Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11277 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Residual risk
Is it possible NOT to provide employees with laptops and antivirus solutions. Our employees use their own laptops.
Our employees use windows defender. But we can not control if antivirus is on. We can not control if antivirus is updated and scheduled to perform period scans. So, we do not have any control and evidence. What are the options for us?
Answer:
ISO 27001 does not specify who should be the owner of the laptops or which kind of anti-virus software you should use - key point in ISO 27001 is how you deal with risks.
So if your risk assessment says that the risks to those laptops are acceptable even if you do not control the AV software, then you can leave the system as it is; if the risk is not acceptable, then you can require the users to install some kind of AV software where you can control how it operates.
This article will help you more with how to handle risks: The basic logic of ISO 27001: How does information sec urity work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/ -
Document controller
Answer:
If you check ISO 9001:2015, clause 7.5, you will see several times the phrase “the organization shall”. However, the organization does not act as such, someone, a person or a function, has authority or responsibility to control the documented information. So, complying with ISO 9001:2015 clause 5.3, top management shall ensure that the responsibilities and authorities for relevant roles, including documented information control, are assigned.
The following material will provide you information about organizational roles, responsibilities and authorities:
- ISO 9001 – How to document roles and responsibilities according to ISO 9001 - https://advisera.com/9001academy/blog/2018/02/26/how-to-document-roles-and-responsibilities-according-to-iso-9001/
- free online training ISO 9001:2015 Internal Auditor Course
– https://advisera.com/training/ course/iso-90012015-internal-auditor-course/
- book - ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/ -
ISO 9000 vs ISO 9001
Answer:
Since the beginning, since 1987, ISO 9000 and ISO 9001 always existed as separated standards. ISO 9001 includes the requirements associated with a quality management system and is auditable. ISO 9000 includes quality management principles and vocabulary and it is not auditable. So, ISO 9000:2015 still exists and is very useful for implementers.
The following material will provide you information about ISO 9000:
- List of Quality Management Standards and Frameworks - https://advisera.com/9001academy/knowledgebase/list-of-quality-management-standards-and-frameworks/
- ISO 9000 - https://advisera.com/9001academy/knowledgebase/iso-9000/
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
Controller and processor obligations
Answer:
The controller should always have a Data Processing Agreement in place with its processors pursuant to art. 28 of the GDPR. Based on the provisions of art. 28.3 (a) the processor needs to act only on the instructions of the controller.
So if the processor refuses to act based on the instructions of the controller it would be a breach of both the GDPR and the Data Processing Agreement.
If you want to find out more about the obligations of processors under the EU GDPR check out this free EU GDPR Foundation Course (https://advisera.com/training/eu-gdpr-foundations-course//). -
Toolkit content - BYOD policy
1 - List of permitted devices: How detailed must the device be described? Is it enough to specify PC, laptop or mobile phone? Or should the exact type designation be given?
Answer: ISO 27001 does not prescribe detail levels for device description, so you can use detail levels that you consider sufficient to fulfill your needs, so either a general description or the exact type designation are acceptable for ISO 27001.
2 - Can you give me examples of mandatory device settings?
Answer: As examples of mandatory device settings we have:
- Use of screen lock with password
- Device encryption enabled -
ISO 27001 certification
Answer:
The certification is related to the ISMS scope, so if the scope covers all organization, then certification goes to both units in USA and Russia. If the ISMS scope covers only the tech team and their activities, then certification goes to Russia, and if the ISMS scope covers only the headquarters, then certification goes to USA.
These articles will provide you further explanation about scope definition:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/ -
ISO 27001 and ISO 27018
Answer:
In fact the situation is the other way around. ISO 27018 works in two ways: (1) it augments existing ISO 27002 controls (ISO 27002 provides a detailed explanation of ISO 27001 security Annex A controls) with specific items for cloud privacy, and (2) it provides completely new security controls for personal data.
These articles will provide you further explanation about ISO 27002 and ISO 27018:
- ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
- ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/ -
List of legal requirements
European Union Data Protection Directive of 1998
EU Internet Privacy Law of 2002 (DIRECTIVE 2002/58/EC)
Data Protection Act, 1998.
The electronic Commerce (EC directive) Regulations 2002.
Regulation of Investigatory Powers act 2000.
Basel II: BASEL capital accord (April 2003) (Basel Committee on Banking Supervision)
Regulation (EU) 2016/679 (EU General Data Protection Regulation (EU GDPR)), applicable as of 25 May, 2018
Act on Processing of Personal Data, Act No. 429, May 2000
Is there more? Is the Danish one outdated?
Answer:
Unfortunately, the list in this article is not fully up-to-date because it depends on voluntary contributions from our readers – therefore, it is likely that not all regulations for each country are listed (some even may have been withdrawn). To make sure you have the latest list of laws and regulations, it would be best to hire a local legal adviser. -
Is advisory notice applicable to a subcontract manufacturer ?
Answer:
Even though your company might not be the product owner, Advisory Notice is still applicable for your organization as a manufacturer of the device.
For example, in the situation where there is some field safety corrective action, you might be required to take part in the investigation and hence it is recommended for you to have a procedure for this in order to be compliant with ISO 13485 and local regulatory requirements in your country.
For more information, you might refer to:
How to manage recalls and advisory notices for medical devices according to ISO 13485
https://advisera.com/13485academy/blog/2017/08/31/how-to-manage-recalls-and-advisory-notices-for-medical-devices-according-to-iso-13485/ -
Merging of QMS with Advisera template
Answer:
You should sort out your internal procedures and various QMS into one final version. The next step would be to merge it with Advisera's template and then upload it to Conformio.