Search results

Admin Expert Guest

Created: {{ topic.date_formatted }} Last commented:   {{ topic.last_comment.date_formatted }} Read later:   Pin topic: Unpin topic: Pinned topic:

Assigned topic

Private

IN COMMENT:

COMMENT:

Read more

Replies: {{ topic.reply_count }} Be the first to comment

Tags: {{tag.name}},

Votes {{ topic.downvotes_count }} {{ topic.upvotes_count }}

Want to vote?

Sign in to make your opinion count.

SIGN IN

Load more

There are no topics yet.

• Segregation of duties

  1. Regarding Segregation of duties I believe some jobs can’t be combined (like the SO can’t be the DPO?)

  I'm assuming that by SO you mean Security Officer. Considering that, and ISO 27001 and EU GDPR, there are no requirements in these references preventing a single person to be both SO and DPO. Of course, you should also consider other laws, regulations or contracts you have to comply with to define if these jobs can be performed by a single person.

  GDPR requires an independent DPO who needs to relate with the data controller, data subjects and surveillance authorities.
  For larger companies it is a good practice to have these two positions separated; for smaller companies, this is not feasible.  
  
  GDPR requires also to have a close look at dimensions of the company so that in SMEs if the circumstances do not create risk of conflicts Security Officer and DPO can be the same person. Of course, the reasons for such choices and policies to avoid conflicts must be set in order to comply with the accountability principle.  

  2. Are there specific combinations that are not done? We have these roles in the company? To divide under 4 people:
  Security officer (is also Risk manager & Authorization officer)
  Internal auditor (external consultant)
  Service manager (is also Change manager & Incident manager)
  Security tester (outsourced)
  Compliance officer
  Solutions Director
  DPO

  The most common criteria to be considered for segregation of duties of critical activities are:

  • the person who elaborates something does not approve it
  • the person how performs a task does not review it

  Considering that, for example, the internal auditor/security tester should not be the same person as the service manager. The service manager defines and handles changes/incidents, while internal auditor/security tester verifies if these are effective. So, you should verify exactly which activities will be performed by each role to identify potential conflicts of interest.

  For further information, see:

  • Segregation of duties in your ISMS according to ISO 27001 A.6.1.2 https://advisera.com/27001academy/blog/2016/11/21/segregation-of-duties-in-your-isms-according-to-iso-27001-a-6-1-2/

  3. Do you also have standard lists of the Responsibilities & Requirements of these roles?

  ISO 27001 does not prescribe the security officer role, only that relevant information security responsibilities are defined and designated.

  Articles 37 to 39 GDPR describe the designation, the position and the tasks of DPO according to the GDPR. Article 39 GDPR lists the tasks of DPO stating that DPO shall ensure:

  • to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions
  • to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits
  • to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35
  • to cooperate with the supervisory authority
  • to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter

  These articles will provide you further explanation about responsibilities for information security:

  • Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
  • How an ISO 27001 expert can become a GDPR data protection officer https://advisera.com/27001academy/blog/20/01/20/iso-27001-practitioner-becoming-a-gdpr-data-protection-officer/
  • What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
  • The role of the DPO in light of the General Data Protection Regulation: https://advisera.com/eugdpracademy/knowledgebase/the-role-of-the-dpo-in-light-of-the-general-data-protection-regulation/

  You can also find some useful information on our free training online course The role of DPO according to GDPR: https://advisera.com/eugdpracademy/webinar/role-of-the-dpo-according-to-eu-gdpr-free-webinar-on-demand/ 

• Overlapping between ISO 27001 and ISO 9001

  Since 2012 all ISO management systems have a similar framework, so integrating them is a lot easier today.

  You can find a comparison between ISO 27001 and ISO 9001 in this material:

  • ISO 27001 vs. ISO 9001 matrix (PDF) https://info.advisera.com/9001academy/free-download/iso-9001-2015-vs-iso-27001-2013-matrix

  The matrix shows relationships between clauses of ISO 27001 and ISO 9001 and gives an overview of common requirements of these two standards with tips on how to fulfill them with as little documentation as possible.

  Regarding which one adds more value, ISO 9001 or SOC2, you have to evaluate which objective your organization wants to achieve, legal requirements (e.g., laws, regulations, and contracts) you must comply with, and which framework will bring them more clients.

  This article will provide you further explanation about integrating management systems:

  • How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/
  • ISO 27001 implementation: How to make it easier using ISO 9001 [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001-implementation-make-easier-using-iso-9001-free-webinar-demand/

• Environmental report

  I want to know how to conduct and compile a report on environmental, design, structural and amenities deficiency

• Internal auditor qualification

  Assessor qualification for CQI-9 Heat Treatment process audit are;

• Be an experinced quality management system internal auditor (IATF 16949:2016 and ISO 9001:2015)
• Assessor shall have a heat treatment process knowledge. Minimum 5 years experince' in heat treatment or combination of normal metallurgical education and heat treating experince totalling a minmum 5 years.
• Assessor shall have a process knowledge and be famillar of automotivge core tools including APQP,PPAP,FMEA,SPC,MSA 

Fore more information, please read the following article