I received this question:
Does root cause analysis have to be performed for every corrective action? I mean, if a finding could be said to be not very serious, is it necessary to document this technique?
My answer:
The topic of corrective actions is as relevant in this new standard as in the previous version, and in fact root cause analysis remains the most important part of the corrective action process.
If you have identified that a problem is really serious, more than a simple nonconformity, then it is necessary to carry out a corrective action to prevent the problem from recurring. To do so, a systematic process is needed that ensures we do not forget anything along the way, and that process is root cause analysis. In this technique it is essential that we do not treat the problem only superficially, but carry out a more exhaustive analysis to find the true root cause.
If a problem is big enough to invest both time and resources in creating a corrective action, then it is important enough to ensure that the problem is corrected properly and stays corrected.
For more information you can read the following articles (only available in English):
- https://advisera.com/9001academy/blog/2013/10/27/seven-steps-corrective-preventive-actions-support-continual-improvement/
- https://advisera.com/9001academy/blog/2016/09/20/how-to-proceed-once-qms-corrective-action-is-defined/
In addition, the following resources may be useful for implementing the ISO 9001:2015 standard:
- Book "Preparación para el proyecto de implementación: Una guía en un lenguaje sencillo" (Preparing for the implementation project: a plain-language guide): https://advisera.com/books/preparacion-para-el-proyecto-de-implementacion-iso-una-guia-en-un-lenguaje-sencillo/
- Free online course: ISO 9001 Foundations Course https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
- Conformio (online tool for ISO 9001): https://advisera.com/conformio/
CROSS BORDER PERSONAL DATA TRANSFER PROCEDURE
Answer:
Most likely it is a typo; the document is meant to be a procedure. The document is more focused than a policy and goes more in depth as regards cross border data transfers.
Company data vs. personal data
Answer:
Indeed, if you only deal with company data this would be out of the scope of the EU GDPR. However, consider that the EU GDPR will be applicable to your processing activities concerning your own employees, for which you are a data controller.
So, even if your main business activities deal exclusively with B2B customers, there might be some other processing activities that are subject to the EU GDPR.
Answer: The documents you bought do not include the Risk Assessment and Risk Treatment Methodology, the process you have to define to guide you on performing the risk assessment and risk treatment.
The question was whether the auditor must check if the controls are applied by collecting evidence, like making sure that the backup is done and the process is working, rather than just asking how it's done or just reviewing the process / procedure document. Or looking for AV logs, alerts, and evidence of how the alerts are handled, rather than just checking that the system has an AV and there is a process for monitoring and handling the alerts. Basically, checking the effectiveness of the applied controls by checking evidence and gathering samples. Also, whether there are any ISO relevant documents that talk about this topic.
Answer: The collection of evidence that confirms that the controls are being applied and working properly and according to what was planned is the core of an audit, so the auditor must complement the evaluation of policies and procedures and interviews with personnel with verification of samples of records defined by each process.
Regarding related ISO standards, I suggest you to take a look at ISO 19011, the ISO standard about performing management systems audits. You can find this standard at this link: https://www.iso.org/standard/50675.html
In terms of security measures, you should apply all necessary security measures to protect the personal data, considering the fact that you are processing health-related data, which is considered a special category of data, and a good starting point is the use of ISO 27001 as best practice. Our EU GDPR Toolkit has a folder containing a collection of security policies that would come in handy as well.
Don't forget about setting up a data breach management process, because you would need to notify the controllers in case of a data breach.
There is no general requirement for any kind of certification to conduct Internal Quality Audit training in-house. The only valid requirements are the ones demanded by your particular client of your training. Normally training clients require evidence of training as auditor, not necessarily IRCA certification, and evidence of experience. In some countries they also require a professional trainer certificate.
The following materials will provide you with details about training internal auditors:
Answer: The proper approach to be considered should take into account your internal expertise, available resources and time to become certified. The following material will help you identify the proper approach to your organization: 3 strategic options to implement any ISO standard https://advisera.com/blog/2016/04/11/3-strategic-options-to-implement-any-iso-standard/
Regarding the adoption of our toolkits, included in the price you can send documents for us to review for no additional cost (the quantity of documents you can send will depend on the type of the toolkit you buy). For an overview of our toolkit, please access this link: https://advisera.com/27001academy/product-tour/
For training and awareness, our site provides blog posts, papers and other content free of charge.
2. What are the recommended trainings for staff when implementing 27001? What are the costs of such training and are they available online considering that we are based in Nigeria?
Answer: For staff implementing ISO 27001 you should consider at least an ISO 27001 interpretation course. For other personnel you should consider trainings about backup, access control, antivirus, etc. For more information, please consult the following material:
- 8 Security Practices to Use in Your Employee Training and Awareness Program https://advisera.com/27001academy/blog/2015/03/02/8-security-practices-to-use-in-your-employee-training-and-awareness-program/
- How to perform training & awareness for ISO 27001 and ISO 22301
Regarding costs, you should consult training providers to identify costs. About Advisera's courses, they are free of charge to attend (you only have to pay for the certificate). To see courses provided by Advisera, please access this link: https://advisera.com/training/
GDPR: Right to be forgotten and backups
What is your take and solution to this problem? What formulations could I include in our GDPR policies, and in which documents (policies, notices, schedules etc) in the toolkit should I include formulations in order to be compliant?
You must comply with an erasure request where:
- the data subject has objected to the processing and (other than in relation to objections to direct marketing) there are no overriding legitimate interests to justify that processing;
- the personal data is no longer needed for the purpose for which it was collected or processed;
- the individual withdraws consent and there are no other grounds for the processing;
- the personal data is unlawfully processed;
- there is a legal obligation under Union or Member State law to erase the personal data; or
- personal data was processed in connection with an online service offered to a child.
You do not need to comply if the processing is:
- necessary for rights of freedom of expression or information;
- for compliance with a legal obligation under Union or Member State law;
- in the public interest or carried out by an official authority;
- for public interest in the area of public health;
- for archiving or research; or
- for legal claims.
So before considering erasing the data, you should perform an assessment based on the information provided above.
However, if you find yourself in the situation where the erasure request is valid, you need to comply with it, or prove that you did your best to comply, regardless of whether the data is stored locally or elsewhere.