.

  • Actors considered data subjects in media files?

    Names and pictures are personal data, according to Article 4 GDPR – Definitions. By doing media processing of personal data – images, video feeds, and names in credits – you are processing personal data. If you are based in the EU, or if you offer goods and services to people in the EU, according to Article 3 GDPR – Territorial scope – GDPR applies to your personal data processing operations. The first step is to determine your role – controller or processor. If you are a processor, you need a Data Processing Agreement signed with the streaming service providers, where they mandate you to process these films based on their instructions.

    If you are a controller, you need a purpose and a legal ground for processing, according to Article 6 GDPR – Lawfulness of processing. The actors and the crew have a contract with the movie production company, so they process their data based on Contractual Obligation, per Article 6.1.b GDPR – contractual obligation. The streaming service providers have a contract with the production company, and you have a contract with the streaming service providers, but the crew and actors are not part of your contract, so you cannot use Contractual Obligation. In my opinion, the best fit for a legal ground for processing would be Legitimate Interest, but in this case, you should perform a Legitimate Interest Assessment and you should inform the actors and the crew.

    At Advisera, we have a great resource to help you, an EU GDPR Documentation Toolkit that contains all documents necessary to drive your GDPR-compliance efforts, which also contains templates for privacy notices, data subject access requests, data processing agreements, and so on.

    Please check these links:

