
  • GDPR Scope and applicability

    As per Article 3 GDPR, Territorial scope, GDPR applies to non-EU organizations that either offer goods or services to data subjects in the Union or that monitor their behavior as far as their behavior takes place within the Union. In your case, however, from your input, you don’t offer goods and services to people in the EU; you offer services to organizations in the EU. In this case, you should act as a Data Processor for personal data that you process on behalf of your customers. However, as per Chapter V GDPR - Transfers of personal data to third countries or international organizations, and per the European Data Protection Board’s Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR, there is a transfer of personal data between your EU customers and your US company. So, per Article 44 – General principle for transfers and per Article 46 – Transfers subject to appropriate safeguards, you should use an appropriate legal mechanism for the compliant personal data transfer between the EU and the US. You might choose to use the Standard Contractual Clauses (SCCs) templates, the latest version issued by the European Commission, but you must take into consideration that after the European Union Court of Justice Schrems II decision, you should make sure that the transferred personal data has the same level of protection as is offered under GDPR, by taking the right technical and organizational measures needed to protect the data.

    As part of our EU GDPR Toolkit, we have a Cross Border Personal Data Transfer Procedure template and the EU SCCs with comments that help you fill in the template.

    Please also consult these links:

  • ISMS Scope Extension

    First, it is important to note that the steps you mentioned are related to information security risk management, and before that you first need to perform the evaluation of the organizational context from the finance department's point of view, so you can identify business and legal requirements that may impact this new element of your scope.

    The best course of action is for you to follow the implementation steps explained in a previous answer, only to ensure you do not forget any step. In case you identify that a step does not give rise to changes in your ISMS (e.g., review of organization structure), you can simply skip it.

    Regarding step 3, please note that only part of Annex A controls is technical (for example, controls from section A.6.1 Internal organization are administrative controls).

    Considering that, the main role of the risk owner is to ensure that risks are properly managed. This person does not need to define all the controls by himself. He can count on the support of experts from his own area (e.g., a process key user), or from other areas (e.g., IT department) to help him define which controls to apply.

    For further information, see:

    Regarding step 4, you do not need another SoA. Since you are extending the certification scope, a single SoA is sufficient.

  • The difference between QMS and TQM

    It is difficult for me to provide you with what you are searching for, “clarification”.

    Why do I say that? Because I don’t have an ISO 9000 definition of what is TQM. Sure the internet is full of definitions, but I would like to work with an authoritative one.

    Some authors say that QMS has a wider scope than TQM and others say the exact opposite. In my opinion, and this is just my opinion, TQM and a QMS seek to achieve the same kind of result. However, TQM focuses much more on improvement projects aimed at continually improving performance and customer satisfaction.

  • Auditing suppliers - ISO 27001/Data Protection

    Hello.

    One "lighter" audit you can perform is to check if the supplier is ISO27001-certified, if they have a SOC2 audit report to read through, and penetration test reports, as a way of evaluating their security posture and to see if they fulfill your security requirements. SOC2 audit reports usually list any deficiencies identified; the fact that the supplier is ISO27001-certified means that they have passed both an internal audit and an external audit with no Major Non-Conformity, which is a good sign in itself; penetration test reports can show what sort of vulnerabilities were identified, and you can ask the supplier how and when they addressed these vulnerabilities.

    This "lighter" audit is a valid option especially in the case when you have signed standard agreements with SaaS-based or cloud providers that don't give you the option of signing a tailored agreement with your specific security clauses and so restrict you from performing onsite or remote audits.

    If they don't have anything, then unfortunately the only thing you can resort to is Information Security Questionnaires that they need to fill out, and then reading their replies. Since anything written can potentially be a lie unless you verify it, you can also request samples of evidence for any claims they make in terms of controls and evaluate this.

    If they don't even provide that, then maybe you should flag this supplier as risky and bring up with management whether arrangements and a plan to replace the supplier with another supplier should be considered.

  • KPIs to measure results

    I don’t know if I understood your question correctly.

    You have a set of KPIs. You monitor and measure performance according to those KPIs. Periodically, your organization analyzes and evaluates performance to make conclusions and take decisions.

    Establish a frequency for those activities and record them.

    My only concern is that those KPIs may be such high level that they do not include all process indicators. Your organization should monitor process performance.

    Please check this free webinar on demand:

    • Free webinar Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar-on-demand/

  • How to show impartiality in the QMS?

    In this case you will be focusing on internal issues, personal relationships, or other conflicts of interest between operations and quality activities. In these situations, impartiality can be safeguarded by establishing clear measurable quality objectives and a commitment as operations manager that decisions will not be taken which could impact the quality objectives. Use independent internal auditors to ensure fair, unbiased decisions are evident. For example, not taking on more work than the laboratory can cope with, nor putting unfair pressure on laboratory personnel to rush results by taking shortcuts. Any identified risks must be addressed and resolved.

    For more information, have a look at the advice answers:

    Compliance with the ISO/IEC 17025:2017 requirement for Impartiality - https://community.advisera.com/topic/compliance-with-the-isoiec-170252017-requirement-for-impartiality/
    Procedure for impartiality - https://community.advisera.com/topic/procedure-for-impartiality/
    The ISO 17025 document template: Registry of Key Risks and Opportunities, is available for purchase - https://advisera.com/17025academy/documentation/registry-of-key-risks-and-opportunities/

  • QUERY ABOUT THE PROCEDURES OF THE QMS ISO 9001:2015

    No, it is not mandatory to have a flowchart in a procedure. It is up to each organization to decide the composition of a procedure.

  • In house food laboratory accreditation

    As an internal QC laboratory, you need to consider the needs of production, as your “client”, when you review the client requests. Reporting can be simplified, as agreed, as long as the internal user has accurate, valid information on which to make a decision.

    Regarding the quality policy for an ISO 17025 laboratory, it needs to specifically address safeguarding impartiality, competency and consistent valid results.

    For impartiality, look at risks due to shared resources, reporting structures where QC personnel may report to the production manager, and possible undue pressure on the QC lab to speed up release of results. Look at the article How to ensure impartiality in an ISO 17025 laboratory at https://advisera.com/17025academy/blog/2020/10/12/ensuring-impartiality-in-an-iso-17025-laboratory/

  • CCTV retention time

    ISO 27001 does not prescribe retention times for records.

    To identify the required retention time, you need to consider the results of the risk assessment and applicable legal requirements (e.g., laws, regulations, and contracts).

    In case there are no relevant risks or legal requirements defining for how long to keep records such as CCTV images, the organization can adopt the retention time that best fulfills its needs.

    For further information see:

