I’m assuming that you did not complete the Risk Register / Statement of Applicability in Conformio.
Considering that, to complete the IT Security policy according to the ISO 27001 standard, you need to perform the Risk Assessment and Risk Treatment, using the Risk Register Module. After you complete the assessment, Conformio will automatically generate the SoA indicating which controls need to be applied to your IT Security policy.
Then you need to start the Wizard and answer the required questions (these are based on the results of risk assessment, i.e., the controls that need to be considered for the IT Security policy).
This way all the relevant controls will be covered in the IT Security Policy, and section 2 of the policy will refer to all controls that are included.
Flammability is a specification for the product. In the PPAP process, you will need to perform flammability tests while producing samples according to customer requests.
There is no expectation in the IATF standard as to the number of tests.
After the product approval, if there is no special customer requirement, it may be necessary to look at the annual product inspections and layout inspections.
The ISMS scope should be determined considering the information you want to protect, not the relation between the entities of a holding company (this specific issue about entities involved in the certification needs to be aligned with your certification body).
Regarding policies, since the entities have different natures, it would be better to draft different policies, according to the specific risk profile of each entity, as well as other specific issues.
According to the definition in Article 4 GDPR – Definitions, "personal data" means any information relating to an identified or identifiable natural person. The usernames, although some of them are emails and some of them are not, do lead to the identification of natural persons. They are considered pseudonymized personal data. According to the definition in the same Article 4 GDPR, "pseudonymization" means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
So storing this list of usernames is considered processing of personal data, also according to the definition in Article 4 GDPR, where ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data.
Article 27 – Representatives of controllers or processors not established in the Union states that if a data controller or data processor is not established in the European Union, and GDPR applies to it, then it must designate in writing a representative in the Union, established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behavior is monitored, are. Basically, if the Canadian company offers goods or services to people in the EU or if it monitors the behavior of people in the EU, GDPR applies to it and it must designate a representative in the Union.
As part of our EU GDPR Documentation Toolkit, we have a template for an Agreement for the appointment of an EU representative under Article 27 GDPR, which can also be purchased separately.
1. I presume this [information supplied that will be used regarding an employment contract] is on a need-to-know basis similar to how personnel records would be handled here in the United States, am I right?
If the company is subject to GDPR, then the company is either based in the EU or it offers goods/services to people in the EU or monitors the behavior of people in the EU. In any case, personal data must be processed according to the principles of lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability – as defined in Art. 5 GDPR - Principles relating to the processing of personal data – and according to the principle of data protection by design and by default, as defined in Art. 25 GDPR - Data protection by design and by default. Article 25 covers a need-to-know basis, as "[technical and organizational] measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons".
2. To do with an application for employment, are there any other parts of the GDPR that I should read?
I recommend reading the European Data Protection Board's opinion 2/2017 on data processing at work - wp249, link below.
3. Are there other Articles of the GDPR that I will be bound by?
GDPR applies to personal data controllers and processors (companies, persons, institutions) that process personal data, ensuring that people like you are protected with regard to the processing of personal data. GDPR protects the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data. So your employer will be bound by all GDPR requirements, and you are protected by all GDPR articles and recitals.
4. Art. 88 Item 3 gives the date 25 May 2018, so am I reading the most up-to-date version of GDPR?
Yes. GDPR has not been changed since May 25th, 2018.
Yes, you understand it right.
I’m assuming that:
Considering that, when the scope is only the head office, you do not need to audit the sub-sites.
In this case, the sub-sites can be audited as part of the supplier monitoring process, which is a completely separate process.
At most, during the audit of the head office, you can ask for the audit reports from the sub-sites, to check whether audits were performed and whether the treatment of raised non-conformities is being followed up, but you do not need to go into further detail.