
  • RoHS requirement

    Only if your organization manufactures in, or exports to, the European Union will RoHS be a compliance obligation to be met by your organization or by your representative in the European Union. 

    The following material will provide you more information about compliance obligations:

    Article - Compliance requirements according to ISO 14001:2015 – What has changed? - https://advisera.com/14001academy/blog/2015/09/14/compliance-requirements-according-to-iso-140012015-what-has-changed/
    Free webinar - ISO 14001: Identification and evaluation of environmental aspects - https://advisera.com/14001academy/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar-on-demand/
    Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/

  • Systems Audit and Compliance Audit

    A Compliance Audit is used to conclude whether, within the scope of an audit, there is compliance with established standards. So, it answers the question: are rules being followed?

    A System Audit can also be a Compliance Audit if the audit objective is to verify compliance. A System Audit can also be a different kind of audit, like an audit to verify effectiveness. In that case, it answers the question: are rules helping us in meeting our objectives?

    My answer is based on the world of quality management systems. I know that “Systems Audit” is also used for audits used to validate the integrity of information and data stored in information systems.

    Consider joining our free course on ISO 9001:2015 - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/

  • Adding AS9100 after implementing ISO 9001 and ISO 13485

    The AS9100 Rev D standard includes all of the ISO 9001:2015 requirements with the addition of specific aerospace requirements (and nothing taken away); so, the answer is yes, if you have AS9100 you also have ISO 9001 (and many of the certifications include both standards printed on the certification). You do not need to have a separate QMS for the AS9100, and can integrate these additional requirements into your existing QMS for ISO 9001 and ISO 13485. You are correct, some of the requirements are similar between the two standards, as aerospace and medical devices are both highly regulated and might have similar legal restrictions.

    If you want a better understanding of the AS9100 Rev D requirements to compare to your QMS, see the whitepaper: Clause-by-clause explanation of AS9100 Rev D, https://info.advisera.com/9100academy/free-download/clause-by-clause-explanation-of-as9100-rev-d

  • Controls for BYOD

    First, it is important to note that no controls or technologies are made mandatory by ISO 27001. You can apply those you consider will resolve particular risks.

    Considering that, both RDP (Remote Desktop Protocol) and MDM (Mobile Device Management) are good and commonly applied solutions to help protect the organization's information on employees' personal devices.

    Now, considering you are referring to personal devices, the main topics to support this decision are the legal requirements regarding privacy and labor relations your organization has to follow. Our suggestion is for you to seek expert legal advice on these matters to understand the risks related to the application of these controls and to see whether, by implementing them, you would not be incurring risks higher than the ones you are trying to mitigate regarding your own information.

    This article will provide you further explanation about BYOD:
    - How to write an easy-to-use BYOD policy compliant with ISO 27001 https://advisera.com/27001academy/blog/2015/09/07/how-to-write-an-easy-to-use-byod-policy-compliant-with-iso-27001/

  • Consent for taking pictures and videos

    I would strongly recommend that you delete all the pictures or videos from the event or alternatively get back to the participants and ask for their consent.

    If you want to find out more about consent, check out this free webinar "How to handle consents under GDPR" (https://advisera.com/eugdpracademy/webinar/how-to-handle-consents-under-gdpr-free-webinar-on-demand/).

  • Remote internal audits – an increasing possibility

    Thanks 

  • Standards new versions

    Please note that the most recent versions of these standards are:

    • ISO 27001:2013 - this standard was last reviewed and confirmed in 2019, so it remains current and there is no need for changes in webinars and documentation.
    • ISO 27002:2013 - this version is now under review, so until the release of a new version there is no need for changes in webinars and documentation.
    • ISO 22301:2012 - a new version of this standard will be released by this month (October 2019), and like all transitions of ISO management standards, there will be a period during which documents related to the previous standard will be accepted (normally this period is 2 years).

    This 2017 version refers to the British version of ISO 27001 (BS EN ISO/IEC 27001:2017), which does not include any change that impacts the requirements defined by ISO 27001:2013. Considering that, the Conformio set of documents is also compliant with this British version of ISO 27001.

    This article will provide you further information about this 2017 version:
    - European 2017 Revision of ISO/IEC 27001: What has changed? https://advisera.com/27001academy/blog/2017/10/25/european-2017-revision-of-isoiec-27001-what-has-changed/

  • Privacy questions

    1. Are there any available GDPR certifications?

    So far there are no certifications available in the sense of art. 40 of the GDPR. However, you need to keep an eye on the Supervisory Authorities' websites and see if there is any news, since it is the Supervisory Authorities that need to endorse such certifications.

    2. How do I start with mapping my processing activities?

    My suggestion is to have a process-based approach. For example, you can split HR activities into several processes such as recruitment, on-boarding, etc. and record these into your Records of processing.

    You can find readily available Inventories of processing activities in this "EU GDPR Data Mapping & DPIA Toolkit" (https://advisera.com/eugdpracademy/eu-gdpr-data-mapping-dpia-toolkit/).

    3. Is there any video surveillance policy available in the toolkits?

    No, unfortunately not. However, you do not necessarily need one if you provide adequate privacy notice and explain the extent of the video monitoring and the purposes.

    4. I am negotiating a Data Processing Contract with an insurance company. Are these companies controllers or processors?

    Usually, Insurance companies act as independent data controllers so you would need Controller to Controller Clauses in place.

    5. How can I best present a privacy notice? Do clients need to sign the notice?

    Some of the best ways to present a privacy notice are:

    • Layering - Provide the individual with a short summary of the important or unusual uses of their personal data and provide a link to a full privacy policy for those who want the detail.
    • Just in time - Consider using additional notices for particular interactions with the individual, for example, if signing up for a new service means their personal data will be processed for additional purposes.

  • ISO 27001 security aspects for logical security

    What important aspects of ISO 27001 can I include for logical security in a company in which I work?

    First, it is important to note that, to follow the logic of ISO 27001 to apply security controls, you first have to perform a risk assessment to identify which information security risks are more relevant to your company's context. Without this assessment, you may apply unnecessary controls while not implementing relevant controls.

    Considering that, the controls related to the most common risks raised in a risk assessment regarding logical security are:
    - Access control
    - Backup
    - Network segregation
    - Clear desk and clear screen
    - Controls against malware

    These articles will provide you further explanation about selecting controls and structuring documents:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    - How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/

  • Risk assessment and risk treatment

    If I understood your template correctly, "Risk plan implemented" refers to the status of any action defined to implement controls to treat the risk:

    • Yes - the risk plan is already implemented
    • No - the risk plan is not implemented yet
    • N.A. - Not applicable, no action needs to be implemented

    For low-level risks the general option is N.A., since low-level risks are accepted.

    For high-level risks, the Yes/No option will depend on when the implementation is checked and on the plan due date. The N.A. option is used when the high-level risk is accepted (e.g., when it is identified that the cost to implement the control is higher than the impact if the risk occurs).

    These articles will provide you further explanation about risk assessment and treatment:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/
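The status rule in the answer above (low-level risks accepted, high-level risks either accepted or tracked as Yes/No against a check date and a plan due date) can be applied mechanically to a risk register. The following is an added example written for this page; it is not the template the question refers to, nor Advisera's code. The 1..5 likelihood and impact scale, the product score, the threshold of 10 for "high-level", the field names and the sample register rows are all assumptions made for illustration, not something ISO 27001 prescribes.

```python
"""Evaluate the 'Risk plan implemented' column of a risk treatment sheet.

Added example. Assumed scoring: likelihood and impact on 1..5, risk score is
their product, and a score >= HIGH_THRESHOLD is a "high-level" risk. Anything
below that is a "low-level" risk, which is accepted without a treatment plan.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

HIGH_THRESHOLD = 10  # assumed cut-off between low-level and high-level risks


@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    likelihood: int                    # 1..5, assumed scale
    impact: int                        # 1..5, assumed scale
    accepted: bool = False             # high-level risk accepted by management
    plan_due: Optional[date] = None    # due date of the treatment action
    plan_done: Optional[date] = None   # date the control was actually in place

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def level(self) -> str:
        return "high" if self.score >= HIGH_THRESHOLD else "low"


def plan_status(risk: Risk, as_of: date) -> str:
    """Return 'Yes', 'No' or 'N.A.' for the given check date.

    Low-level risks are accepted, so no action applies (N.A.). A high-level
    risk that management accepted (e.g. control cost exceeds impact) is also
    N.A. Otherwise the answer is Yes once the control was in place on or
    before the check date, and No until then.
    """
    if risk.level == "low" or risk.accepted:
        return "N.A."
    if risk.plan_done is not None and risk.plan_done <= as_of:
        return "Yes"
    return "No"


def is_overdue(risk: Risk, as_of: date) -> bool:
    """A 'No' whose due date has already passed is an open finding."""
    return (plan_status(risk, as_of) == "No"
            and risk.plan_due is not None
            and risk.plan_due < as_of)


def evaluate_register(risks: List[Risk], as_of: date) -> List[dict]:
    """One row per risk, in the shape a treatment-plan sheet would hold."""
    return [
        {
            "id": r.risk_id,
            "score": r.score,
            "level": r.level,
            "plan_implemented": plan_status(r, as_of),
            "overdue": is_overdue(r, as_of),
        }
        for r in risks
    ]


# Constructed sample register for the example; not real assessment data.
SAMPLE_RISKS = [
    Risk("R-01", "laptops", "theft of unencrypted device", 3, 4,
         plan_due=date(2019, 9, 30), plan_done=date(2019, 9, 12)),
    Risk("R-02", "file server", "ransomware with no tested backup", 4, 5,
         plan_due=date(2019, 8, 31)),
    Risk("R-03", "legacy application", "unpatched component", 2, 5,
         accepted=True),
    Risk("R-04", "notice board", "visitor reads internal memo", 2, 2),
    Risk("R-05", "VPN gateway", "weak remote access authentication", 3, 5,
         plan_due=date(2019, 12, 31)),
]

if __name__ == "__main__":
    for row in evaluate_register(SAMPLE_RISKS, as_of=date(2019, 10, 15)):
        print(row)
```

Running the block with a check date of 15 October 2019 marks R-01 as Yes, R-02 as No and overdue, R-03 and R-04 as N.A., and R-05 as No but not yet overdue; moving the check date earlier than R-01's implementation date turns its Yes into a No, which is the dependence on "when the implementation is checked" that the answer describes.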

