1. I am struggling with the 10.1 Risk assessment table level of details listing. Does the standard define detailed assets or, more importantly, what is required in an audit? The catalog examples in the toolkit vary from very detailed to more general ones. For example, can one asset be "development operations system" or do we need to break it down in more detail (Eclipse as IDE, Git for version control, Jenkins for continuous integration, Jira as task management, etc.)? A similar question: can I describe our SaaS service as one asset even though it has several technical components inside?
ISO 27001 does not prescribe a detail level for assets, so organizations can define the detail level that best suits them. This is generally a balance between the administrative effort and the need for information to ensure proper security. For example, you do not need to record the organization's notebooks as individual assets (you can add an asset called "notebook"), but if they have specific purposes with different risk levels you can use specific assets like "notebook", "development notebook", and "finance notebook". The same concept applies to a SaaS service.
Included in the toolkit you bought you have access to a tutorial that can help you fill in the risk assessment.
2. My second question is related to the separation of duties, because we simply do not have enough development people to make strict roles between people: the same people do development and deploy versions in production. Of course, there is a well-defined process to test and accept a release candidate before it is put in production.
To implement separation of duties it is not mandatory to define strict roles (e.g., to have a developer and a tester); you only have to ensure that a single person does not perform the whole process. For example, if you have two developers, one can do the development and deployment of a system, and the other can perform testing and acceptance of the release candidate of this same system, and you can swap places for another system.
If this arrangement is not possible, you can consider compensating controls like:
- Monitoring activities
- Audit trails
- Management supervision
This article will provide you a further explanation about segregation of duties:
- Segregation of duties in your ISMS according to ISO 27001 A.6.1.2 https://advisera.com/27001academy/blog/2016/11/21/segregation-of-duties-in-your-isms-according-to-iso-27001-a-6-1-2/
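As an added illustration (not from the forum thread or the toolkit it refers to), the following Python script models the arrangement described in the answer above: each release record names who developed and deployed a build and who tested and accepted it, a check flags any release where a single person performed the whole process, and a hash-chained audit trail makes the "audit trails" compensating control tamper-evident. All systems, versions and names are constructed sample data.

```python
"""Separation-of-duties (four-eyes) check for a release process, plus a
tamper-evident audit trail. Added example; sample data is constructed."""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Release:
    system: str
    version: str
    developer: str   # person who developed and deployed the change
    acceptor: str    # person who tested and accepted the release candidate


# Constructed sample data: roles are swapped between the first two systems,
# while the third release was developed, deployed and accepted by one person.
SAMPLE_RELEASES = [
    Release("billing-api", "2.3.0", "alice", "bob"),
    Release("web-portal", "1.8.1", "bob", "alice"),
    Release("report-svc", "0.9.4", "carol", "carol"),
]


def sod_violations(releases: List[Release]) -> List[str]:
    """Return one message per release where the same person both deployed
    and accepted the build. Identities are compared after trimming and
    lower-casing so 'Carol' and 'carol ' count as the same person."""
    problems = []
    for r in releases:
        if r.developer.strip().lower() == r.acceptor.strip().lower():
            problems.append(f"{r.system} {r.version}: {r.developer} both deployed and accepted")
    return problems


GENESIS = "0" * 64  # previous-hash value for the first entry


def _entry_hash(body: Dict) -> str:
    # Canonical JSON (sorted keys) so the same fields always hash the same way.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def build_audit_trail(releases: List[Release]) -> List[Dict]:
    """Produce log entries where each hash covers the entry's own fields and
    the previous entry's hash, so editing any past entry breaks the chain."""
    entries, prev = [], GENESIS
    for seq, r in enumerate(releases):
        body = {"seq": seq, "system": r.system, "version": r.version,
                "developer": r.developer, "acceptor": r.acceptor, "prev": prev}
        h = _entry_hash(body)
        entries.append({**body, "hash": h})
        prev = h
    return entries


def verify_audit_trail(entries: List[Dict]) -> bool:
    """Recompute every hash and check the chain links; False on any change."""
    prev = GENESIS
    for e in entries:
        body = {k: v for k, v in e.items() if k != "hash"}
        if body.get("prev") != prev or _entry_hash(body) != e.get("hash"):
            return False
        prev = e["hash"]
    return True


def with_modified_entry(entries: List[Dict], seq: int, field: str, value) -> List[Dict]:
    """Copy of the trail with one field changed, used to show that the chain
    detects after-the-fact edits (e.g. rewriting who accepted a release)."""
    copied = [dict(e) for e in entries]
    copied[seq][field] = value
    return copied


if __name__ == "__main__":
    for msg in sod_violations(SAMPLE_RELEASES):
        print("SoD violation:", msg)
    trail = build_audit_trail(SAMPLE_RELEASES)
    print("trail intact:", verify_audit_trail(trail))
    print("after edit  :", verify_audit_trail(with_modified_entry(trail, 1, "acceptor", "bob")))
```

The check is deliberately a property of the record rather than of fixed roles: it does not matter who develops and who accepts for a given system, only that they are two different people, which is exactly the flexibility the answer describes for a small team.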
"Does your IATF package include the format and metrics for these 16 processes?
IATF requires at 5.1.1.2 that top management shall review the effectiveness and efficiency of the Quality Management System. It is mandatory to measure process effectiveness for all organizational processes, and to measure the efficiency of product realization processes (see 9.3.2.1). All documented processes according to 4.4.1, with inputs and outputs, should have performance indicators accordingly (for example, metrics). It is acceptable for an organization to group multiple documented processes into one (or more) processes; for example, "Engineering Specification" (7.5.3.2.2) could be grouped with the Design and Development process and documented based on the documented procedure approach. For these ones, metrics are not mandatory.
For each of the 16 "documented processes" do I have to show a metric for that process that falls under clause 4.4.1?"
You can download a free demo of the IATF 16949 Documentation Toolkit where you will be able to see templates of all documents included in the toolkit, but also a document called 'List of Documents' that displays which documents are mandatory and which are optional.
ISO 27001 does not prescribe specific controls for data centers, although controls from ISO 27001 Annex A can be applied to data centers as well. To identify which controls would be applicable to your data center you need to perform a risk assessment process. Some commonly adopted controls are:
- Physical Access Control
- Uninterruptible Power Supply (UPS)
- Audit Logs of all user activities and monitoring the same
For more information, see:
- The most common physical and network controls when implementing ISO 27001 in a data center https://advisera.com/27001academy/blog/2019/02/26/the-most-common-physical-and-network-controls-when-implementing-iso-27001-in-a-data-center/
For requirements for a data center, you can take a look at the ANSI/TIA-942 standard. Although it is not ISO (it is an American National Standard) it provides several specifications considering availability and other security needs.
This article will provide you a further explanation about controls definition:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- Overview of ISO 27001:2013 Annex A https://advisera.com/27001academy/iso-27001-controls/
These materials will also help you regarding controls definition:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
For certification purposes, you can either have a single certificate covering the three sites or one certification for each site, but regardless of the adopted approach all sites will have to be audited to achieve certification.
Considering that all sites have to be audited, the best course of action would be to certify one site at a time. This way you can better plan your expenses with implementation, and a problem with one certified company wouldn't affect the others.
These articles will provide you further explanation about ISO 27001 implementation:
- How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
These materials will also help you regarding ISO 27001 implementation:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
ISO 14001:2015 does not have an equivalent process to AS9100 Rev D for measuring process effectiveness. Likewise, there is no equivalent to AS9101 scoring in the certification audit. ISO 14001 does include a bibliography which includes ISO 14031, Environmental management – Environmental performance evaluation – Guidelines, however, the use of this standard is not mandatory for the EMS. So, it is up to you to determine how you will monitor and measure process effectiveness within the EMS, while of course still meeting your legal compliance requirements which may dictate how this is to be done.
You can find out more on measuring EMS effectiveness in the article: How to measure the effectiveness of your EMS according to ISO 14001:2015, https://advisera.com/14001academy/blog/2016/09/05/how-to-measure-the-effectiveness-of-your-ems-according-to-iso140012015/
If you are looking for help to implement AS9100, you may find our book helpful: Applying AS9100 Rev D, https://advisera.com/books/applying-as9100-rev-d/
Clause 4.3 of ISO 9001:2015 requires that the scope of the quality management system be maintained as a document. If clause 7.1.5 (calibration) is not applicable you should state that with a justification in a text. For example, in the same document as the scope. If your organization keeps a quality manual it can be written there together with the scope.
The following material will provide you more information about scope:
- How to define the scope of the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
- What clauses can be excluded in ISO 9001:2015? https://advisera.com/9001academy/blog/2015/07/07/what-clauses-can-be-excluded-in-iso-90012015/2015/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
In our toolkit, changes that affect the quality system are covered in the 21_Procedure_for_management_review, as a part of Review inputs. Therefore this requirement from ISO 13485:2016 is fulfilled.
I would very much appreciate some clarifications of the above: Are there any available GDPR certifications?
If you are looking for a certification of individuals, GDPR does not require any certification.
Even the DPO role does not require being in possession of a certification, yet DPO must have deep knowledge of GDPR and privacy regulations.
In reference to companies, article 42 GDPR encourages the Member States to establish a data protection certification mechanism for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors.
There are plenty of courses on the market. Advisera also developed a free course where you can purchase access to the examinations and get a certificate. So if you are looking for a solution in order to certify the process of your company as data controller or data processor, you can look for these solutions on the market.
How do I start with mapping my processing activities?
The first thing is to know your business. Think about:
- what data you collect (i.e. name, surname, telephone numbers, IP address, physical address, pictures, health data, etc.),
- who collects them (i.e. administration, HR, management),
- why you collect them (i.e. to provide a service or a product, video surveillance, security reasons, public interests),
- how you collect them (i.e. do individuals provide data to you through a form, a contract, a website, with/without consent),
- how long you store those data (the time which is necessary to provide the service, 1 hour, 1 year, 10 years, for a legislatively determined period),
- where you store data (physical archives for paper documents, cloud service, internal servers).
You can find some useful information here:
- 9 steps for implementing GDPR: https://advisera.com/articles/9-steps-for-implementing-gdpr/
- 5 phases of the EU GDPR Data Protection Impact Assessment: https://advisera.com/eugdpracademy/knowledgebase/5-phases-of-the-eu-gdpr-data-protection-impact-assessment/
- In our Advisera GDPR Toolkit, there are Guidelines for Data Inventory and Processing Activities Mapping, here you can download a free demo in order to verify if it suits your business needs: https://advisera.com/eugdpracademy/eu-gdpr-premium-documentation-toolkit/
Is there any video surveillance policy available in the toolkits?
We did not include video surveillance policy in the toolkit because video surveillance is not directly regulated by GDPR, and most EU countries have their own rules. You should verify compliance with the internal rules of your country.
Most rules require you to highlight security reasons for video surveillance, and to avoid monitoring workers and public paths.
They can require you to minimize the period you store images before overwriting them, to determine who can have access to the images (you should set access procedures for those images), and the location where records are stored. Most Supervisory Authorities or Member States have set their own specific requirements to comply with.
You can draft your own policy considering your country requirements and the limits set in GDPR as a data processing policy using the blank template from the GDPR Toolkit.
You can also schedule a call with Advisera's expert who can provide you with some guidelines on how to proceed with this document.
I am negotiating a Data Processing Contract with an insurance company. Are these companies controllers or processors?
It depends if they process personal data on your behalf or not.
Insurance companies usually are considered as data controllers because they determine the purposes and means of data processing on their own.
However, if they can have direct access to your internal data (i.e. geolocation data from security tools installed on board your company car fleet) and process them on your behalf, by storing data on their servers, they can be considered a data processor with reference to those data.
Here you can find some references referring to data controller and data processor:
- EU GDPR controller vs. processor – What are the differences? https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
How can I best present a privacy notice? Do clients need to sign the notice?
A signature is a clear sign of knowledge, yet it is not mandatory. GDPR only requires you to inform your customers about your data processing activity and to collect their consent when required.
Consent can be acquired through a signature but also orally or by a clear affirmative action (i.e. ticking a checkbox).
Therefore, you can present a privacy notice as a link in your email signature in order to make it easy for them to be informed, you can attach a privacy notice to your contracts, and you can also inform them via telephone and register their consent (if needed); most depends on your activity.
Here you can find some useful material to make a GDPR Privacy Notice:
- Everything you need to know about the GDPR Privacy Notice: https://advisera.com/articles/gdpr-privacy-notice-6-key-elements-to-include/
- Article 13 GDPR https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-are-collected-from-the-data-subject/
The term "registered" is sometimes used in North America, whereas in the rest of the world (and sometimes in North America) the term "certified" is used. This is why the terms "registrars" and "certification bodies" are used for the audit companies that perform these audits. So, the term "registered" is not necessarily obsolete, but it can be confusing for some companies, especially outside of North America. "QS registered" is not really a term used any more, as this was mostly attributed to automotive.
What you should scrutinize more is what your labels are used for. For instance, if you are labeling products as "ISO 9001 registered" this is not correct, as ISO 9001 certifies the management system and not the products. For more details on how certification marks and labeling can be used you should talk with your certification body (or registrar) about the rules for using certification labels.
Your organization approves a procedure with supplier approval requirements. You can divide time into before and after the approval of the procedure. After approval you have to follow the procedure; regular suppliers from before the procedure approval can be grandfathered. You can list regular suppliers and state that they are approved based on past performance.
The following material will provide you more information about supplier performance:
- How to evaluate supplier performance according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/10/27/how-to-evaluate-supplier-performance-according-to-iso-90012015/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/