Search results


  • Documents review criteria


    Answer: ISO 27001 does not prescribe which criteria to use to define conditions for document review, so you can use only the review "if necessary" conditions. However, it is a good practice to define a time frame, so you can ensure that documents are reviewed before events that have a time frame defined (e.g., you have to define a time frame for the management review, and this review has inputs that can lead to the need for documentation review).

    This material will also help you regarding document management:
    - Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
  • Security policy


    Answer:

    The requirement you refer to is meant to be complied with by the data processor that is processing personal data on your behalf, so any of your processors would need to have at least a security policy in place to protect personal data. Of course, a supplier can have a whole security framework in place with a multitude of documents.

    As for your own security setup, you can find a couple of security-related policies in folder 8 of our EU GDPR implementation toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/, from which you can choose which is most relevant in terms of your business activities. I can also warmly recommend ISO 27001 as a good example of a security framework.

    You can find out more about ISO 27001 and the EU GDPR in our article “Does ISO 27001 implementation satisfy EU GDPR requirements?” here: https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/
  • Legal grounds


    Answer:

    There are six legal grounds for processing, which can be found in article 7 of the EU GDPR (https://advisera.com/eugdpracademy/gdpr/lawfulness-of-processing/). These six legal grounds are:
    - Consent - The individual has given consent to the processing for one or more specific purposes;
    - Necessary for performance of a contract - The processing is necessary for the performance of a contract with the individual or in order to take steps at the request of the individual prior to entering into a contract;
    - Legal obligation - The processing is necessary for compliance with a legal obligation to which the controller is subject. Only legal obligations under Union or Member State law will satisfy this condition. However, that law need not be statutory (e.g. common law obligations are sufficient);
    - Vital interests - The processing is necessary in order to protect the vital interests of the individual or of another natural person. This is typically limited to processing needed for medical emergencies;
    - Public functions (public interest) - The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Those functions must arise under Member State or EU law; or
    - Legitimate interests - The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Public authorities cannot rely on this condition.

    You can also check out our article “Is Consent needed? Six Legal Basis to Process Data According to GDPR” on https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/
  • Internal audit findings


    Answer:
    ISO 20000 contains many required records, documents or other information, so it's hard to generalize. In, e.g., the Incident Management or Change Management processes, you will look for tickets related to incidents, i.e. changes. Same for Problem Management. Availability or Capacity Management will require measurements, so you'll look for measurement files.
    Further on, Configuration Management requires a CMDB. So, you need to check whether it exists, in which form, whether it fulfills the standard's requirements, etc. CIs need to have recorded incidents and changes, so these are all items you need to check.

    Also, see these articles to learn more:
    "ISO 20000 internal audit – What is it and why is it important?" https://advisera.com/20000academy/blog/2016/06/07/iso-20000-internal-audit-what-is-it-and-why-is-it-important/
    "What is the purpose of the internal audit report in ISO 20000?" https://advisera.com/20000academy/blog/2017/03/07/what-is-the-purpose-of-the-internal-audit-report-in-iso-20000/
  • Clause 7.4 of ISO 22301

    Question: I have been working with the documentation you sent me, above all the BIA, but now I need to address the topic of communication, clause 7.4 of the standard. Do you have documents for this point? I have not been able to identify it in the document pack.

    Answer: You can cover all communication-related matters with the Incident Response Plan, the Business Continuity Plan, and the Recovery Plan. So, basically, we do not have a specific document for clause 7.4 of ISO 22301, but you can use the documents I mentioned to meet the requirements of this clause.
  • Implementation of knowledge management?


    Answer:

    You should determine the knowledge that your organization needs to operate its processes and make products and services according to requirements.
    You should maintain this knowledge and make it available as needed, for example, when new people are contracted.
    Consider your current knowledge when making changes, and determine how you will gain additional or updated knowledge if necessary for the changing needs.

    The following material will provide you information about knowledge management:

    ISO 9001 – How to manage knowledge of the organization according to ISO 9001 - https://advisera.com/9001academy/blog/2016/08/30/how-to-manage-knowledge-of-the-organization-according-to-the-iso9001/
    free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Implementation of risk management


    Answer:

    There are no mandatory documents required by ISO 9001:2015 to evidence implementation of Risk Management.

    So, you are free to decide how to perform and evidence Risk Management. Normally, organizations create a non-mandatory procedure for addressing risks and opportunities, and generate a Risk Registry to keep an updated list of the determined risks and opportunities, their evaluation according to the need for action, the actions performed, and the evaluation of their effectiveness.

    The following material will provide you information about the risk-based approach:

    ISO 9001 – How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    Risk-based thinking replacing preventive action in ISO 9001:2015 – The benefits - https://advisera.com/9001academy/knowledgebase/risk-based-thinking-replacing-preventive-action-in-iso-90012015-the-benefits/
    List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
    ISO 9001:2015 Risk Management Toolkit - https://advisera.com/9001academy/iso-90012015-risk-management-toolkit/
    free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Management system scope change


    Answer:

    Will the acquired company be merged with your organization with the same brand(s) and logo? If yes, your organization is changing the scope of the management system with a new geography/site. In that case your company should contact the Certification Body to inform them about the change.

    The following material will provide you information about the management scope:

    ISO 9001 – How to define the scope of the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
    free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • How do I get consultancy work?

    Thanks. All very good advice and I will follow it up.
  • EU GDPR for the banking sector


    Answer:

    There is no specific DSGVO (EU GDPR) for the banking sector alone; the GDPR is meant to be applicable across industries as long as personal data is being processed. The same is applicable for software development.

    Generally when you are developing a software banking solution this solution would have to be compliant with the “privacy by design” and “privacy by default” principles as provided by article 25 of the EU GDPR (https://advisera.com/eugdpracademy/gdpr/data-protection-by-design-and-by-default/).

    In terms of security measures, article 32 of the EU GDPR provides some security measures you should be considering (https://advisera.com/eugdpracademy/gdpr/security-of-processing/), but these are high-level measures, so companies are free to take whatever security measures they see fit. You can always use ISO 27001 as a good starting point for your security requirements. For more insight on ISO 27001 and EU GDPR you can check our article “How does 27001 implementation satisfy EU GDPR requirements” at: https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/

    Another thing you should consider, if your software is front-facing to the data subjects, is the notices you would have to present to the data subjects. Guidance on the notices can be found in folder 2 “Personal data policy framework” in our EU GDPR toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/

    Don't forget also local banking-sector-specific requirements that might be applicable for banking software, especially in terms of security.