Search results


  • Performing audits


    The question was if the auditor must check if the controls are applied by collecting evidence like making sure that the backup is done and the process is working rather than just asking how it’s done or just reviewing the process / procedure document. Or looking for AV logs, alerts, and evidence of how the alerts are handled rather than just checking the system has an AV and there is a process for monitoring and handling the alerts. Basically checking the effectiveness of the applied controls by checking evidence and gathering samples. Also if there are any ISO relevant documents that talks about this topic.

    Answer: The collection of evidence that confirms that the controls are being applied and working properly and according to what was planned is the core of an audit, so the auditor must complement its evaluation of policies and procedures and interviews with personnel with verification of samples of records defined by each process.

    Regarding related ISO standards, I suggest you to take a look at ISO 19011, the ISO standard about performing management systems audits. You can find this standard at this link: https://www.iso.org/standard/50675.html

    These articles will provide you further explanation about audits:
    - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
    - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

    These materials will also help you regarding audits:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
  • EU GDPR obligations


    Answer:

    My understanding from your question is that you are a processor and your healthcare customer are the controllers.

    Under the EU GDPR the processors have the following obligations:

    1. To appoint a representative if based outside of the Union - art. 27 (https://advisera.com/eugdpracademy/gdpr/representatives-of-controllers-or-processors-not-established-in-the-union/ );
    2. To ensure certain minimum provisions in contracts with controllers – art. 28(3) https://advisera.com/eugdpracademy/gdpr/processor/ ;
    3. Not appoint sub-processors without specific or general authorization of the controller and to ensure there is a contract with the sub-processor containing certain minimum provisions - art. 28(2) & (4) https://advisera.com/eugdpracademy/gdpr/processor/ ;
    4. Only to process personal data on the instructions of the controller unless required to process for other purposes by Union or Member State law (but not foreign law, such as US law) – art. 29 https://advisera.com/eugdpracademy/gdpr/processing-under-the-authority-of-the-controller-or-processor/ ;
    5. To keep a record of processing carried out on behalf of a controller – art.30 https://advisera.com/eugdpracademy/gdpr/records-of-processing-activities/
    6. To co-operate with the supervisory authorities – art. 31 https://advisera.com/eugdpracademy/gdpr/cooperation-with-the-supervisory-authority/ ;
    7. To implement appropriate security measures – art. 32 https://advisera.com/eugdpracademy/gdpr/security-of-processing/ ;
    8. To notify the controller of any personal data breach without undue delay – art.33 (2) https://advisera.com/eugdpracademy/gdpr/notification-of-a-personal-data-breach-to-the-supervisory-authority/ ;
    9. To comply with the rules on transfers of personal data outside of the Union – art. 44 https://advisera.com/eugdpracademy/gdpr/general-principle-for-transfers/
    10. All of these requirements as well as technical and organizational measures can be found in our EU GDPR Toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/

    In terms of security measures you should apply all necessary security measures to protect the personal data considering the fact that you are processing health related data which is considered special category of data, and a good starting point is the use of ISO27001 as best practice. Our EU GDPR Toolkit has a folder containing a collection of security policies that would come in handy as well.

    Don't forget about setting up a data breach management process because you would need to notify the controllers in case of a data breach.

    You might find these materials helpful for your EU GDPR implementation tasks:
    - Article: “Does ISO 27001 implementation satisfy EU GDPR requirements?” https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/;
    - Article: “EU GDPR controller vs. processor – What are the differences?” https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
  • Certification of internal auditors


    Answer:

    There is no general requirement for any kind of certification to conduct Internal Quality Audit training in-house. The only valid requirements are the ones demanded by your particular client of your training. Normally training clients require evidence of training as auditor, not necessarily IRCA certification, and evidence of experience. In some countries they also require a professional trainer certificate.

    The following materials will provide you details about training internal auditors:

    - Article - ISO 9001 internal auditor training: Is it for me? - https://advisera.com/9001academy/blog/2015/06/02/iso-9001-internal-auditor-training-is-it-for-me/

    - [free course] ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
  • Certification process


    Answer: The proper approach to be considered should take into account your internal expertise, available resources and time to become certified. The following material will help you identify the proper approach to your organization: 3 strategic options to implement any ISO standard https://advisera.com/blog/2016/04/11/3-strategic-options-to-implement-any-iso-standard/

    Regarding the adoption of our toolkits, included in the price you can send documents for us to review for no additional cost (the quantity of documents you can send will depend on the type of the toolkit you buy). For an overview of our toolkit, please access this link: https://advisera.com/27001academy/product-tour/

    For training and awareness, our site provides blog posts, papers and other content free of charge.

    To have a better idea about the costs of implementation, please read this paper: How to Budget an ISO 27001 Implementation Project https://info.advisera.com/27001academy/free-download/how-to-budget-an-iso-27001-implementation-project

    2. What are the recommended trainings for staff when implementing 27001? What are the costs of such training and are they available online considering that we are based in Nigeria?

    Answer: For staff implementing ISO 27001 you should consider at least an ISO 27001 interpretation course. For other personnel you should consider trainings about backup, access control, anti virus, etc. For more information, please consult the following material:
    - 8 Security Practices to Use in Your Employee Training and Awareness Program https://advisera.com/27001academy/blog/2015/03/02/8-security-practices-to-use-in-your-employee-training-and-awareness-program/
    - How to perform training & awareness for ISO 27001 and ISO 22301

    Regarding costs, you should consult training providers to identify costs. About Advisera's courses, they are free of charge to attend (you only have to pay for the certificate). To see courses provided by Advisera, please access this link: https://advisera.com/training/
  • GDPR: Right to be forgotten and backups


    What is your take and solution to this problem? What formulations could I include in our GDPR policies, and in which documents (policies, notices, schedules etc) in the toolkit should I include formulations in order to be compliant?

    Answer:

    Let's begin with some considerations about the right to be forgotten as set up in EU GDPR “article 17 Right to erasure (‘right to be forgotten’)” https://advisera.com/eugdpracademy/gdpr/right-to-erasure-right-to-be-forgotten/

    You must comply with an erasure request where:
    - the data subject has objected to the processing and (other than in relation to objections to direct marketing) there are no overriding legitimate interests to justify that processing;
    - the personal data is no longer needed for the purpose for which it was collected or processed;
    - the individual withdraws consent and there are no other grounds for the processing;
    - the personal data is unlawfully processed;
    - there is a legal obligation under Union or Member State law to erase the personal data; or
    - personal data was processed in connection with an online service offered to a child.

    You do not need to comply if the processing is:
    - necessary for rights of freedom of expression or information;
    - for compliance with a legal obligation under Union or Member State law;
    - in the public interest or carried out by an official authority;
    - for public interest in the area of public health;
    - for archiving or research; or
    - for legal claims.

    So before considering erasing the data, you should perform an assessment based on the information provided above.

    However, if you find yourself in the situation where the erasure request is valid you need to comply with it or prove that you did your best to comply regardless if the data is stored locally or elsewhere.

    You can learn more about data subject rights by going through our article “8 data subject rights according to GDPR” https://advisera.com/eugdpracademy/knowledgebase/8-data-subject-rights-according-to-gdpr/
  • Certifications of a cloud provider


    Answer: Generally I would say yes, because most of the cloud providers I know have a secure IT infrastructure, although I recommend that you look for providers that comply with standards such as ISO 27017, which is for cloud services, or ISO 27018, which is for the protection of privacy in the cloud. It is also important to consider certifications such as CSA, CCM, or even ISO 27001 or ISO 20000. Therefore, I recommend services that are managed by providers with these standards, because they can give you assurance or confidence that your information is safe in the cloud. You may find this article interesting: “ISO 27001 vs. ISO 27017 - Information security controls for cloud services”: https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/

    And also this other one: “ISO 27001 vs. ISO 27018 - Standard for protecting privacy in the cloud”: https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/
  • Privacy Statement


    Answer:

    As required by EU GDPR article 13 “Information to be provided where personal data are collected from the data subject” (https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-are-collected-from-the-data-subject/) you need to provide the data subject with the “Identity and the contact details of the controller” regardless of whether the controller is an individual or a legal entity. As for a controller which is owned by a holding company, you just need to specify the details of the controller.

    Regarding your next query, if you are not collecting or processing personal data there is no requirement in the EU GDPR that you provide such information.

    You might find our webinar on “Privacy Notices Under the EU GDPR” (https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/) useful for your tasks ahead.
  • Training manuals and QMS documents


    Answer:

    Those training manuals are useful now because of the implementation of a new database. Will they still be useful in the future to train and integrate new workers? If the answer is no, the training manuals will be of short-term usefulness and I would not include them in the QMS documents. If the answer is yes, I start to see them as a kind of work instructions to be used in the future by whoever has doubts about the database operation, and in that case I would include them as QMS documents.

    The following materials will provide you details about work instructions:

    - Article - How to structure work instructions in the ISO 9001 QMS - https://advisera.com/9001academy/blog/2015/06/16/how-to-structure-work-instructions-in-the-iso-9001-qms/

    - [free course] ISO 9001:2015 Foundations Course - https://training.advisera.com/course/iso-90012015-foundations-course/

    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Starting with the documentation


    Answer:

    You can always start by filling in the EU GDPR Readiness Assessment Questionnaire, which will give you an overview of your current compliance status. The EU GDPR Readiness Assessment Questionnaire can be found in folder 1 of the EU GDPR Toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ Alternatively, you can use our EU GDPR Readiness Assessment Tool, which you can find at https://advisera.com/eugdpracademy/eu-gdpr-readiness-assessment-tool/

    After performing the Assessment and setting up your project plan and project team you can start working through the documents in the order in which they are presented in the Toolkit. Make sure that you also consult the “List_of_documents_EU_GDPR_Documentation_Toolkit” so you can see which are the mandatory documents that you need to have (although we encourage our customers to consider all documents and not only the mandatory ones).

    There are also several materials available on the Advisera website that you might find useful in your future tasks:
    - Article: “9 steps for implementing GDPR” (https://advisera.com/articles/9-steps-for-implementing-gdpr/);
    - Webinar: “How to use a Documentation Toolkit for the implementation of EU GDPR” (https://advisera.com/eugdpracademy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-eu-gdpr-free-webinar-on-demand/)
  • Division of tasks


    Notwithstanding the workload, do you think this is feasible or are there any potential conflicts of interest here?

    Answer: A single person managing such a scope (considering the different systems, number of personnel and multiple offices) may compromise the systems' effectiveness, because not only the common aspects of the systems (e.g., control of documents, internal audit, processes and controls monitoring, etc.), but also the specific activities required by each system (risk assessment, business impact analysis, and processes monitoring), and the support required by employees, can easily overload a single person's time and capacity.

    You should consider at least another person to assume part of the tasks.