Search results


  • Data Protection Regulations

    Yes, the first bullet point refers to services provided by the Charity to its members (i.e. soup kitchen, health assistance and so on), while the second bullet point refers to people working in the Charity either as volunteers or staff.

  • Transferring data between two databases in two different companies.

    You should first assess whether the Canadian company applies GDPR to its data processing (i.e. the company processes data of EU individuals). In this case, no further measure needs to be taken, because GDPR allows the transfer of data inside the GDPR space. If the company does not apply GDPR, then a written data transfer agreement between the two companies is required.

    The data transfer agreement should reflect the standard contractual clauses as adopted by the EU Commission. These clauses are required to transfer data outside the EU while providing sufficient safeguards, but adopting them to import data from the Canadian company can help the Scottish company to demonstrate its accountability to GDPR principles.

    GDPR is technology-neutral, so you can select the safest way to transfer that data between the two companies. You can find more information about data transfer here: 3 steps for data transfer according to GDPR: https://advisera.com/articles/3-steps-for-data-transfers-according-to-gdpr/

  • ISO 27001 2019 review

    Please note that ISO 27001:2013 was last reviewed and confirmed in 2019, so the 2013 version remains current, without alterations, and the list of mandatory documents in this article is still valid.

    For more information, please access this link: https://www.iso.org/standard/54534.html

  • Assignment of documents

    Considering your folder structure, I'd suggest that you create an additional folder called "Annex A -Security controls", like the one you have in the toolkit and include policies and procedures there. You can create this folder either as folder 11 or as a subfolder in folder 8.

    Please note that ISO 27001 does not prescribe how to organize the documents, so you are free to organize them in the way that best suits you.

  • ISO 9001 / Risk register

    Conducting a SWOT analysis with the relevant people of the organization is the simplest solution for identifying the risks, together with a register of the risks found, which is a non-mandatory document but helps to keep track of the risks and whether the actions taken have been successful.

    To make this analysis easier you can analyse the risks process by process with the heads of each department, who are the ones that know best the activities carried out. In addition, writing a procedure can also be helpful, so everyone follows the same way of identifying and assessing those risks. The register should also be a document that is as easy as possible to complete; for example, you can include the source of the risk with a description of that risk and the actions taken to address it. Make sure everyone understands the procedure before going to the register.

    Here you can find a free preview of an example of the Procedure for addressing risks and opportunities - https://advisera.com/9001academy/documentation/procedure-for-addressing-risks-and-opportunities/

    You can find more information about risks and opportunities in ISO 9001:2015 in the following links:

    - Article - How to address risks and opportunities in ISO 9001: https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/

    - Article - Does ISO 9001 require a procedure for addressing risks and opportunities?: https://advisera.com/9001academy/blog/2017/10/10/does-iso-9001-require-a-procedure-for-addressing-risks-and-opportunities/

    - Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/

    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Vendor Agreement In relation to ISO 13485:2016

    It is mandatory to have a written quality agreement with the company that provides an outsourced process (as stated in requirement 4.1.5 of ISO 13485:2016). In that quality agreement, the control measures your company applies over the outsourced process must be described. Control measures must be proportionate to the risk involved and the ability of the external party to meet the requirements of ISO 13485:2016.

    For more details about the Purchasing process, please read the article at the following link:

    How can ISO 13485 clause 7.4, Purchasing, enhance procurement? https://advisera.com/13485academy/blog/2018/04/18/how-can-iso-13485-clause-7-4-purchasing-enhance-procurement/

  • BCM framework and policy

    For a BCM framework, I can suggest ISO 22301, the leading ISO standard for business continuity management. To see what the documents to implement this framework look like, I suggest you take a look at the free demo of our ISO 22301 Documentation Toolkit at this link: https://advisera.com/27001academy/iso22301-documentation-toolkit/

    This toolkit covers all the mandatory, and most commonly used, documents you need to implement and certify a BCMS against ISO 22301. Also included in the toolkit you can find a template for a Business Continuity Policy (you can take a look at the free demo of this specific document at this link: https://advisera.com/27001academy/documentation/business-continuity-policy/).

    ISO 22301 is a generic approach that can be used by businesses of any size and industry, including those that make use of SaaS platforms. Included in each template you will find comments that will help you to include the information about your SaaS platform whenever necessary.

    These articles will provide you with further explanation about ISO 22301 and BC policy and scope (although these articles are about ISO 27001, the same concept applies to ISO 22301):

  • Level of information classification

    Considering ISO 27001 requirements and controls, to define the proper classification level for your information, you have to consider:

    • the results of risk assessment
    • legal requirements (e.g., laws, regulations, and contracts) applicable to your organization

    For example, Article 9 of EU GDPR defines special categories of personal data https://advisera.com/eugdpracademy/gdpr/processing-of-special-categories-of-personal-data/ which you should classify with a higher confidentiality level, while the rest of the personal data you can classify with a lower confidentiality level.

    This article will provide you with a further explanation about information classification:

  • Business continuity management questions

    Hello, I work in management systems consulting and I want to inform myself about the information in this business continuity manual. Queries:

    1. what kind of incidents can disrupt the business?

    A disruptive incident is any event that can prevent the business from delivering its products or services, or prevent it from achieving its objectives, for an unacceptable period of time. Considering that, without more information about the nature of the business we cannot offer a more precise answer than a natural disaster, or loss of facilities or essential personnel.

    For more precise identification, you should perform a risk assessment to identify unacceptable risks relevant to your business.

    For more information, see:

    2. Does it only refer to information security, or must risks associated with the specific business be identified?

    Business continuity refers to any risks that can compromise the business, so it covers not only information security risks but any other risks relevant to the organization (e.g., operational, environmental, etc).

    3. Taking into account that we live in XXXX, where there are no earthquakes or volcanoes and no snow, and there can only be a strong storm, is the scope of this oriented toward emergency planning and evacuation and information security?

    Besides natural events, you also have to consider intentional and unintentional man-made events (e.g., strikes, terrorism, vandalism, accidents, etc.).

  • Opencast procedure

    I have no experience in mining. I would gather a set of participants with knowledge about what happens and with sticky notes I would ask them to describe the main activities of the opencast process.

    Then, for each main activity I would ask them to describe what is done, by whom, with what equipment, under which rules, and using which records. Please check the following free webinar on demand about the use of the turtle diagram to collect information about a process - The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/
