1 - To satisfy the control, is it enough for an organization to just state that they identify & manage the relevant legislative, statutory, regulatory, and contractual requirements in their information security policy document?
In the Information Security Policy, you can only state the commitment to fulfill legal requirements and refer to the document where the relevant legislative, statutory, regulatory, and contractual requirements are listed.
You also need to implement your security policies and procedures, which will satisfy the identified legislative, statutory, regulatory, and contractual requirements.
These articles will provide you with further explanation:
2 - I am trying to understand if other evidence like a separate defined list of laws or at least an email from their legal department is absolutely necessary to fulfill it. For context, what if the organization has stated that "due to sensitivity and attorney client privilege" they would not share anything more than that first statement to reference?
Please note that while this statement may work for most situations, due to business or legal needs you may need to share part of or the whole information with third parties (e.g., in case a supplier needs a better understanding of a security clause, or if a legal authority demands it). In such cases, you should evaluate whether the value of sharing the information outweighs the risks. In this case, you should consider presenting only the minimum information required and adding an NDA.
This article can provide related information:
Article 3 – Territorial scope – states in paragraph 2 that “This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.” So, if the company offers goods and services to people in the EU (actually located in the EU), GDPR applies to the company. If the company offers goods and services to people in non-EU countries, and the company is not in the EU, GDPR doesn’t apply to them (even if EU citizens reside in the countries where the services are offered).
Please also consult these links:
There is no "one size fits all" approach. However, ITIL encompasses everything you need, at least for the beginning.
Here are the articles to help you while starting the implementation:
Additionally, use the ITIL 4 approach by following the value. That will help you focus on what is necessary and avoid overhead.
Regarding the Records of Processing Activities (ROPA), we have a template in our EU GDPR Toolkit that you purchased; you just fill in the details related to processing operations there. For example, if you offer SaaS services, you just need to fill in exactly the processing operations that are part of the services offered, without mentioning all the customers. The role of the ROPA is to have a view of all the processing operations in the organization, done in the Controller role or in the Processor role. Third parties need to be mentioned explicitly only when they perform different processing operations as suppliers (such as externalized backup services, or hosting services).
For more details please consult these resources:
The ISO 9001 Internal Auditor Course is applicable to people who are internal auditors of quality management systems (QMS). If a software company has a QMS, the ISO 9001 Internal Auditor Course will prepare internal auditors to audit the company’s QMS.
The following material will provide you with information about audits:
1: Do we need a Technical File for outsourced products that are manufactured elsewhere?
You need to have a technical file for products that you are placing on the market. If products that are manufactured elsewhere are part of your final device, yes, you need to have all necessary documentation from that outsourced product in your technical file.
2: Do we need a Technical File for products that we relabel?
Again, the question is who places the product on the market. If by putting the label on you state that you are a manufacturer, in that case you need to have the whole technical file. If by putting the label on you state that you are a distributor, in that case you do not have proper Technical documentation, but rather a medical device file according to ISO 13485, requirement 4.2.3, which will then contain the EC certificate, instructions for use, information on installation/service and the like, depending on the type of product.
3: Do we need a Technical File for products that we do not adapt or manufacture ourselves but that we buy and resell (as part of one of our products)?
I believe that I have answered this in the previous two answers. If something else needs to be clarified, feel free to contact us.
ISO 45001 is an international standard, intended to be used by any organization, in any industry, anywhere in the world. As such, it is written to be flexible in nature, giving requirements that describe what needs to be done, but not how to do it. So, the standard will not give details such as who does and does not need to be included in a management review; only that a management review needs to happen, certain data needs to be reviewed, and records need to be kept. In this case, not all organizations would have access to a doctor for this review, so the standard will not identify this as a requirement.
So, it is up to your organization to determine who needs to be included in your management review. If you do have a doctor on site they may be a valuable asset to this process, but ISO 45001 does not require that a doctor take part.
You can learn a bit more about how management review works in the article:
You could contact B2B leads using your legitimate interest to foster a mutually beneficial business, according to Art 6 GDPR (Lawfulness of processing), paragraph 1 (f). I recommend performing a Legitimate Interest Assessment to determine whether the purpose is correct (identify the legitimate interest), whether the processing is necessary (evaluate other means that might be less invasive), and the balancing test (consider the individual’s interests, such as not wanting to be contacted). If you go through the Legitimate Interest Assessment and decide to contact your B2B leads, please make sure you add a disclaimer at the end of the email to allow them to opt out from further communication.
Please consult these resources as well:
You should always approach risk assessment with professional skepticism.
For the impact, you need to take the worst-case scenario, i.e., what is the worst impact that can happen if the risk materializes. For likelihood, you have to assess how strong the current safeguards in place are, and how reliable this person is.
These articles will provide you with further explanation:
It is correct that AS9100 Rev D includes all of ISO 9001:2015, with additional requirements for aerospace organizations. What this means is that if a company is certified to AS9100, they are also certified to ISO 9001 in the same certification because they meet all requirements. In fact, most certification bodies I have seen will list both standards on the certificate.
As to the question of whether you should include AS9100 as a supplier requirement, this is completely determined by what you need to meet your customer and legal requirements. If you do not have a requirement from them to use only AS9100-certified suppliers for your Air Traffic Control products, I would hesitate to make this a requirement of your suppliers, as some of them may not comply with AS9100. If you wanted to include certification to ISO 9001 or AS9100 to make it clear that either is acceptable, this would be my recommended approach.
You can learn a bit more about the differences in the standards in the article: