Search results

Clarification on ISO 27001:2022 certification

1 - From the implementing/certification point of view, shall the described be considered globally, all included in the implementation/certification, or rather, is it possible or advisable to separate them? I.e., consider the platform separately, with its own certification.

Due to the size of your company (around 60 employees), unless you have specific requirements for this cloud-based platform to have its own certification (e.g., a law or contract with a customer), the best approach is to consider a single implementation covering all the organization, because, for companies of this size, the effort to separate what is included in the ISMS scope from what is not included is not worthy.

For further information, see:

• How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

2 - If they were to be separate, how would this even be managed in Conformio?

In case you have a need for the platform to be in a separate implementation/certification, you can create two regular Conformio accounts (one for each instance you want to certify) and do a separate certification for both. As separated accounts, it is not possible to share documents or data to manage both implementations in an integrated form. 

Preventive action

Basically, it can be both. But, in my opinion, it is better to be preventive action. 

Actors considered data subjects in media files?

Names and pictures are personal data, according to Article 4 GDPR – Definitions. By doing media processing of personal data – images, video feeds, and names in credits – you are processing personal data. If you are based in the EU, or if you offer goods and services to people in the EU, according to Article 3 GDPR - Territorial scope – GDPR applies to your personal data processing operations. The first step is to determine your role – controller or processor. If you are a processor, you need a Data Processing Agreement signed with the streaming service providers, where they mandate you to process these films based on their instructions.

If you are a controller, you need a purpose and a legal ground for processing, according to Article 6 GDPR - Lawfulness of processing. The actors and the crew have a contract with the movie production company, so they process their data based on Contractual Obligation, per Article 6.1.b GDPR – contractual obligation. The streaming service providers have a contract with the production company, and you have a contract with the streaming service providers, but the crew and actors are not part of your contract, so you cannot use Contractual Obligation. In my opinion, the best fit for a legal ground for processing would be Legitimate Interest, but in this case, you should perform a Legitimate Interest Assessment and you should inform the actors and the crew.

At Advisera, we have a great resource to help you, an EU GDPR Documentation Toolkit that contains all documents necessary to drive your GDPR-compliance efforts, which also contains templates for privacy notices, data subject access requests, data processing agreements, and so on.

Please check these links:

• EU GDPR Toolkit: https://advisera.com/toolkits/eu-gdpr-documentation-toolkit/
• Article 3 GDPR – Territorial Scope: https://advisera.com/gdpr/territorial-scope/
• Article 4 GDPR – Definitions: https://advisera.com/gdpr/definitions/
• Article 6 GDPR – Lawfulness of processing: https://advisera.com/gdpr/lawfulness-of-processing/
• Article 28 – Processor: https://advisera.com/gdpr/processor/
• EU GDPR controller vs. processor – What are the differences? https://advisera.com/articles/eu-gdpr-controller-vs-processor-what-are-the-differences/
• Key roles defined in EU GDPR: https://advisera.com/articles/key-roles-defined-in-eu-gdpr/
• How to use legitimate interest to comply with EU GDPR – recorded webinar: https://advisera.com/webinars/how-to-use-legitimate-interest-to-comply-with-eu-gdpr-free-webinar-on-demand/

• Purchase (vendors) scorecards

  Of course, you can arrange some of your criteria to score the vendors. Just be aware that you need to establish criteria for the evaluation and selection of suppliers, according to the requirements from the 7.4.1 Purchasing process. 
  So, for example, you can just score it on a scale of 1-3 for the delivery time, price, and certificates that your suppliers have. This means that for price 1 is that you are not satisfied with the price, 2 is that the price is average, and 3 that price is OK for you.   

• Revision of assignment

  First is important to note that, as part of the transition period, an organization can still certify against ISO 27001:2013 until October 31, 2023, so considering you wanted to be certified by this summer, this deadline may give you the extra time you need.

  In case you are not fully compliant with some of your documents, you can postpone their implementation until after the certification audit under the following conditions: (1) if the document is not related to the main part of the standard (clauses 4 to 10), (2) if the related risks are not very high, (3) if you mark related risks as "Accepted" in the Statement of Applicability, and (4) if in the Risk Treatment Plan you define the deadline for the implementation of this document for after the certification audit.For further information, see:

  • ISO 27001 2013 vs. 2022 revision – What has changed? https://advisera.com/27001academy/blog/2022/02/09/iso-27001-iso-27002/

  • Setting up and passing the audit

    1 -Is the setup, documents, actions etc. enough for both entities, or I will have to prepare two different setups?

    Please note that in case these two sites are separated legal entities with different core businesses, then you need to treat them through separate implementations.

    2 -Also do we have to pass an audit to certify both entities or only the regulated body is enough?

    The certification scope can be only one entity or both entities. To make this decision you should consider the requirements of your customers and applicable laws and regulations.

    For further information, see:

    • How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

    This tool can also help you:

    • Tool for defining the ISO 27001 ISMS scope https://advisera.com/insight/chatbot-tool-iso-27001-scope/

  • ISO 9001:2015 Scope

    No, it is not a requirement that all customer-facing products and services have to be included in the scope.

    It may be useful for an organization to exclude products and services from the management system. For example, different requirements from customers, or different requirements from regulation. It’s not a technical decision, it is a management decision.

    For more information about the scope consider the following:

    • What clauses can be excluded in ISO 9001:2015? - https://advisera.com/9001academy/blog/2015/07/07/what-clauses-can-be-excluded-in-iso-90012015/
    • Free webinar on demand - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar/
    • Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Business Development and Sales - core process?

    Yes, it makes sense, you can put it as a separate company process.