
  • Preparation of the ISO27k Lead Auditor Exam

    1. Could you share any case study or role-play exercises?

    Answer: It's our policy not to provide specific answers or materials related to exams.

    2. Does this session require technical skills, such as knowledge of the controls, to answer correctly?

    Answer: For the Lead Auditor course and exam there is no need for deep knowledge about the controls to answer the questions, although basic knowledge will make it easier for you to develop your answers.

    3. Do we have to memorize the Annex A controls for the exam?

    Answer: There is no need to memorize specific information for the exam (you can consult the standard during the exam), but it is important you understand and memorize the general structure of the standard, because this will let you find what you want faster (e.g., if the question is about leadership, then you can go directly to section 5 of the standard).

    4. In the webinar, you mentioned that we should think of 5 to 6 findings. Do you mean we just arbitrarily think of some security findings, or will there be a case study that asks you for security findings and to describe the non-conformities?

    Answer: In the exam there will be case studies for you to read and evaluate whether or not they contain non-conformities (5 to 6 findings is the general quantity you can expect). You should note that not all case studies will contain non-conformities (one of the purposes of the exam is exactly this: to evaluate your understanding and skill in identifying situations that are non-conformities and when they are not).

    5. Lastly, do we have to study the ISMS Manual for the exam?

    Answer: ISO 27001 does not require an ISMS Manual, so this document will not be covered in the exam.
  • Courses for consultants


    Answer: For ISO management system consultants, the recommended courses are the Lead Auditor and Lead Implementer courses. For detailed information about ISO 27001 related courses I suggest you read these links:
    - What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
    - Lead Auditor Course vs. Lead Implementer Course – Which one to go for? https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/

    We will launch such courses in approximately 2 months.
  • DPO and Data Management

    2) In one trial, the CRO where I'm working is responsible for Data Management, so here it's clear to me that we are a data processor. But I have another trial where the DM is done by a third party, but we are checking the patients' data at the sites against the CRF data. Does it mean that here we are also a data processor? It's not clear to me in this situation.
    3) Is there any situation where a CRO might have the status of joint data controller? Or is the CRO always the data processor, even if not responsible for the data management?

    Answers:

    The DPO contact details should be provided to the patient when the patient consents to the trial and is presented with the Privacy Notice. Don't forget that the EU GDPR requires that the consent be informed, so the consent form should always be paired with the Privacy Notice.

    In the General Data Protection Notice in the EU GDPR Documentation Toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ there is a dedicated section where the DPO contact details need to be filled in.

    If the processing you do is based on the instructions of the DM, then you are a processor. If, however, you do the processing based on your own judgement, then you are a controller regardless of whether you receive the personal data from a third party.

    If the CRO decides the scope and means of processing together with another party, then we can assume joint processing. Each situation needs to be assessed in order to establish the controller, processor, or joint controller status.

    You should not assume that you are either until you have assessed the particular situation.

    To learn more about controllers and processors you can check out our article “EU GDPR controller vs. processor – What are the differences?” https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
  • List of documents - ISO 20000


    Answer:
    The List of Documents in the ISO 20000 Documentation Toolkit contains a column with a reference to the particular clause in the standard. In this way you can easily identify which document relates to a particular clause of the standard (or vice versa). This is useful while implementing ISO 20000 as well as during the certification audit.
    The list of documents can be downloaded here: https://advisera.com/wp-content/uploads//sites/6/2015/07/List_of_documents_ISO_20000_Documentation_Toolkit_EN.pdf
  • GDPR - processor to controller


    Answer:

    EU GDPR article 28 – “Processor” https://advisera.com/eugdpracademy/gdpr/processor/ requires controllers to “use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.” Thus, it is the controller that needs to be sure that it uses processors that comply with the EU GDPR requirements, not the other way around.

    In the EU GDPR Documentation Toolkit you can find in folder 7 a “Processor GDPR Compliance Questionnaire” which can be used as a benchmark in assessing a processor’s compliance with the EU GDPR. This document can be used also to further build up a methodology for auditing your most important processors.
  • Retention Policy


    Answer:

    The retention policy in the toolkit is meant to refer only to records containing personal data and is consistent with the requirements of EU GDPR article 5.1.(e) – “Principles relating to processing of personal data” https://advisera.com/gdpr/principles-relating-to-processing-of-personal-data/, namely that personal data cannot be kept for longer than is necessary for the purposes for which the personal data are processed.

    The retention periods in the Inventory of Processing Activities are consistent with the requirements of EU GDPR article 30 – “Records of processing activities” https://advisera.com/eugdpracademy/gdpr/records-of-processing-activities/. My suggestion is to have the information about retention periods in your Data Retention Policy (Annex - Data Retention Schedule), since this policy will most likely be available to all employees, as opposed to the Inventory of Processing Activities, which is usually handled by the DPO or the person responsible for data protection.
  • Data Breach Register


    Answer:

    EU GDPR requires controllers to report personal data breaches “without undue delay and, where feasible, not later than 72 hours after having become aware of it” to the Supervisory Authority if the breach is likely to result in a risk to the rights and freedoms of natural persons (Article 33 - Notification of a personal data breach to the supervisory authority https://advisera.com/eugdpracademy/gdpr/notification-of-a-personal-data-breach-to-the-supervisory-authority/).
    However, if a breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay (Article 34 - Communication of a personal data breach to the data subject https://advisera.com/eugdpracademy/gdpr/communication-of-a-personal-data-breach-to-the-data-subject/).
    Controllers are not required to notify the data breach if the data breach is unlikely to result in a risk to the rights and freedoms of the data subjects.

    So, it is the controller that needs to assess the severity of the data breach and decide which action to take.

    To find out more about how to assess the severity of personal data breaches you can consult our whitepaper “Assessing the severity of personal data breaches according to GDPR” https://info.advisera.com/eugdpracademy/free-download/assessing-the-severity-of-personal-data-breaches-according-to-gdpr
  • DPO Module 5: Basic Rules for DSAR


    Answer:

    The provisions of Article 12 of the GDPR offer the answer to your question. According to paragraph 3, “The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.” https://advisera.com/eugdpracademy/gdpr/transparent-information-communication-and-modalities-for-the-exercise-of-the-rights-of-the-data-subject/

    You can find out more about DSARs from our webinar “Data Subject Rights under the EU GDPR” https://advisera.com/eugdpracademy/webinar/data-subject-rights-under-the-eu-gdpr-free-webinar-on-demand/
  • Clause 7.4 on communication

    The organization shall determine the internal and external communications relevant to the quality management system, including:
    a) what to communicate: information relevant to the QMS;
    b) when to communicate: the information must be communicated in a timely manner;
    c) with whom to communicate: whoever is needed to produce a result;
    d) how to communicate: which means of transmission is appropriate;
    e) who communicates: who has the responsibility for transmitting the information.
    The information that is relevant to the QMS and must be communicated is the following:
    - Information relevant to conformity with the requirements.
    - Information related to the customer and their requirements.
    - Information about changes to the requirements.
    - Information for decision-making.
    - Information for achieving objectives.
    - Information about risks and opportunities.
    Likewise, keep in mind that communication can be internal or external (e.g. with suppliers), formal or informal, and communications can be mandatory or merely informative.
    For more information, these materials may be useful:
    - Article "Communication requirements according to ISO 9001:2015": https://advisera.com/9001academy/blog/2016/11/01/communication-requirements-according-to-iso-9001-2015/
    - Book "Gestión de documentación ISO: una guía en un lenguaje sencillo" (Spanish edition): https://advisera.com/books/gestion-de-documentacion-iso-una-guia-en-un-lenguaje-sencillo/
  • Knowledge of the organization

    The term "knowledge of the organization" refers to the knowledge that the personnel within the organization need in order to operate its processes and to achieve conformity of its products and/or services; it is not the knowledge they have about the organization itself. Although the standard does not require it to be documented, it is recommended that you establish how the knowledge is kept up to date and what its scope is.
    These materials may be useful:
    - Article "How to manage knowledge of the organization according to ISO 9001" (available in English): https://advisera.com/9001academy/blog/2016/08/30/how-to-manage-knowledge-of-the-organization-according-to-the-iso9001/
    - Book "Preparación para la auditoria de certificación: una guía en un lenguaje sencillo" (Spanish edition): https://advisera.com/books/preparacion-para-la-auditoria-de-certificacion-iso-una-guia-en-un-lenguaje-sencillo/
    - ISO 9001:2015 Foundations course (in Spanish): https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
