Search results

ISO 27001 helping in implementing ISO 22301

ISO 27001 and ISO 22301 are quite compatible, so that risk management, document control, internal audit, management review, corrective action, human resource management and measurement can be used in common for both of these standards. 

These materials will help you: 

• ISO 27001 & ISO 22301: Why is it better to implement them together?  https://advisera.com/27001academy/es/webinar/iso-27001-iso-22301-why-is-it-better-to-implement-them-together-free-webinar-on-demand/
• Can ISO 27001 risk assessment be used for ISO 22301? https://advisera.com/27001academy/blog/2013/03/11/can-iso-27001-risk-assessment-be-used-for-iso-22301/ 
• ISO 27001 & ISO 22301 Premium Documentation Toolkit https://advisera.com/27001academy/iso-27001-22301-premium-documentation-toolkit/ 

ISO 13486:2016 certification for a machine

You have to see that with the manufacturer of that device. There is no any restriction from the standard to do this, but you will need to seek permission from the manufacturer itself for this.

Ways to define ISMS scope

Here are the answers:

What are the concrete methods and ways to define a good ISMS scope

You need to identify in which part of your company is your most valuable information - see the details here: How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

what steps need to be taken while identifying the risk

Here's the article that will help you: ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/ 

and while writing the policies itself

Here are the articles that will help you: 

• ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/ 
• List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
• Seven steps for implementing policies and procedures https://advisera.com/27001academy/knowledgebase/seven-steps-for-implementing-policies-and-procedures//

These materials will also help you regarding ISO 27001 implementation:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your
Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course
https://advisera.com/training/iso-27001-foundations-course/

Copyright notice

This relates to the copyright notice in the footer of the document(s) as well as copyright notice in properties of the particular document.

Position and Function of an information security specialist

I assume that by "graduate" you mean a student that has graduated from an university. 

ISO 27001 has no requirements in this respect - usually, people with less experience could be a part of a security team, but not lead the security team. 

Here are some articles that can help you: 

• Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/ 
• Who should be your project manager for ISO 27001/ISO 22301? https://advisera.com/27001academy/blog/2014/12/01/who-should-be-your-project-manager-for-iso-27001-iso-22301/

These materials will also help you on how to position yourself in ISO 27001 implementation:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your
Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course
https://advisera.com/training/iso-27001-foundations-course/

ISO certification code

You can ask an organization a copy of their certificate. Check the name of the certification body and verify if its name is in any list of an accreditation body recognized by the International Accreditation Forum (IAF). If that certification body is working with an accreditation body recognized by the IAF you can contact them and confirm if their certificate is valid or not. Sometimes certification bodies  issue lists with the name of certified organizations. In that case you can search the name there.

The following material will provide you more information about solving doubts around a certificate validity:

- How to know whether ISO 9001 certificate is valid? – https://advisera.com/9001academy/blog/2018/05/23/how-to-know-whether-iso-9001-certificate-is-valid/- Free webinar – ISO 9001:2015 clause 4 – Context of the organization, interested parties, and scope – https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/- Enroll for free course – ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/- Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

SaaS products

Basically, you need to include in the ISMS scope the cloud elements you can control - this article will provide you with details: Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/ 

GDPR & CE Mark

Would you recommend for a medical device company that maintains a QMS system (under CE mark) to incorporate all GDPR changes inside the QMS?

QMS is established to certify quality and compliance of products to legal requirements.

A QMS system under CE mark may be related to product safety which can affect data protection if personal data are acquired by the medical device.

Certification process is encouraged by European Authorities and Member States under article 42 GDPR.

Are there subjects or areas that you would not want to be checked by the CE/QMS audit that relate to GDPR?

CE mark or QMS audit can be helpful to demonstrate accountability to GDPR requirements. However, depending on QMS audit that you implement in your company some areas may be not covered. Employee data processing and its storage or the transfer of data outside the EU may be not covered, if your QMS is focused only on product safety, it can be an example. Also, compliance of the data processor to GDPR provision should be checked.

Please consider that according to paragraph 4 article 42 GDPR “certification does not reduce the responsibility of the controller or the processor for compliance with this Regulation and is without prejudice to the tasks and powers of the supervisory authorities”.

Joint responsibility

I would like to have known whether it is possible that jointly responsible persons can assert a legitimate interest as a legal basis?

Legitimate interest is more deeply explained in the preamble of GDPR. Paragraph 47 of GDPR explains how to use legitimate interest as a legal ground.

The key element of legitimate interest as a legal ground of data processing is the existence of a relevant and appropriate relationship between “the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.” (see paragraph 47 of the Preamble of GDPR)

Therefore, you must assess whether the four companies have a relevant and appropriate relationship with the customer (i.e. they all provide a service to the customer like sales of goods and logistics).
It must be assessed whether “a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place.” It means that the customer who disclosed his personal data for a certain purpose can reasonably expect that his data will be processed by all the four companies because of the nature of the service provided.

In those cases only legitimate interest can be used as a legal ground of data processing by co-controllers.

Example: 4 independent organizations/companies want to share their customer and supplier data because they partially overlap. If one of the four companies wants to create a new customer, they should first be able to search in a joint program to determine whether it already exists so that they do not have to create it again. Each of these four companies can view this customer record and change it if necessary.

Can I assert a legitimate interest here and say that it makes work easier for the four companies and also means data minimization?

Paragraph 48 in preamble rules the situation of group companies or grouped undertakers which jointly process personal data.

According to paragraph 48 of the GDPR Preamble, the controllers “may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients' or employees' personal data.”

Delivery and monitoring records within ISO 9001 clauses

Based on your information, as an auditor, I would write that the ISO 9001:2015 clause is 7.5.3 b). Let us consider that you are writing an audit nonconformity. Now, the manager of the warehouse/delivery, when answering the request for corrective action, should look for the root cause of the contradiction. For example, during his/her investigation he/she might discover that it is a lack of competence issue (clause 7.2), or a misleading identification issue (clause 8.5.2), or a lack of people at a certain shift (clause 7.1.2).

The following material will provide you information about audit nonconformities:
- Article – How to write a good ISO 9001 audit nonconformity? - https://advisera.com/9001academy/blog/2018/04/24/how-to-write-a-good-iso-9001-audit-nonconformity/

- Article - Seven Steps for Corrective and Preventive Actions to support Continual Improvement - https://advisera.com/9001academy/blog/2013/10/27/seven-steps-corrective-preventive-actions-support-continual-improvement/
- Article - How to use root cause analysis to support corrective actions in your QMS - https://advisera.com/9001academy/blog/2016/03/01/how-to-use-root-cause-analysis-to-support-corrective-actions-in-your-qms/
- ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
- Book - ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/