
  • Position Description Question

    ISO 27001 does not prescribe how to define information security roles and responsibilities, so organizations are free to define them as best fits their needs, i.e., either as roles and responsibilities included in an existing Position Description that performs some information security activities (e.g., the Network Engineer) or as roles and responsibilities in a new Position Description in which information security is the core activity (e.g., the Chief Information Security Officer).

    Considering your example, in small and midsized businesses, a Network Engineer can perform information security activities (e.g., backup), then roles and responsibilities can be included in this Position Description. In bigger companies, it may be required that you have a specific role to perform a backup, so a Backup Engineer may be a required Position Description.

    This article will provide you with further explanation about documenting roles and responsibilities:

    • How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/

  • Necessity to include specific user

    In case he is providing only sporadic consultation about the documents and does not have specific roles and/or activities to perform regarding your ISMS documentation, he does not need to be included as a user in Conformio.

    Regarding ISO 27001, as a consultant, you only need to ensure that any relevant action performed or decision made involving this person is recorded. In this case you have two alternatives:
    1 – include this person as a user in Conformio, so you can use Conformio to assign, track and record activities assigned to him (e.g., ask him to review a document).
    2 – in case he is not a Conformio user, you need to send him the documents you want him to review and update Conformio with his answers (e.g., an email, meeting minutes, etc.).

    Please note that you do not need to define any role in the ISMS documents to have this consultant as a Conformio user (in this case he will only be a common user).

  • HR as asset and risk owner of SA

    Clear explanation!

  • ISO 9001:2015 Clause 6.2.2.

    An organization sets quality objectives. For each objective, you need to determine:

    • What needs to be done to change the organization's practices in order to be able to achieve the objective;
    • What resources will be required;
    • Who will be responsible for achieving each objective;
    • What timeframe is set to achieve the objective;
    • How you will know that the objective has been achieved: what is the target, and what are the success criteria to evaluate whether an objective was actually achieved?

    Does it make sense for you now?

    The following material will provide you with more information:

    • How to define Key performance indicators for a QMS based ISO 9001: https://advisera.com/9001academy/blog/2016/05/24/define-key-performance-indicators-qms-based-iso-9001/
    • How to Write Good Quality Objectives - https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
    • Please check this free webinar on demand - The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/
    • Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    • Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Asset inventory

    Control A.8.1.1 does not prescribe how to define assets, so assets that share the same threats and vulnerabilities can be defined as a single asset, as in your example “expert employees”; it is not necessary to define them individually. The same goes for the “employee computers” example.

    For more information on asset inventory, see:

  • Potential risks and opportunities associated with a road construction firm

    With your question I am assuming you are talking about the new requirements on Other Risks and Other Opportunities rather than OH&S Risks and OH&S Opportunities, which are associated with Hazards identified in the organization. These new requirements ask you to think of other strategic-level risks that could impact your ability to prevent injury and ill health in the workplace, as well as other opportunities to improve the performance of the OHSMS.

    Unfortunately, this will be very unique to your specific organization and not just generic to road construction, so I cannot just provide you with a listing. For instance, a strategic risk could include finding out a supplier was going out of business, which might affect your access to safety equipment, and a strategic opportunity could include a supplier developing a new machine that could positively impact safety in your organization. It is these strategic-level risks and opportunities that you need to include in your planning for the OHSMS.

    For more information on risks and opportunities in the ISO 45001 standard, see the articles:

    • What are the new requirements for risks and opportunities according to ISO 45001? https://advisera.com/45001academy/blog/2018/04/25/what-are-the-new-requirements-for-risks-and-opportunities-according-to-iso-45001/
    • The basics of ISO 45001 hazards, risks, and opportunities https://advisera.com/45001academy/blog/2021/02/22/the-basics-of-iso-45001-hazards-risks-and-opportunities/
  • Privacy Notice Webinar - EU GDPR Premium Kit questions

    1. Tudor Galos mentioned using a four-column table in a privacy notice. I didn’t get the column details quickly enough. Were they “category of data subject”, “personal data to be processed”, “purpose”, “legal basis”?

    This was a recommendation on customizing the Privacy Notice template in your Privacy Notices template. The columns I recommended for the association between personal data categories & purposes were “Personal Data Categories”, “Purpose of processing”, “Legal Basis”.

    2. TG also referred to the kit containing granular privacy notices. Did he just mean that you provide different ones for e.g. employees, supplier employees, web users etc.?

    Yes, I was referring to the privacy notices you have in the EU GDPR Premium Documentation Toolkit. In general, if you have a specific processing operation, different from the ones you had until now, you might choose to write a new privacy notice to inform the affected data subjects.

    3. Our privacy notice should give the supervisory authority a data subject can complain to. We are based in the UK, so obviously we give the ICO for UK residents. We process the personal data of EU residents, mainly from Germany, France and Spain. We have appointed an EU Representative with an address in Germany, as that is where the majority of the data subjects are. Which EU supervisory authority should be put in the privacy notice?

    For people in the EU you could provide the details of the EU Representative and of the relevant data protection authority in Germany, from the region where your EU Representative is established.

    4. When dealing with a corporate client or supplier, we may well be given the personal data – usually contact details – of other staff members. How do we deal with notifying them that we have their details? Commercially, it would be a bit odd if every time we emailed them direct. I could see us upsetting clients!

    If you are dealing with a corporate client or supplier, for the business relationship interactions – invoicing, emails with key updates, support, etc. – you are both data controllers. If your client/supplier is giving you details of other staff members, they are responsible for the processing and they should make sure that they inform their staff about this processing (transfer of information to you).

    Please also consult these resources:

  • Do we need ISO 13485?

    According to the MDR 2017/745, Annex VIII Classification rules, Rule 16 covers disinfectants and states the following:
    All devices intended specifically to be used for disinfecting or sterilizing medical devices are classified as class IIa, unless they are disinfecting solutions or washer-disinfectors intended specifically to be used for disinfecting invasive devices, as the end point of processing, in which case they are classified as class IIb.

    So, if your cleaning chemicals are used to disinfect those devices (mentioned in Rule 16), they are either class IIa or class IIb. This means that you need to have your cleaning chemicals certified according to the MDR and your quality management system according to ISO 13485:2016.

  • Career in GRC domain.

    Governance, Risk, and Compliance is not our field of work, but considering the information security aspects related to GRC, you should consider these certifications:

    • ISO 27001 Lead Implementer – this certification recognizes people who have competency in the ISO 27001 implementation process.
    • ISO 27001 Lead Auditor – this certification recognizes people who have competency in auditing an ISMS against ISO 27001 requirements and want to become certification auditors (and this provides more confidence to an organization being certified).

    These articles will provide you with a further explanation of ISO 27001 personnel certifications:

    For courses related to these certifications, please see:

  • ISO 27001 Management Review : Fulfillment of the security objectives

    Thanks a lot for your recommendation. Fortunately I've got the Advisera toolkit, so I will be able to see what is in the template shared :).
