Search results

Determining necessary security measures

1- From the role of DPO in a Spanish company (provider of Head Hunting and Personnel Search services) that has begun its adaptation to GDPR, how should the actions to be taken be planned in an orderly manner to determine the necessary security measures? , which guarantee the rights of users (candidates who apply for Internet searches and through forms/questionnaires to be completed on the institutional website of the Spanish company) and also the security of the information of their personal data (sensitive because they have health data)?

We have an EU GDPR Documentation Toolkit which is structured in a simple and intuitive way to help you drive your GDPR-Compliance project. You can start with the Project Plan, in the first Directory, and gather all the necessary information to fill in all the required documents. The toolkit also contains privacy notices templates that you can use to inform the candidates about how you process their personal data. Moreover, you also have Live Expert Support, should you require it. 

On our website we also have resources that you can use, please consult these links as well:

• 9 steps for implementing GDPR: https://advisera.com/articles/9-steps-for-implementing-gdpr/
• A summary of 10 key GDPR requirements: https://advisera.com/eugdpracademy/knowledgebase/a-summary-of-10-key-gdpr-requirements
• EU GDPR Document Toolkit: https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/

2. Would there be a document or article published on the Internet that has a mapping between what is required by GDPR and what is recommended by good practices: ISO 27001, ISO 27701, ISO 27002, ISO 27018?

We have a free webinar – How to integrate GDPR with ISO 27001 – which we offer for free, you can listen to the recording or join the next time it will be live. Also, we have some free resources on our website, please consult these links as well:

• How an ISO 27001 expert can become a GDPR data protection officer: https://advisera.com/27001academy/blog/2020/01/20/iso-27001-practitioner-becoming-a-gdpr-data-protection-officer/
• What is EU GDPR and how can ISO 27001 help?: https://info.advisera.com/27001academy/free-download/what-is-eu-gdpr-and-how-can-iso-27001-help
• Relationship between ISO 27701, ISO 27001, and ISO 27002: https://advisera.com/27001academy/blog/2019/12/10/relationship-between-iso-27701-iso-27001-and-iso-27002/
• How to integrate GDPR with ISO 27001: https://advisera.com/eugdpracademy/webinar/how-to-integrate-gdpr-with-iso-27001-free-webinar-on-demand/

Labeling of medical device accessories

The standard that talks about symbols for medical products is ISO 15223-1:2021. There is no laser symbol specifically in it, but it says that the manufacturer is responsible for conducting a risk analysis based on which he will assess what information he must provide to the user. In your risk analysis, the danger of laser beams must be covered, so it is logical that such a symbol exists on the product.

Supplier Security Policy

I’m assuming you are referring to the text “, as well as audit the supplier or partner at least once a year.” in section 3.5 of the Supplier Security Policy.

Considering that this text means that, as you need to audit your processes, you also need to audit suppliers and partners to ensure they have implemented the security controls you agreed with them, and if the controls are performing properly.

Please note that such audits are required only if control A.15.2.1 - Monitoring and review of supplier services is stated as applicable in the Statement of Applicability.

Additionally, there are different types of audits, some more thorough (e.g., a comprehensive local audit), others simpler (e.g., verification of applied security clauses), and you should consider criteria such as the criticality of the supplier, results of previous audits and incidents history to decide which audit approach to apply.

For further information, see:

• 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
• How to perform an ISO 27001 second-party audit of an outsourced supplier https://advisera.com/27001academy/blog/2017/10/10/how-to-perform-an-iso-27001-second-party-audit-of-an-outsourced-supplier/

Internal Audit Questions

1. On the first management review meeting should we discuss about the Internal Audit  

Results of performed internal audits are mandatory inputs to be discussed in the management review.

For further information, see:

• Why is management review important for ISO 27001 and ISO 22301? https://advisera.com/27001academy/blog/2014/03/03/why-is-management-review-important-for-iso-27001-and-iso-22301/

2. Should the project manager gather all pieces of information during the project implementation

The project manager is responsible to ensure that information needed for the ISMS implementation is identified and gathered by the information owners (e.g., department heads, process owners, users, etc.).

Please note that the project manager has a coordinator role regarding tasks to be performed in the ISMS implementation project.

For further information, see:

• RACI matrix for ISO 27001 implementation project https://advisera.com/27001academy/blog/2018/11/05/raci-matrix-for-iso-27001-implementation-project/

ISO security framework or standard for IoT

I’m assuming that by CSA you mean Cloud Security Alliance.

Considering that, ISO has three specific standards related to IoT:

• ISO/IEC 21823-2:2020 Internet of things (IoT) — Interoperability for IoT systems — Part 2: Transport interoperability
• ISO/IEC TR 30164:2020 Internet of things (IoT) — Edge computing
• ISO/IEC TR 30166:2020 Internet of things (IoT) — Industrial IoT

They do not define a security framework for IoT, but security requirements that need to be considered (e.g., Security and privacy, by ISO/IEC TR 30164:2020, and Security requirements by ISO/IEC 21823-2:2020), and ISO 27001 can be used to implement the security framework to fulfill such requirements.

These articles will provide you with further explanation about ISO 27001 and how to work with security controls:

• The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
• Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/

• A.18.1.1 Identification of applicable legislation and contractual requirements

  1 - To satisfy the control, is it enough for an organization to just state that they identify & manage the relevant legislative statutory, regulatory, contractual requirements in their information security policy document?

  In the Information Security Policy, you can only state the commitment to fulfill legal requirements and refer to the document where the relevant legislative statutory, regulatory, and contractual requirements are listed.

  You also need to implement your security policies and procedures, which will satisfy the identified legislative, statutory, regulatory, and contractual requirements.

  These articles will provide you with further explanation:

  • What is the ISO 27001 Information Security Policy, and how can you write it yourself? https://advisera.com/27001academy/blog/2016/05/30/what-should-you-write-in-your-information-security-policy-according-to-iso-27001/
  • Information security policy – how detailed should it be? https://advisera.com/27001academy/blog/2010/05/26/information-security-policy-how-detailed-should-it-be/

  2 - I am trying to understand if other evidence like a separate defined list of laws or at least an email from their legal department is absolutely necessary to fulfill it. For context, what if the organization has stated that "due to sensitivity and attorney client privilege" they would not share anything more than that first statement to reference?

  Please note that while this statement may work for most situations, due to business or legal needs you may need to share part or the whole information with third parties (e.g., in case a supplier needs a better understanding of a security clause, or if legal authority demands it). In such cases, you should evaluate if the value of sharing the information overwhelms the risks. In this case, you should consider presenting only the minimum information required and add an NDA.

  This article can provide related information:

  • 3 reasons why ISO 27001 helps to protect confidential information in law firms https://advisera.com/27001academy/blog/2019/10/15/iso-27001-for-law-firms-3-ways-to-maintain-confidentiality/

  • GDPR applicability

    Article 3 – Territorial scope – states in paragraph 2 that “This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.” . So, if the company offers goods and services to people in the EU (actually positioned in the EU), GDPR applies to the company. If the company offers goods and services to people in non-EU countries, and the company is not in the EU, GDPR doesn’t apply to them (even if EU citizens reside in the services countries).

    Please also consult these links:

    • Article 3 GDPR – Territorial Scope https://advisera.com/eugdpracademy/gdpr/territorial-scope/
    • What is the EU GDPR and why is it applicable to the whole world? https://advisera.com/eugdpracademy/knowledgebase/what-is-the-eu-gdpr-and-why-is-it-applicable-to-the-whole-world/
    • Is the GDPR applicable to our company? https://advisera.com/eugdpracademy/knowledgebase/who-needs-to-be-gdpr-compliant-an-easy-explanation/
    • Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR https://edpb.europa.eu/our-work-tools/documents/public-consultations/2021/guidelines-052021-interplay-between-application_en

  • ITMS Process

    There is no „one size fits all“ approach. However, ITIL encompasses everything you need, at least for the beginning.

    Here are the articles to help you while starting the implementation:

    • „Ready, steady… go – Starting ITIL implementation“ https://advisera.com/20000academy/blog/2014/06/10/ready-steady-go-starting-itil-implementation/
    • „Considerations before ITIL implementation“ https://advisera.com/20000academy/blog/2014/05/21/considerations-itil-implementation/

    Additionally, use the ITIL4 approach by following the value. That will help you focus on necessary and avoid overhead.

  • Data Processing Questions

    Regarding the Records of Processing Activities (ROPA), we have a template in our EU GDPR Toolkit that you purchased, you just fill in there details related to processing operations. For example, if you offer SaaS services, you just need to fill in exactly the processing operations that are part of the services offered, without mentioning all the customers. The role of the ROPA is to have a view related to all the processing operations in the organization, done for the Controller role or for the Processor role. Third parties need to be mentioned explicitly only when they perform different processing operations as suppliers (such as externalized backup services, or hosting services).

    For more details please consult these resources:

    • Article 30 – Records of processing activities: https://advisera.com/eugdpracademy/gdpr/records-of-processing-activities/
    • Understanding 6 key GDPR principles: https://advisera.com/eugdpracademy/knowledgebase/understanding-6-key-gdpr-principles/
    • Inventory of Processing Activities: https://advisera.com/eugdpracademy/documentation/inventory-of-processing-activities/

  • ISO 9001 to Software companies

    ISO 9001 Internal Auditor Course is applicable to people, internal auditors of quality management systems (QMS). If a software company has a QMS, ISO 9001 Internal Auditor Course will prepare internal auditors to audit the company’s QMS.

    The following material will provide you with information about audits:

    • ISO 9001 – ISO 9001 internal auditor training: Is it for me? - https://advisera.com/9001academy/blog/2015/06/02/iso-9001-internal-auditor-training-is-it-for-me/
    • Book -  ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/