Search results

Home / Search

Category:
Select
Select

11277 results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Audits and MDR - Internal Audit Requirements

    Yes, you can conduct in-house audits using our internal audit package.

    The only requirement is that your internal auditor(s) comply with competence requirements established by your organization. Normally, those requirements are:

    • Auditor(s) know the audit criteria (the management standard)
    • Auditor(s) know good auditing practices
    • Auditor(s) should not audit their own work to ensure independence (please check ISO 9000:2015 definition 3.13.1 where one can read that an audit is “ a systematic, independent, and documented process.) 

    Usually, organizations translate these requirements into something that can be evidenced like doing an internal audit course and passing an exam.

    Internal auditors don’t need to be professionals approved by a third party, they just have to comply with competence requirements. Of course, if your company requirements say that internal auditors must be approved by a third party, and must have at least 100 hours of audit experience, then that is the benchmark to abide by.

    The following material will provide you with information about audits:

  • GDPR in Sweden

    1. How is GDPR implementation in Sweden different from Germany? We do not all differences. Our focus is the field of customer journey.

    The legislation is overall the same, however, you must check the local laws and regulations related to personal data archiving (like financial data, HR data), mandatory reporting, etc. But GDPR is the same.

    2. Which client data are publicly available in Sweden but not in Germany?

    Public available personal data, although public, is still personal data and protected by GDPR. According to Article 14 GDPR - Information to be provided where personal data have not been obtained from the data subject if you collect personal data from public sources, each processing needs a clear purpose, a legal ground for processing, and the data subject must be informed about the processing, the controllers involved in the processing, the personal data categories that are being processed, the purpose of processing and associated legal grounds for the processing, other processors involved and their roles, retention policies for personal data and about their rights related to personal data. At Advisera, we have some great privacy notice templates, part of our EU GDPR Documentation Toolkit, link below.

    3. Which data can be tracked, e.g. client behavior, websurfing habits etc.?

    Tracking of personal data is the processing of personal data, so you need a purpose (why do you want to track personal data), a legal ground for processing (I recommend Consent for processing operations involving personal data tracking), you need to establish the categories of personal data that are being monitored (applying at the same time the principle of data minimization, as it is described in Article 5 GDPR - Principles relating to the processing of personal data, para 1.c), to establish a retention policy according to GDPR Article 5.1.e and to ensure the security of personal data.

    4. Are there differences in cookie policy?

    The cookie policy is a document that demonstrates that you respect the requirement of transparency as described in GDPR Article 5.1.a, and in this document, you need to outline who are the data controllers, the personal data processed by each cookie, the purpose of processing, to whom the data is transferred and why and how the data subject can withdraw consent. In this respect, there shouldn’t be any differences in how the cookie policy looks. We have a great Cookie Policy template, part of our EU GDPR Documentation Toolkit, link below.

    Please also consult these resources:

  • Asset Owner

    First is important to note that ISO 27002 is not mandatory to implement ISO 27001, it only provides guidance to support the implementation of controls from ISO 27001 Annex A.

    Considering that, the main role of an asset owner is to ensure his asset is properly protected, and in some cases, he will not perform security activities by himself but needs to ensure these activities are performed.

    In the case of the laptop, by "User" we mean the "Person who is using the laptop", and if an auditor questions your choice of this role as the asset owner, you need to show evidence to the auditor about who performs the security activities he asks for and how the laptop user ensures it is performed.

    For example, to ensure information availability, the person using the laptop may require backup copies to be created, and needs to ensure backups are being performed and to do that this person may require testing the backup media by asking for the restoration of specific files.

    For further information, see:

  • Key Risk Management Plan template

    I’m assuming that by “Security Risk Management Plan” you mean for planning how to implement risk treatment.

    Considering that, in your toolkit, there is a Risk Treatment Plan template where you can define what needs to be done to implement risk treatment. You can find this template in folder 07 Implementation Plan.

    For further information, see:

  • Risk based calculation

    ISO 27001 does not prescribe how to calculate risks, so organizations can adopt the approach that better suits their needs. 

    Considering that, please note that the most commonly used approach is the asset-threat-vulnerability, which does not use only physical assets, but also, information, data, services, and other kinds of assets, where risks are determined according to their impacts related to information Confidentiality, Integrity, and Availability.

    For further information, see:

    In this article you will find information about:

    • Main steps in risk management
    • Risk assessment methodology
    • Risk assessment
    • What to use instead of an asset-based approach for ISO 27001 risk identification

    • Inquiry

      ISO 27001 does not prescribe controls hierarchy to be implemented, so large majority of companies do not differentiate between high and low level controls. We also do not recommend this approach because it only creates an overhead.

      Although ISO 27001 does not specify this, you could apply "high-level" and "low-level" concept to policies - the top-level Information Security Policy could be considered as a "high-level" policy because it defines security rules for a whole company, whereas a "low-level" policy could be Backup policy because it defines security rules for only one part of the company.

    • ISO 27001 EA Codes

      I’m assuming that by EA Codes you mean the codes for ISO Certification Scope.

      Considering that, EA Codes are not used or required by ISO 27001. They are used by certification bodies during the certification process to identify the main business activity related to the certification scope.

    • Implementing ITSM and Agile Methods Together

      Thanks for that information 

    • Risks to Impartiality

      Yes, you are correct in your interpretation. A laboratory needs to consider possible risks to impartiality (in terms of the definition of impartiality), then identify any that may be possible  (even if low probability) in your context (what you do, who your clients and external providers are, and what your organizational structure is). They are many aspects that are covered under impartiality. These are explained in the definition of impartiality in ISO 17025, where impartiality is simply the

      presence of objectivity; meaning there are no conflicts of interest (or they are resolved/safeguarded)are resolved so that there are no factors that can negatively influence activities of the laboratory. Look at the standard for the other terms such as “freedom from bias”. So anything that will impact any established policies including a Code of Conduct. For example, personnel is put under undue pressure where they have to as you say take shortcuts that may jeopardize the results. Everything must be in place to ensure competent, consistent operations. i.e. consistently valid results.

      You asked
      is there a good way to communicate these?

      Through risk analysis and the use of tools showing cause and effect, and fishbone diagrams. Involve all relevant personnel. Use brainstorming and set out a process chart for an activity showing the inputs and outputs and the influencing factors. Then indicate the controls in place. Using your risk register indicate whether with those current controls (risk treatment) if the risk is at an acceptable level or not. Then record how you will monitor the effectiveness over time – for example, monthly meeting discussions, when onboarding new personnel, clients, or suppliers, and during internal audits,

      For more information, have a look at the advice answers

      Compliance with the ISO/IEC 17025:2017 requirement for Impartiality - https://community.advisera.com/topic/compliance-with-the-isoiec-170252017-requirement-for-impartiality/

      Procedure for impartiality - https://community.advisera.com/topic/procedure-for-impartiality/

      The ISO 17025 document template: Registry of Key Risks and Opportunities, is available for as part of the toolkit for preview and purchase separately too at  https://advisera.com/17025academy/documentation/registry-of-key-risks-and-opportunities/
Page 43-vs-13485 of 1128 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +