Search results


  • Screening requirement

    Please note that if control A.7.1.1. (screening) from ISO 27001 is applicable to your ISMS, then you have to apply it to all candidates for employment (by sampling candidates you will not be fulfilling the requirements for the control).

    What you can do to minimize effort is to apply screening only to roles that are related to unacceptable risks, or where legal requirements require the screening to be performed. Additionally, you can perform the screening only at late stages of the hiring process, when you will have fewer candidates to evaluate.

    This article will provide you a further explanation:
    - How to perform background checks according to ISO 27001 https://advisera.com/27001academy/blog/2018/03/26/how-to-perform-background-checks-according-to-iso-27001/

  • ISO 9001 / Certification and Trainings

    I do not know if under Philippine law you have to comply with any legislation in order to conduct training as a professional. So, let us skip that and assume that anyone can start a training business. Now, you want customers. Potential customers would like to have evidence of your know-how on the subject.

    One way of providing evidence of know-how is to have a certificate stating that. Advisera developed a set of online courses that allow people like you to enroll for free, follow the course at your own pace, take an exam at the end, and get a certificate recognized by Exemplar Global. Currently Advisera has the following courses:

    Advisera also has a blended or hybrid course (online course at own pace and an 8h online workshop):

  • Integrating EMS into a Quality Management System

    If your QMS is already compliant with the ISO 9001:2015 standard, then it becomes easy to integrate the ISO 14001:2015 standard for an EMS, or even the ISO 45001:2018 standard for an OHSMS. All of these standards follow a common format, so it is easy to go through and see which requirements are common, meaning that you can use a common process. You will need to perform a gap analysis against the additional standard to see what additional requirements you need to add.

    The most common processes to be easily integrated include Internal Audits, Corrective Actions and Management Review. However, you can also reuse many processes such as the identification of interested parties and their needs and expectations. If you have already done this for your QMS, you just need to use the same process and re-think who the interested parties are for your EMS or OHSMS.

    For more detail on integrating management systems, see our whitepaper: How to integrate ISO 9001, ISO 14001 and ISO 45001, https://info.advisera.com/9001academy/free-download/how-to-integrate-iso-9001-iso-14001-and-iso-45001

  • ISO 27001 data center control requirements

    I have a question: what are the ISO 27001 data centre control requirements for facilities and operations?

  • Privacy perspective for facial reconstitution software

    I want to set up a startup and develop software for facial reconstitution.

    Are there any constraints from a privacy perspective?

    Most constraints will depend on the kind of software you are going to develop. Consider that if your software does facial recognition, the data it processes will be considered biometric data under Article 9 GDPR, so consent will be needed from the end-user of the software.

    If it is software used for forensic reasons, it may fall under Article 9, letters (f) and (g), GDPR, so that consent may not be needed.

    For more information, please see the article: 
    Article 9 GDPR: https://advisera.com/eugdpracademy/gdpr/processing-of-special-categories-of-personal-data/

    What do I need to consider before and during the implementation stage?

    In the early stage of setting up a startup for developing facial reconstitution software, you need to carry out a Data Protection Impact Assessment in order to verify what kind of data your company will process and how it will handle and secure it.

    In these articles, you may find some help and guidance:

    In developing the software, you should consider the principles of privacy by design and privacy by default as set in Article 25 GDPR. Here you can find more information about those principles:

    - What is privacy by design & default according to GDPR?: https://advisera.com/eugdpracademy/blog/2018/04/17/what-is-privacy-by-design-and-default-according-to-gdpr/

    Is it required for us to have a DPO?

    In case your software uses biometric data, DPO appointment is mandatory under Article 37 letter c GDPR, because your core business will be the processing of special categories of data. 

    You can read more about it in the following article: 
    - How to hire the right DPO? https://advisera.com/eugdpracademy/blog/2018/08/27/how-to-hire-the-right-dpo/

    - The role of the DPO in light of the General Data Protection Regulation: https://advisera.com/eugdpracademy/knowledgebase/the-role-of-the-dpo-in-light-of-the-general-data-protection-regulation/ 

    We are planning to use AWS for storage. Is this OK, or is it better to keep the data on our own servers?

    There is no single answer. It is up to the data controller to assess whether data are better protected on internal servers or with a cloud solution.

    AWS, as a storage provider, claims to be committed to the highest security, compliance, and privacy standards. You will need to check the terms of service of AWS in order to verify the protection standards and decide which measures ensure a level of security appropriate to the risk.

    Do we need to perform some kind of risk assessment before starting?

    Article 35 GDPR requires a Data Protection Impact Assessment (DPIA) to be performed where the use of new technologies presents a high risk to the rights and freedoms of individuals. However, a DPIA is highly recommended also when it is not mandatory, in order to demonstrate accountability with respect to GDPR provisions.

    For more information, please read the article: 

    - 5 phases of the EU GDPR Data Protection Impact Assessment: https://advisera.com/eugdpracademy/knowledgebase/5-phases-of-the-eu-gdpr-data-protection-impact-assessment/

    How would ISO 27001 help us?

    ISO 27001 implementation may help you to follow an international standard for information security risk and to be accountable for security measures under Article 32 GDPR, although there is no complete match between the two sets of rules.

    These materials will also help you regarding GDPR implementation:

    - What is EU GDPR and how can ISO 27001 help? https://info.advisera.com/27001academy/free-download/what-is-eu-gdpr-and-how-can-iso-27001-help

    - EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

  • GDPR and Coronavirus

    We are an international university (and the university is also a city where everyone who works and studies also lives/resides). As such, we are currently placing individuals who are returning from high risk areas (of the Coronavirus), or those who have had contact with those in high risk areas (i.e., roommates), in quarantine.

    It would be great to receive some guidance on things we should be able to do in terms of GDPR in the context of:

    • Informing them we will place them in quarantine
    • Sharing information of those who are placed in quarantine (we may for example send to housekeeping, their course instructors, etc.)

    You must inform the individuals returning from high risk areas about how you will process their data concerning health (collecting, sharing, storing data) and why you are collecting their data about health. Please consider that while health data is included among the special categories of data under Article 9 GDPR, reasons of public health allow you to process these data without consent. Although consent is not needed, you must always inform individuals about how their data are processed.
    You should also reveal how long you will retain this data (as long as the public health risk is concrete).

    You can find more information about:
    - Public health reasons for processing special categories of data in Paragraphs 52-55 of the Preamble of GDPR: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=IT#d1e1374-1-1
    - Everything you need to know about the GDPR Privacy Notice: https://advisera.com/articles/gdpr-privacy-notice-6-key-elements-to-include/

  • Information Security Policy vs. IT Security Policy

    An IT Security Policy is a document which allows your company to comply with the security measures under Article 32 GDPR for information systems and information assets. It identifies the rules and procedures for all individuals accessing and using an organization's IT assets and resources. The goal of an IT security policy is to keep systems and information confidential, available and intact.

    Information Security Policy is a top-level document that defines general principles and responsibilities for information security - it does not go into details like the IT Security Policy does.

    These materials will also help you regarding Information security policy:

    - What should you write in your Information Security Policy according to ISO 27001? https://advisera.com/27001academy/blog/2016/05/30/what-should-you-write-in-your-information-security-policy-according-to-iso-27001/

    - EU GDPR Foundation Course: https://advisera.com/training/eu-gdpr-foundations-course//

  • RTO and MBCO and MTPOD - Business continuity concepts

    A BCMS is very important for any organization that wants to see its business flourish.

  • BIA: longest disruption time in BIA questionnaire

    You can tweak the disruption periods in the questionnaire to fulfill your needs, but considering your case, the recommendation is for you to first check how many activities can support longer periods of disruption, and which periods these would be, so you can adjust the questionnaire properly.

    Please note that the shorter the period for the disruption to become catastrophic, the greater the resources and costs involved for continuity and recovery, so if your questionnaire defines disruption periods properly you will allocate your resources in a more efficient way.

    This article will provide you a further explanation about performing BIA:
    - How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/

  • ISO 9001 clause 8.3

    1. Tooling design (Mould) and development comes under which clause of ISO?

    Answer:

    Who designs the mould? If your organization designs the mould, then Tooling design (Mould) and development comes under clause 8.3 of ISO 9001:2015.

    2. If we don't have product design, can we exclude clause No. 8.3 totally?
    But we have a Tool design and development process. How do we manage this process, and under which clause?

    Answer:

    If your organization does not design the moulds you can exclude clause 8.3. When an organization designs a mould it is a project, every mould is different. When an organization does not design the moulds, the language “Tool design and development” is about a process that is followed to manufacture moulds according to customer’s specifications. In that case the relevant clause is 8.5.

    The following material will provide you with more information about training and competence:

    - What clauses can be excluded in ISO 9001:2015? - https://advisera.com/9001academy/blog/2015/07/07/what-clauses-can-be-excluded-in-iso-90012015/2015/
    - Free webinar on demand - ISO 9001:2015 clause 4 – Context of the organization, interested parties, and scope – https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/
    - Enroll for free course – ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
