Every company is at some point a data controller, for common personal data processing operations like hiring, payroll, financial reporting, etc., and its responsibilities are detailed in Article 24 – Responsibility of the controller. If your question is related to the Data Protection Officer, the requirements for a company on whether to designate a DPO or not are detailed in Article 37 GDPR – Designation of the data protection officer. Namely, a company must designate a DPO if it is a public authority or body, or if its core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; or if its core activities consist of processing on a large scale of special categories of data and personal data relating to criminal convictions and offenses. However, designating a DPO can be seen as a highly recommended organizational measure to lower the risks related to personal data processing.
If the company decides to designate a DPO, we recommend taking the EU GDPR Data Protection Officer Course on Advisera (link below) and working with the EU GDPR Documentation Toolkit provided by Advisera (link below) that contains all necessary documentation to become GDPR-compliant.
Please note that information security is not related only to personal information. Some examples of information that may also need to be protected are business information (e.g., strategic plans, product R&D information) and financial information (e.g., tax payment records).
Considering that, depending upon the Information Security Management System scope, besides Personal Data protection laws/regulations, organizations also may have to be compliant with other legal requirements (laws, regulations, or contracts) related to information, like the ones you mentioned.
Our recommendation is for you to consult a legal advisor in your country.
There are accreditation policies in each country, aligned with ILAC (International organisation for accreditation bodies) requirements. These policies state when an accredited facility needs to be suspended or go into voluntary suspension. I suggest you contact NAAU, the National Accreditation Agency of Ukraine. Their website is https://naau.org.ua/.
1. In the document “List_of_documents_ISO_27001_2013_Documentation_Toolkit_EN” there are check marks with asterisk: (e.g. #4): are they required at the ISO certification or can we decide if they concern us or not?
Please note that the documents with check marks with asterisks are required when controls related to them are identified as applicable in the Statement of Applicability. Considering your example (#4 List of Legal, Regulatory, Contractual, and Other Requirements), the document is required when control A.5.31 is identified as applicable in the Statement of Applicability.
From our experience, all companies mark control A.5.31 as applicable in the Statement of Applicability.
2. The document “06_Statement_of_Applicability_27001_EN” has a list of the applicability of controls. How shall we decide which controls are important for us?
In the Statement of Applicability, you have to mark a control as applicable if there are unacceptable risks, or if there are requirements from interested parties. Therefore, you have to complete the List of Legal, Regulatory, Contractual, and Other Requirements and the Risk Treatment Table before you write the Statement of Applicability.
3. The headquarters and main company of ***, Inc. is in ***. We also have a subsidiary in ***, ***, belonging 100% to ***. How do we have to proceed with the ISO certification? Is the *** certification enough for both companies? Do we need an extra chapter in the ISO certification for the *** subsidiary?
A single certification covering both sites, or a certification for each site are acceptable possibilities, and your decision should consider your business objectives and strategies.
A single certification is more complex to manage (e.g., both sites can be affected by issues related exclusively to one site), while separate certificates create redundant costs related to the duplication of similar requirements.
In any case, you need to align this situation with your certification body first.
4. We need to set the confidentiality levels on all documents. Is the standard “for employee use only” for all documents good enough for the certifier?
First, it is important to note that the definition of confidentiality levels is required only if control 5.12 Classification of information is identified as applicable in the Statement of Applicability.
Considering that, your classification “for employee use only” for all documents may be acceptable for certification purposes.
Please note that the control does not prescribe which confidentiality levels are to be defined (you may have only a single classification level), nor which information needs to be classified.
The valid version of MEDDEV 2.12 is Rev 8, published in January 2013.
These two documents are not for the same purpose, so you need both of them. First, you need to make a report regarding an incident, and then, after you report it, you need to prepare the field safety corrective action. So you need both of them.
Consider this article, Questions to successfully perform ISO 14001 top management audit - https://advisera.com/14001academy/blog/2019/06/17/iso-14001-top-management-audit-what-questions-to-ask/ as a good start to thinking about an approach to develop a checklist regarding top management.
About leadership – think about questions regarding environmental policy, environmental objectives, and action plans to achieve them. Think about questions regarding management review and system effectiveness.
About environmental aspects – does top management have an idea about what are the main significant environmental aspects and impacts, and how they relate to the environmental policy?
About risks and opportunities – you can always ask if top management knows about the main risks and opportunities, what was done to act upon those risks and opportunities, and if those actions were effective.
1. Every information security policy must have at least one procedure associated with it.
ISO 27001 does not specify that you need to have procedures related to policies, nor does it specify what kind of policies and procedures to write. Our recommendation for smaller companies is to use a minimum number of policies and procedures to avoid overhead.
2. Can security policies and procedures be written in the same document or should they be separate documents?
ISO 27001 does not prescribe how policies and procedures must be documented, so organizations can develop them as best fit their needs.
Considering that, policies and procedures can be part of the same document, but you have to take care not to create a document too big or complex to use or maintain. In such cases, it is best to keep policies and procedures as separate documents.
3. Should the strategic information security policies be in a separate document from the technical information security policies? Or can they be in the same document?
Strategic and technical information generally have different audiences (e.g., strategic information for top management, and technical information for operational staff), so while you can have both kinds of information in the same document, in general they are developed as separate documents.
4. What is the difference between policies, standards, and procedures?
A policy defines a certain intention and gives direction (e.g., Information Security Policy), whereas a standard specifies a standardized way of doing something (e.g., ISO 27001 specifies how to manage information security).
As for a procedure, it defines the steps required for performing an action (e.g., a backup procedure defines the steps to back up information).
5. Should the person in charge of information security be independent from the area of information technology? Or can it be a person/position that is part of the information technology area?
ISO 27001 does not prescribe who should be responsible for information security, so organizations can designate this person as best fit their needs.
So, whether or not this person is part of the area of information technology, both are acceptable possibilities.
6. Can the technology leader also be responsible for information security?
This role can also be an alternative for the person responsible for information security.
7. Do you have any template of how to write a strategic information security plan?
Please note that ISO 27001 does not require a strategic information security plan to be developed. A similar high-level document compliant with ISO 27001 is the Information Security Policy, located in the folder General policies in your toolkit.
8. Can you send me examples of major nonconformities and minor nonconformities?
First, it is important to note that major nonconformities and minor nonconformities are commonly used only in certification audits. Internal audits do not require the application of such classifications.
Examples of minor non-conformities: some of the training records are missing, not all employees are trained as they should be, some of the employment records are missing, etc.
Examples of major non-conformities: management review not performed, and a minor non-conformity not being resolved within the defined deadline.
9. Can the vulnerability tests of information assets be carried out by the same organization or must an external provider be contracted to carry them out?
Please note that ISO 27001 does not prescribe who must perform vulnerability tests, so both alternatives are accepted by the standard.
10. Is an information security incident the materialization of a security risk?
Your assumption is correct.
Risk refers to the probability of something negatively affecting information.
An information security incident means that something in fact negatively affected the business or information which should be protected.
11. What is the difference between an information security event, an information security incident, and an information security risk?
An event refers to something that happened that is relevant to be recorded, but you are not sure it negatively impacted information security.
An incident refers to something that happened and that in fact has negatively affected information security.
Risk refers to the probability of something happening and negatively impacting information security.
When you are accessing data of a data subject on LinkedIn, you are processing that individual’s personal data, and according to Article 6 – Lawfulness of processing – you need at least one legal ground for processing: consent, contractual obligation, legal obligation, vital interest, public interest, or legitimate interest. If that person is contacted using the LinkedIn platform’s features, such as Add Connection, InMail, or Messaging, you don’t need the data subject’s consent for processing, as that person already accepted LinkedIn’s Terms and Conditions, which allow that person to be contacted (if he/she didn’t modify the privacy preferences in the account). However, if you download/archive a person’s data from LinkedIn, you need another legal ground for the processing. It can be consent, but you need to obtain that person’s consent BEFORE you download/archive his/her data from LinkedIn.