Not knowing your previous knowledge about ISO 9001:2015 and about quality audits, I would recommend you attend a course about ISO 9001:2015 and a course on internal audits. Then, you should network with your contacts in order to practice some internal auditing as an external auditor. After some audits, if you feel at ease and if you have any idea about a particular certification body that you want to work with, you can contact them and ask about their requirements. Sometimes they want or prefer auditors with a particular training recognition, like IRCA certification.
The following material will provide you with information about internal audits:
Answer: I'm assuming you are referring to SoA (Statement of Applicability). Considering that, it is possible that applicable controls in SoA are already implemented when the SoA is developed, but this is very unusual. In such situations you can use the risk treatment plan as an improvement tool to enhance the performance or efficiency of controls as needed.
2. As the ISMS scope can vary, how do we forecast or plan the ISO 27K project timeline?
Answer: Once defined, the ISMS scope will probably not change, but to have an expectation about the project budget and timeline you need to finish the risk treatment. Only after that will you know the timing and resources for the ISMS implementation.
3. If the ISMS scope covers only information contained on paper, can the computing system that prints the paper be put out of scope?
Answer: Information security is about the protection of information regardless of where it is, so if the information you want to protect is both on paper and on computing systems, then both must be included in the ISMS scope.
For this reason we were also analyzing the implementation of additional ISO standards. In particular, we are considering the 4 parts that make up ISO 27036, specialized in supply chain security, and ISO 27031 for BC, always in relation to this supply chain.
As expressed and similarly to what you have already supplied, I wanted to ask you if there is a convenient integration of documentation for ISO 27036 and ISO 27031.
Answer: ISO 27036 (Information security for supplier relationships) and ISO 27031 (Guidelines for information and communication technology readiness for business continuity) provide detailed information regarding the implementation of controls from sections A.15 (Supplier relationships) and A.17 (Information security aspects of business continuity management) of ISO 27001 Annex A. So to integrate these standards into your implementation you just have to include the details you want in the templates related to these sections (you can find the information about which template covers which section in the List of Documents file that comes with your toolkit).
Normally it is very difficult to implement several standards at the same time. I suggest you start with 27001, and once this one is finished, expand the implementation with the other mentioned standards.
I don't think vital interests and public interest fit best as a lawful basis for processing. Vital interest can be used when the processing is necessary in order to protect the vital interests of the individual or of another natural person. This is typically limited to processing needed for medical emergencies, and I am not sure this applies in your case.
Public interest can be used when the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Those functions must arise under Member State or EU law, and again this is most likely not your case.
The two legal bases above are quite limiting and can be used only if the life of the data subject is being threatened, and I am not sure software falls into that category.
Usually in your case the preferred legal basis would be either consent, which needs to be explicit, or contractual obligation if the patient enters into a clinical trial contract with the Partner.
MDM
Employees are using their private devices for work purposes.
My question is whether it is legal to use Google's MDM solution on private phones with regard to GDPR. If not, could you please provide advice on how to approach this? What options do we have?
Answer:
You can use such monitoring software based on legitimate interest and this is lawful provided that:
There are two main sources of OH&S risks:
1. risks emerging from OH&S hazards, legal and other requirements and effectiveness of existing controls;
2. risks related to the establishment, implementation, operation and maintenance of the OH&SMS.
For example, you can have low awareness among employees regarding the hazards, which can lead to operational controls not being applied, so there is a higher risk of OH&S incidents due to the low awareness. This can be perceived as a risk from the internal context of the organization, and as an action to address this risk, the organization can plan and develop awareness-raising sessions for employees in order to ensure the operational controls are applied properly.
The standard has requirements for maintenance of the infrastructure (clause 6.3), and laboratory instruments can fit into this category as process equipment (clause 6.3 b)). This clause requires the organization to document requirements for maintenance activities (in your case, cleaning), including the interval for performing these activities, and to keep records of the maintenance activities.
This means that you should have some record of the cleaning activities. This record can contain information on the date of the cleaning, the person who performed the cleaning and, optionally, the type of cleaning activities. Depending on the type of instruments you have and the frequency of cleaning, you can have either a separate record for each instrument or one record for a group of instruments.
The list of questions should be designed to ensure that:
- externally provided processes, products and services conform to the requirements
- the organization applies controls to externally provided processes, services or products
- the organization determines and applies criteria for the evaluation, selection, performance monitoring and re-evaluation of external providers
- the organization retains documented information on these activities
- the organization communicates correctly with external providers
Article 4 – Definitions of the EU GDPR (https://advisera.com/gdpr/definitions/) defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;” so this definitely includes the account number as well as the credit card number.
As regards data breaches, notifying data breaches was not required under the old directive but is now required under the EU GDPR under certain circumstances that relate to the likelihood of the breach affecting the rights and freedoms of the data subjects. So, if there is no risk to the data subject, a controller can choose not to notify a breach. However, if we are talking about financial data, it is most likely that there would be a risk for the affected data subjects, thus the breach would need to be reported.
Answer: Regarding section 2.4 of the ISMS scope document, you do not have to state each asset of the IT infrastructure separately. It is sufficient to state the types of assets, as you mentioned. It is also important to include the networks involved (e.g., the organization's LAN, or a data center sub-network).
Included in the template are comments with examples you can use to define your ISMS scope.