The professional, when using third-party tools, acts as a Data Controller and must make sure that it understands the fact that it needs to respect the relevant data protection legislation. If this legislation is GDPR, the professional must understand Calendly’s Terms and Conditions and determine whether Calendly is a Data Processor or a Data Controller, by assessing its level of autonomy in establishing the scope and means of personal data processing. Once the role is established, the professional needs to sign either a Data Processing Agreement, as requested by article 28 GDPR – Processor, a joint controller agreement as requested by article 26 GDPR – Joint controllers, or a controller-to-controller data processing agreement. Also, it should establish whether consent is the best legal ground for processing, or whether other legal grounds for processing should be established, per article 6 GDPR – Lawfulness of processing.
More details here:
In the context of offices in different countries, in case you need documents defining global information security rules (applicable to all offices) and documents defining local rules (according to local legal requirements and/or relevant risks), Conformio up to this moment does not have such a feature. The Backup Policy and the Access Control Policy are possible examples.
In terms of the number of people, in case you need different people to approve the same document, this feature is not available (you can only have multiple reviewers).
In any case, you can try Conformio for free for a 14-day period and test its features to see if it can fulfill your needs.
1 - Would it be acceptable to rent a bare office where no actual work happens? Wouldn't that mean that risks at the office location are being minimized or eliminated altogether and that the security control A.11 (physical and environmental security) becomes non-applicable?
If no actual work happens in this office, it wouldn’t make sense for the auditor, so probably this alternative wouldn’t be acceptable. The address should be related to a location where any activity related to the ISMS scope happens, or where the management responsible for the scope works.
2 - How does that compare to a rented room or desk in a co-working space?
I understand that the answer may depend on the CB and/or the kind of business being audited, but some generic advice would already be helpful for us to know our options on this matter.
The same applies. If some business or management activity takes place in the location, it may be used as the address for the certification scope, but this shared scenario is more complex to protect than the rented office.
Additionally, please note that the space needs to be rented for the duration of the certification. If you change the location, this will need to be notified to the certification body, and if no activity is performed there, this may indicate that resources are not properly allocated.
To be compliant with ISO 27001, information security risks cannot be identified randomly; they need to be identified according to the defined risk assessment and treatment methodology.
These articles will provide you with further explanation about the risk assessment process:
These materials will also help you regarding risk management:
1. We have completed the GDPR Assessment (file 1.1) and most of the answers are negative since we have just started working on the GDPR as well. It's mentioned in the file itself that "If you answered, “No,” to some questions, it will indicate where you need to focus your compliance efforts."
Does this mean that we have to first work on what is missing from the GDPR, hence turn the "no's" into "yes", and then proceed with the ISO documents (Requirements, ISMS Scope etc.)? Or is there a different process we should follow?
You can work on both implementations at the same time, following the order of documents and folders as they are presented in the toolkit. The answers from the questionnaire will help you focus on the documents which cover the missing points from GDPR.
Included in the toolkit you have a List of Documents file that shows you which documents cover which requirements from both ISO 27001 and GDPR.
For example, if you identify that GDPR article 28 needs to be treated, you need to consider that when working on the Supplier Security Policy.
2. Once we finish the first draft(s) of our ISMS scope, we would like you to review it as part of the package services we have purchased together with the documentation. Is there a certain procedure we should follow? Given the fact that the Scope is the baseline for implementing ISO, we believe that it would be wise to ensure that our ISMS scope is reasonable and meets all the necessary features.
For document review, you can simply send the document through email to our support email: support@advisera.com
To ensure your organization stays compliant with ISO 27001 during this merger, you should treat the merge as an implementation project with some adjustments:
1) review the ISMS basic framework (e.g., scope, objectives, organizational structure), considering the merged organizational context and requirements of interested parties;
2) review the risk assessment and treatment methodologies, to see which elements can be merged and which ones need to be kept separate;
3) review the risk assessment and define the updated risk treatment plan;
4) adjust implemented controls when necessary (e.g., policies and procedures documentation, acquisitions, etc.), as well as implement new controls required due to the new merged context;
5) people training and awareness;
6) controls operation;
7) performance monitoring and measurement;
8) perform internal audit;
9) perform critical management review; and
10) address nonconformities, corrective actions, and opportunities for improvement.
These articles will provide you with additional information:
Yes, we have a procedure for a Post-market surveillance system. You can see its preview on the following link:
I recommend you refer to, for example, the FAO (Food and Agriculture Organization of the United Nations) Validation of Analytical Methods for Food Control, available from https://www.fao.org/. Also refer to your accreditation body's requirements for your programme.
It seems the situation refers to a laboratory that was accredited and is unable to keep accreditation for a method? In that case it is necessary to remove that activity from your scope. All accreditation bodies have policies related to statements and claims that can be made regarding accreditation, and it is the responsibility of the laboratory to comply with those requirements. The accreditation body must be informed. As ISO 17025 accreditation is an assurance to customers, it would be misleading not to inform them.
There is, however, no regulation in 17025 that states that you must inform them. Note that what is required by 17025 is to comply with the reporting requirements of clause 7.8, so the statements and disclaimers on your report would need to change.
Please note that this 'Specifying mandatory safeguards' refers to the SoA document as a whole, so it will not appear in a specific control. The user needs to read the specific requirement of interest related to this area to understand which exact control(s) is (are) required to be implemented. You can use the “Description of the requirement” to identify specific controls to be applied in the ISMS.