
  • Control 6.6 – Confidentiality or Non-Disclosure Agreements - NDA compliance

    Since this is a legal issue more than one related to information security risks, the better option would be for the employees of Ycompany to sign the NDA of Xcompany, because, as the acquiring company, the NDA of Xcompany will have broader coverage than the one from Ycompany.

  • Data privacy

    According to Article 4 GDPR – Definitions, a Data Controller means “the […] legal person, […] which, alone or jointly with others, determines the purposes and means of the processing of personal data” while the Data Processor means “a […] legal person […] which processes personal data on behalf of the controller”. The basic difference between the controller and the processor is that the controller has a large degree of autonomy in how it determines the processing operations and purposes for processing, while the processor has almost no autonomy – it processes the personal data according to the controller’s requests.

    If you want to be a Data Processor, you should ensure logical separation of customers’ environments, full customer control over their tenants, the ability to download/delete their data, etc. You could allow your customers to connect to other providers via your ecosystem, whether your providers are controllers or processors (for your customers) or subprocessors (for your customers, but subcontracted by you).

    If you want to perform telematics on customer data (such as recording performance data in order to improve your ecosystem), you might become a joint controller in the relationship with your customers.

    At Advisera we have an EU GDPR Documentation Toolkit that can help you on your journey to becoming GDPR-Compliant using a step-by-step approach. It contains 39 document templates – unlimited access to all documents required by GDPR, access to video tutorials, email support, expert review of a document, and one hour of live one-on-one online consultations with a GDPR expert. It contains templates for Supplier Data Processing Agreements that you can use with your suppliers or with your customers, an International Personal Data Transfer Procedure as well as guidelines on how to fill the Standard Contractual Clauses needed for personal data exports outside of the European Union.

    Please also consult these links:

  • GDPR - which mailing is allowed?

    Article 15 GDPR is about the right of access, and it allows a data subject to request confirmation that his/her personal data is processed and, if so, to receive a copy of the personal data that is processed as well as information related to the purposes, the categories of personal data concerned, and other key information. Regarding your question, you have 30 days to send to the data subject all the details required by Article 15. At Advisera we have an EU GDPR Documentation Toolkit that you can purchase in order to help you answer the data subject access request using a dedicated procedure and specific templates. You can also purchase only the Data Subject Access Request Procedure and the data subject disclosure form, at the links below.

    I also recommend that you take our free GDPR courses, the GDPR Foundations Course and the GDPR DPO Course, at the links below:

  • ISO 9001 - Company's organization log

    Forms are a particular kind of document. Documents need to be controlled according to ISO 9001:2015 clause 7.5. It must be clear which documents are relevant to the system, who has the authority to approve them, and which version is in force, and they must be accessible to those who need them.

    If documents are paper-based, you need a log to record this kind of information. A form needs an identifier, a name, and a way of evidencing the revision number, so that it is easy to check whether it is the latest version.

    If documents are digital, you still need a log to record almost the same information. Normally, a digital form does not evidence a revision number; we expect that the version online is the approved and latest version.

    So, I think you should develop that log.

    You can find more information about documentation below:

  • Backup Policy and the Cloud Storage

    Even though the backup is done automatically, in the Backup Policy you need to mention how this is done, together with backup frequency, and the way you will test backup restoration.

  • ISO 27001 Stage 1 & 2 Audits

    The standard ISO 17021, which defines requirements for bodies providing audit and certification of management systems, in its clause 9.3.1.2.4 requires certification bodies to determine an interval between performing stage 1 and stage 2 audits, but it does not prescribe any specific interval, so the interval is defined according to each accreditation body.

    Common practice is an interval between 30 and 90 days.

  • Organizational chart - ISMS

    1 - Does ISO 27001 require the presence of a CISO or an Information Security Manager in the organizational chart?

    This role is not prescribed by the standard, so you can designate any existing role in your organization, or create a new one, to perform the activities generally performed by the CISO/Information Security Manager.

    For further information about the CISO, see:

    2 - What are the roles that must appear in the organizational chart by ISO 27001 requirement and that we should include in the current *** organizational chart?

    Besides top management and the internal auditor, ISO 27001 does not specify any other roles for information security, so you can include any specific role you consider relevant.

    3 - Could all these roles be covered by *** current QARA Manager?

    I’m assuming that by QARA you mean Quality Assurance & Regulatory Affairs.

    Considering that, provided that the QARA manager has the competencies needed to perform the roles relevant to information security, this person can assume these roles.

    4 - What do you recommend in this regard?

    Roles and responsibilities generally designated to a CISO are very similar to those of a QMS manager:

    • ensuring that the ISMS conforms to the ISO 27001 requirements
    • reporting on the performance of the ISMS to top management

    Considering that, these management activities can be designated to the QARA.

    However, some security roles may require expertise in other areas and may need to be performed by other roles (e.g., network security, performed by an IT analyst).

  • A proof for fulfillment of requirement A.9.5.1 from ISO 27017

    I’m assuming you are referring to control CDL 9.5.1 - Segregation in virtual computing environments.

    Regarding the “Risk assessment performed” you can show as evidence the last risk assessment and treatment report, showing to which risks related to “customer-developed/supplied software in the cloud environment” the control CDL 9.5.1 is used as treatment.

    Regarding the “mitigating controls to address risks imposed by customer-developed/supplied software in the cloud environment”, examples of evidence of implementation of this control are:

    • Network diagrams showing how computing environments are segregated
    • Firewall rules tables showing the configurations implemented in network devices to segregate the environments
    • Results of independent penetration tests covering the evaluation of this control

  • Control A.11.2.4

    First, it is important to note that the ISO 27001 controls related to business continuity are those from section A.17. Controls from other sections focus on information security, not business continuity.

    Control A.11.2.4 - Equipment maintenance applies to all equipment in the ISMS scope.

    Considering that, this control may be applied either to your laptops (where you will have to implement the control) or to the equipment provided to you by your supplier (e.g., a WiFi router as part of the leased office where you work).

    For further information about applying this control, see:
