Search results


  • Design validation


    Answer:

    Validation means the confirmation, with objective evidence, that the requirements for a specific intended use have been fulfilled. Can your company show, for example, the results of tests that demonstrate validation?

    Another approach is to consider that your organization only performs a final verification to put the products on a catalog and that validation is done with the customer, after the customization and final customer approval. Normally, I use customer final approval as a sign of validation.

    The following material will provide you information about design validation:

    - ISO 9001 – Design Verification vs Design Validation - https://advisera.com/9001academy/knowledgebase/iso9001-design-verification-vs-design-validation/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Cross border transfer


    Answer:

    First of all, I would like to mention that cross border transfer refers to the situation where personal data is stored or accessed from outside the EEA. So in your case, if the data is stored in the UK but it can be accessed from the US, then it is definitely a cross border data transfer.
  • Quality policy and quality objectives


    Answer:

    How does your organization win its most desirable customers? What do they value the most? Are there relevant interested parties that help you win business? What do they value the most? The answers to these questions help you assess the strategic orientation of your organization.

    When I work with the top management of an organization I follow this recipe:

    - Who we are and what our business is (for example, our business is not what we manufacture but the results that our customers get);
    - For whom do we work;
    - In what kind of challenges do we need to be the best;
    - And include the two commitments of the standard (continual improvement and meeting customer and regulatory requirements).

    For example:

    "Company name" is an industrial company specialized in comfort footwear.

    We serve customers who need a supply of comfort footwear for professional uses.

    In order to better serve our customers, we believe that we must seek to continuously improve:

    - Our ability to develop, to be able to respond quickly to requests for samples;
    - A language of product that differentiates us and supports the promise of comfort;
    - The ace card of being a manufacturer and being able to be faster and more flexible in production;
    - The fulfillment of our commitments.

    Considering this example of quality policy, quality objectives can be:

    - Average time to finish a sample request;
    - Ratio of success of samples to target customers;
    - Ratio of complying with agreed delivery dates;
    - Ratio of complaints;
    - Internal defects rate (number of defects per 1000 produced pairs).

    Look at how the objectives allow you to monitor the promises made in the quality policy.

    The following material will provide you information about quality policy and objectives:

    - ISO 9001 – How to Write a Good Quality Policy - https://advisera.com/9001academy/blog/2014/03/25/write-good-quality-policy/
    - How to Write Good Quality Objectives - https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Using DPIA

    2. Is a separate DPIA required each time this occurs? The spreadsheet provided as a template doesn't seem to speak to these events

    Answers:

    1. According to EU GDPR article 35 – “Data protection impact assessment” (https://advisera.com/eugdpracademy/gdpr/data-protection-impact-assessment/), a DPIA is required if you are processing “personal data relating to criminal convictions and offences”. Although the EU GDPR also mentions that the processing activity would need to be on a “large scale”, I would strongly advise you to perform a DPIA for background checking prior to employment.

    2. You don’t need a DPIA each time you do a background check; you can just mention the background checking as a processing activity, and this would cover all the cases in which you do a background check, provided that you process the same data in a similar way.
  • Publishing Privacy Policy


    Answer:

    Based on your description below, it does not make sense to publish the Privacy Policy on your website unless you use the website to collect data, for example CVs for recruitment purposes, or to get data subjects to set up an account.

    In the case above you just need to publish the Privacy Policy on your intranet for example.

    Regarding DSARs, these should come from the data subjects for which you are acting as controller, so you need to provide this information only to them. For example, in the case of requests from your employees, you can provide the information on your intranet. However, bear in mind that former employees also have these rights, so the information should be available to them as well, and the intranet might not be sufficient in this case.

    You can find out more about Data Subject Access Requests from our webinar “Data Subject Rights under the EU GDPR” (https://advisera.com/eugdpracademy/webinar/data-subject-rights-under-the-eu-gdpr-free-webinar-on-demand/).
  • Antivirus protection


    Answer:

    The antivirus protects data only with regard to certain types of threats, usually external threats, and this is hardly enough to prove that you are keeping the data safe.

    The EU GDPR in article 32 - Security of processing (https://advisera.com/eugdpracademy/gdpr/security-of-processing/) mentions “pseudonymisation and encryption of personal data” as examples of measures that can be taken to protect the data.

    However, it is up to the controllers and processors to establish “appropriate technical and organizational measures” based on the types and categories of personal data they are processing as well as the purpose of the processing (obviously a bank would need to have stricter security measures than an online shop selling flowers). In our folder 8_Security of Processing in our EU GDPR Documentation Toolkit (https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/).

    You can also check out our article “How cybersecurity solutions can help with GDPR compliance” https://advisera.com/eugdpracademy/blog/2017/11/27/how-cybersecurity-solutions-can-help-with-gdpr-compliance/
  • Risk assessment and SOA


    When I look at the SOA, it lists all of the Appendix A controls. My question is if the identified number of category 3 and 4 risks is low, then logically there will be a high number of SOA controls that do not apply and I would need to say “NO” in the Applicability column in the SOA table.

    Answer: Your assumption is partially correct. If you have a low number of risks considered unacceptable, and that will require the implementation of security controls to be treated, then there is a great chance that for most controls in the SoA you will state them as not applicable. But you should note that controls may be required because of legal requirements (e.g., a law or contract), or because top management decided on their implementation (by considering them as "good practice").

    By the way, included in the toolkit you bought you have access to a video tutorial that can help you understand and fill the risk assessment and risk treatment templates.

    This article will provide you further explanation about risk assessment and risk treatment:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    This material will also help you regarding risk assessment and risk treatment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Risk assessment questions


    Answer: The risk assessment report presents a brief explanation about the risk assessment methodology, the identified risks and those risks evaluated as unacceptable by the organization. The risk treatment report presents a brief explanation about the risk treatment methodology, and the treatments chosen to all risks the organization considered unacceptable, as well as to those the organization decided to treat based on other reasons (e.g., because of legal requirements or because it considers the treatment as a best practice).

    Generally, the risk assessment and risk treatment reports are presented as a single document.

    The statement of applicability presents a summary of which controls are necessary, the justification for their inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A.

    These articles will provide you further explanation about Risk Assessment, Risk Treatment and SOA:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

    2 - Does ISO 27001 specify the form of scope?

    Answer: ISO 27001 does not specify the form of the scope, only the minimal information that must be considered in its definition:
    - external and internal issues related to the understanding of the organization and its context;
    - the requirements of relevant interested parties; and
    - interfaces and dependencies between the organization and other organizations.

    These articles will provide you further explanation about scope definition:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    These materials will also help you regarding scope definition:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Lead auditor and lead implementer

    Kindly describe both to me in more detail.

    Answer: Let's start with the differences:
    - ISO 27001 Lead Implementer – this certification recognizes people who have competency on the ISO 27001 implementation process.
    - ISO 27001 Lead Auditor – this certification recognizes people who have competency in auditing an ISMS against ISO 27001 requirements and want to become a certification auditor (and with this provides more confidence to an organization for being certified).

    So, the decision about which one to take will depend on your professional purposes. If you plan to work on an Information Security Management System certification process, then you should consider the Lead Implementer certification. If you plan to ensure the operation of an ISMS, then you should consider the Lead Auditor certification.

    These articles will provide you further explanation about ISO 27001 personnel certifications:
    - What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
    - Lead Auditor Course vs. Lead Implementer Course – Which one to go for? https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/

    This material will also help you regarding ISO 27001 personnel certifications:
    - ISO 27001 Lead Auditor Course preparation training [free webinar on demand] https://advisera.com/training/iso-27001-lead-auditor-course/
  • Risks and opportunities and organizational knowledge


    If you already have FMEA, you have covered the risks for the main processes. All you need to do now is to identify risks for the rest of the internal (organizational structure, culture, competence of the employees, etc.) and external (legal requirements, competition, etc.) context, and the opportunities. The easiest way to do this is to arrange a brainstorming session with the key people in the organization, make a list of risks and opportunities, and define actions to address them. All this information can be recorded in the same document, and this can be sufficient evidence that you identified the risks and opportunities and planned actions to address them.

    For more information, see: How to address risks and opportunities in ISO 9001

    2) Organizational knowledge – what documents to support this clause 7.1.6?

    This clause does not require any documented information, so you don't need to produce any additional procedures and records regarding it. Organizational knowledge is to some extent already documented through the organization's procedures and work instructions and the organization itself can decide to what level the knowledge of the organization should be documented.

    For more information, see: How to manage knowledge of the organization according to ISO 9001 https://advisera.com/9001academy/blog/2016/08/30/how-to-manage-knowledge-of-the-organization-according-to-the-iso9001/

    These materials will also help you regarding your questions:
    - Book Discover ISO 9001:2015 through practical examples https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - Free online training ISO 9001 Foundations Course https://advisera.com/training/iso-9001-foundations-course/
    - Conformio (online tool for ISO 9001) https://advisera.com/conformio/