Search results

GDPR implementation

There are many methodologies in order to drive a GDPR-compliance project. At Advisera, we have an EU GDPR Toolkit containing 39 document templates – all documents required by GDPR, plus commonly used non-mandatory documents – which can help you drive your GDPR-compliance project, as the toolkit is designed in a structured way, allowing you to start the project while filling the documents in the first directory, Preparations for the Project. This directory contains a Readiness Assessment Template and a Project Plan Template, which can be filled using our step-by-step indications in the comments from the documents. Then you can start filling the templates available in all the directories in the toolkit. The toolkit also provides you access to video tutorials, email support, expert review of a document, one hour of live one-on-one online consultations with a GDPR expert, and many other benefits.

We can also help you with free GDPR training (at the end you can purchase a certification), free articles, and free webinars.

Please also consult these resources:

• EU GDPR Documentation Toolkit: https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/
• EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/
• EU GDPR Data Protection Officer Course: https://advisera.com/training/eu-gdpr-data-protection-officer-course/
• 9 steps for implementing GDPR: https://advisera.com/articles/9-steps-for-implementing-gdpr/
• List of mandatory documents required by EU GDPR: https://advisera.com/articles/list-of-mandatory-documents-required-by-eu-gdpr/
• A summary of 10 key GDPR requirements: https://advisera.com/eugdpracademy/knowledgebase/a-summary-of-10-key-gdpr-requirements/

ISO 13485 Internal Auditor

One solution is that all of you are educated for internal auditors and audit each other. Another solution is to hire an external company that will provide the internal audit for you. It can be a consultant company that knows the ISO 13485 (you need proof of that), or a person who is an auditor for other notify bodies and with whom you will have a contract that he/she is your internal auditor.   

Special Interest Groups

Examples of special interest groups are manufacturers, specialized forums, and professional associations. The government is another example of a special interest group.

This article will provide you with further explanation about special interest groups:

• Special interest groups: A useful resource to support your ISMS https://advisera.com/27001academy/blog/2015/04/06/special-interest-groups-a-useful-resource-to-support-your-isms

SOA Based ISMS Manual

If I understood correctly, you’ve sent the SoA-based ISMS Manual.

Considering that, first is important to note that an SoA compliant with ISO 27001 must contain the following information:

• All applied controls
• Justification for inclusions
• Implementation status
• justification for exclusions of controls from Annex A

In case any of this information is missing, the SoA document will not be accepted by an auditor.

As for the 2nd level document (the SoA Based ISMS Manual), we do not recommend such an approach to our customers, because this kind of document requires a great effort to be written but is of very limited use for employees in the company. Instead, you should focus on writing the security policies and procedures (included in your toolkit) that describe how to implement and maintain security in your company.

For further information about an ISMS manual, please see:

• Is the ISO 27001 Manual really necessary? https://advisera.com/27001academy/blog/2014/02/03/is-the-iso-27001-manual-really-necessary/

• Position Description Question

  ISO 27001 does not prescribe how to define information security roles and responsibilities, so organizations are free to define them as best fit their needs, i.e., either as roles and responsibilities included in an existing Position Description that performs some information security activities (e.g., the Network Engineer) or as roles and responsibilities in a new Position Description on which information security is the core activities (e.g., the Chief Information Security Officer). 

  Considering your example, in small and midsized businesses, a Network Engineer can perform information security activities (e.g., backup), then roles and responsibilities can be included in this Position Description. In bigger companies, it may be required that you have a specific role to perform a backup, so a Backup Engineer may be a required Position Description.

  This article will provide you with further explanation about documenting roles and responsibilities:

  • How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/

  • Necessity to include specific user

    In case he is providing only sporadic consultation about the documents and does not have specific roles and/or activities to perform regarding your ISMS documentation, he does not need to be included as a user in Conformio.

    Regarding ISO 27001, as consultant, you only need to ensure that any relevant performed action or made decision involving this person is recorded. In this case you have two alternatives:
    1 – include this person as user in Conformio, so you can use Conformio to assign, track and record activities assigned to him (e.g., ask him to review a document).
    2 – in case he is not a Conformio’s user, you need to send documents you want him to review and update to Conformio his answers (e.g., an email, a meeting minute, etc.).

    Please note that you do not need to define any role in the ISMS documents to have this consultant as Conformio’s user (in this case he will only be common user).

  • HR as asset and risk owner of SA

    Clear explanation!

  • ISO 9001:2015 Clause 6.2.2.

    An organization sets quality objectives. For each objective, you need to determine:

    • What needs to be done to change the organization's practices in order to be able to achieve the objectives;
    • What resources will be required
    • Who will be responsible for achieving each objective
    • What timeframe to achieve the objective
    • How will you know that the objective has been achieved? What is the target, what are the success criteria to evaluate if an objective was actually achieved? 

    Does it make sense for you now?

    The following material will provide you with more information:

    • How to define Key performance indicators for a QMS based ISO 9001: https://advisera.com/9001academy/blog/2016/05/24/define-key-performance-indicators-qms-based-iso-9001/
    • How to Write Good Quality Objectives - https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
    • Please check this free webinar on demand - The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/
    • Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    • Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

    • Asset inventory

      Control A.8.1.1 does not prescribe how to define assets, so for assets that share the same threats and vulnerabilities, they can be defined with a single asset, as in your example “expert employees”, it is not necessary to define them individually. The same goes for the “employee computers” example.

      For more information on asset inventory, see:

      • Asset management according to ISO 27001: How to handle an asset register/asset inventory https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/