Search results

ISO 27031

ISO 27031 is still a valid stand-alone standard. In fact, it is under review at this moment. You can see information about the status of this standard at ISO site: https://www.iso.org/standard/44374.html

This article will provide you further explanation about ISO 27031:

• Understanding IT disaster recovery according to ISO 27031 https://advisera.com/27001academy/blog/2015/09/21/understanding-it-disaster-recovery-according-to-iso-27031/

Data capture

As often happens when interpretation comes, it depends on the mailing list provided to you from the sales team.

You need to consider that GDPR applies only to personal data, so, first of all, you need to evaluate if the email list your boss provided can be considered personal data. If the email address does not contain any personal data (i.e. info@company.com, sales@company.com, etc.) it can be used to send a campaign because GDPR will not apply.

On the contrary, if the email addresses provided to you are name.surname@company.com or with personal information (name, surname, initials, and anything referring to an individual), you will need to have proven opt-in from them. 

You can find more information about how GDPR impacts on marketing in our articles:

• How does GDPR affect digital marketing? https://advisera.com/eugdpracademy/blog/2019/02/20/how-does-gdpr-affect-digital-marketing/
• How does GDPR impact marketing activities? https://advisera.com/eugdpracademy/blog/2018/02/08/how-does-gdpr-impact-marketing-activities/

You can also learn more about GDPR with our online free EU GDPR Foundation Course: https://advisera.com/training/eu-gdpr-foundations-course//

Toolkit content

1. Hi there, we need to figure out whether or not we need ISO 27001 compliance. Some of the requirements our potential client has are as follows:

Audit review, plan, and information as to the audit standards they're using Network penetration testing Internal External Application penetration testing Vulnerability scanning for network, internal and external Logical network diagram, with data flow if possible with encryption levels. Security baseline stands? Hardening standards? Info on corporate RTO and RPO standards SDLC - tollgates Application testing? SAST, DAST, SCA, IAST, MAST? All policies, standards, and procedures documents, including Secure coding standards Risk assessment document Change management Conscia to provide a summary of our most recent Disaster Recovery (DR) audit Conscia to provide network and application layout diagram for our product.

First, it is important to note that the requirements you have declared as your prospects do not include ISO 27001; therefore, you do not have to comply with ISO 27001.

However, ISO 27001 provides requirements for the planning, implementation, operation, and improvement for an Information Security Management System (i.e., what you need to do), and by certification against this standard, you will be more prepared to attract new customers.

For further information, see:

• Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
  The following documents in the toolkit will help you with some of the mentioned requirements:
• Audit review, plan, and information as to the audit standards: Procedure for Internal Audit (https://advisera.com/27001academy/documentation/internal-audit-procedure/), Annual Internal Audit Program (https://advisera.com/27001academy/documentation/annual-internal-audit-program/), Internal Audit Checklist (https://advisera.com/27001academy/documentation/internal-audit-checklist/), and Internal Audit Report (https://advisera.com/27001academy/documentation/internal-audit-report/)
• Info on corporate RTO and RPO: Disaster Recovery Plan (https://advisera.com/27001academy/documentation/disaster-recovery-plan/)
• Risk assessment: Risk Assessment and Risk Treatment Methodology (https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/)
• Change management: Change Management Policy (https://advisera.com/27001academy/documentation/change-management-policy/)

You can see a full list of documents included in the toolkit on this page: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

These articles will provide you a further explanation about ISO 27001:

• What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
•  The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
• Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/

2. What is a SIEM solution? What log review tools? Frequency of the log reviews. Is some of this covered in your toolkit?

Security Information and Event Management (SIEM) is a software solution that aggregates and analyzes activity from many different resources across an IT infrastructure.

SIEM collects security data from assets like network devices, servers, domain controllers, etc., and applies analytics to that data to discover trends, detect threats and enable organizations to investigate any alerts.

ISO 27001 does not prescribe the frequency of the log reviews, only that frequency must be defined according to identified risks, so the toolkit provides templates that require the organization to define the frequency of the log reviews. You can see how this is implemented in the Security Procedures for IT Department template at this link: https://advisera.com/27001academy/documentation/security-procedures-for-it-department/ 

Please note that the toolkit does not include software solutions for SIEM or tools for log review. The toolkit provides the mandatory and most common documents to be compliant with ISO 27001.

This article will provide you a further explanation about monitoring:

• Logging and monitoring according to ISO 27001 A.12.4 https://advisera.com/27001academy/logging-according-to-iso-27001/

KPI for Document Controller

First, I would use the term KPI with care. 

In my understanding, a Document Controller is responsible for documents control. If we check the requirements of ISO 9001:2015 we can recognize that a good document control means things like:

• No unapproved relevant documents in the QMS;
• No obsolete documents in use;
• People that need a particular document have access to the last approved version
• Records are well protected and easily retrievable when needed

How do an organization check these requirements? Systematically, through internal and external audits. Or through random events communicated by people working in the QMS.

So, indicators to measure a Document Controller performance can be:

• Number of document control related audit nonconformities (internal and external)
• Number of obsolete documents in use (for example, in some sectors like pharma, some documents are published with a planned obsolesced date to promote mandatory review, and organizations have planned checking activities 

And remember, I would use the term KPI with care. An organization where everything is “key” nothing is “key”. I know very few organizations where top management would call document control indicators as “key”.

Below you can find more information about document control:

- Some tips to make Document Control more useful for your QMS - https://advisera.com/9001academy/blog/2014/05/20/tips-make-document-control-useful-qms/
- How to structure quality management system documentation - https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/
- Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/

House Planning Application

GDPR protects personal data which is information related to an individual person.

So, the house planning may only contain personal information about owners and location of the house. Other information as a modification to the building or planned construction and other technical information are not considered personal information and is not covered by GDPR protection.

Check in the agreement with the company what information you provided to the company and consider that article 6 GDPR allows company to use personal data which “ is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”.

Therefore, the company may have the right to use all the needed information in order to present an appeal of the decision to the board ***. As Client, you should have access to information provided and be informed on the decision of the board ***. If the company denies you access, consider contacting a lawyer to get full protection as the rights involved does not concern only GDPR aspects.

To know more about the legal ground to process personal data, you may read this article

If you need to know more about GDPR you may consider following our free EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

Vendor Audit

According to the ISO 13485:2016, requirement 7.4.1 Purchasing process, it is not mandatory to audit vendors which are critical. 

This requirement states that organizations must establish criteria for the evaluation and selection of suppliers. These criteria must be based on the supplier’s ability to provide certain products; on the performance of the supplier (e.g. delivery date, minimum quantity for order and similar); and effect of the purchased product on the quality of the medical device. So, what that criteria will be it is up to the manufacturer to take into consideration the risk associated with the medical device. 

Also, this requirement state that organization must plan the monitoring and re-evaluation of suppliers. How often will it be done, will there be an audit or not, it is up to the manufacturer. 

For more information please read the following articles: 

How can ISO 13485 clause 7.4, Purchasing, enhance procurement? https://advisera.com/13485academy/blog/2018/04/18/how-can-iso-13485-clause-7-4-purchasing-enhance-procurement/

First-, Second- & Third-Party Audits for medical device manufacturers & suppliershttps://advisera.com/13485academy/knowledgebase/first-second-third-party-audits-for-medical-device-manufacturers-suppliers/

GDPR Articles for the recruitment

Recruitment requires to comply with article 5 GDPR which applies to all data processing.

First of all, you must inform individuals about data processing with a privacy notice. The purposes of processing can be seen in recruitment and the legal ground of processing can be either consent (if you collect consent from candidates) or contract (where the prenegotiated phase is included).

You should also determine the data retention policy determining how long will you keep data (CVs, and other personal information) from candidates and keep track of consent giving the chance to candidates to modify the provided data.

You can find more information in this article:

• How the GDPR could impact your HR department: https://advisera.com/eugdpracademy/blog/2018/02/22/how-the-gdpr-could-impact-your-hr-department/
• Is consent needed? Six legal bases to process data according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/

You can also find some useful information in our free training EU GDPR Foundations course: https://advisera.com/training/eu-gdpr-foundations-course//

Here you can find our template of Employee data protection policy: https://advisera.com/eugdpracademy/documentation/employee-personal-data-protection-policy/

HDS

Can an HDS be done between countries?
I mean can we store medical data in a country and use the date in another country?

Implementing QMS with non-mandatory documents

You can use nonmandatory required documents for your QMS, but you must use the mandatory required documents.

Using more or less nonmandatory documents in a QMS should be a function of the QMS complexity and people experience and competence. Please check ISO 9001:2015 clause 4.4.2.

The following material will provide you more information about documentation:

- How to structure quality management system documentation - https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/
- List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
- ISO 9001:2015 Documentation Toolkit - https://advisera.com/9001academy/iso-9001-documentation-toolkit/

- Free webinar on demand – How to use a Documentation Toolkit for the implementation of ISO 9001 - https://advisera.com/9001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-9001-free-webinar-on-demand/
- Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/

Customer specific requirement on Supplier Quality Assurance Manual

SQAM is a TOYOTA customer specific requirement and there are different sections in SQAM. Normally you can dowlload from Toyota Portal if you supply to Toyota and have a portal access. SQAM has total of 33 sections and can only be download from the Toyota portal.

All these symbols are from SQAM book,section 11 Quality Problem Reporting and Section 33 Supplier Quality Assurance Manual of Toyota customer requirements.