Search results


  • EU GDPR for the banking sector


    Answer:

    There is no specific DSGVO (EU GDPR) for the banking sector alone; the GDPR is meant to be applicable across industries as long as personal data is being processed. The same is applicable for software development.

    Generally when you are developing a software banking solution this solution would have to be compliant with the “privacy by design” and “privacy by default” principles as provided by article 25 of the EU GDPR (https://advisera.com/eugdpracademy/gdpr/data-protection-by-design-and-by-default/).

    In terms of security measures, article 32 of the EU GDPR provides some security measures you should be considering (https://advisera.com/eugdpracademy/gdpr/security-of-processing/), but these are high-level measures, so companies are free to take whatever security measures they see fit. You can always use ISO 27001 as a good starting point for your security requirements. For more insight on ISO 27001 and EU GDPR you can check our article “How does 27001 implementation satisfy EU GDPR requirements” at: https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/

    Another thing you should consider, if your software is front-facing to the data subjects, is the notices you would have to present to the data subjects. Guidance on the notices can be found in folder 2 “Personal data policy framework” in our EU GDPR toolkit: https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/

    Don't forget also local banking sector specific requirements that might be applicable for banking software, especially in terms of security.
  • Risk assessment and BIA


    A risk assessment was done for our company recently. The follow-through from here is unclear.

    Also, how to calculate the Risk rating for the critical services?

    Answer: The information from the risk assessment can be used to prioritize which activities to focus on first in your BIA, by indicating which business processes are under greater risk, saving time and effort to perform the initial BIA.

    For rating critical services considering the results of a risk assessment, you can consider the value of the risks, or the number of risks, associated with a specific service. For example, you can have a service with two high risks associated with it and another with ten medium risks associated with it. Considering your context, in terms of risks maybe the second service is more critical.

    This article will provide you further explanation about risk assessment and BIA:
    - Risk assessment vs. business impact analysis https://advisera.com/27001academy/knowledgebase/risk-assessment-vs-business-impact-analysis/
  • BCP and DRP tests
  • AS9100D Operational Risk Management


    Response:
    With AS9100 Rev D the requirements of clause 8.1.1 are identical to the requirements of AS9100 Rev C clause 7.1.2. The only difference is that the clause has been changed from being about "risk management" to being about "operational risk management". The reason for this is to separate it from the new requirement (from ISO 9001:2015), clause 6.1, on actions to address risks and opportunities. This new clause deals with identifying and addressing the risks for the QMS (not necessarily risk management, but risk assessment), whereas the requirement you ask about is risk management for the operational processes of the organisation only (for example, what risks are there in the product design, the tight delivery schedule, the assembly process, etc.). In truth, this has not changed from before.

    So in short, if the process you had in place before was acceptable, then it should remain acceptable now. The only difference in thinking is that now all of operations applies to products and services, so if there is a service you provide the customer (such as turning the customer drawing into computer files for your machines) then the risks from these services need to also be included in the operational risk management.

    If you need to know more about the operational risk management process see this article: https://advisera.com/9100academy/blog/2017/05/15/5-key-elements-of-risk-management-in-as9100-rev-d/
  • Improving an information security program


    Answer: Considering that your audit was based on ISO 27001, the first thing you should do is consider the results of your audit against the results of your risk assessment (if you did not perform a risk assessment, this is a good moment to do that). By doing that you can identify and prioritize which controls to work on first based on the quantity or relevance of the risks affected by them.

    Once you have identified which controls to treat first, you should:
    - define objectives to be achieved (based on already existing goals or on newly defined goals);
    - analyse the situation of each control, to identify what should be done (eliminate root causes for the problems, or implement potential improvements);
    - define action plans to establish resources, deadlines and the person responsible for each action that will be implemented.

    This article will provide you further explanation about implementing improvements:
    - Practical use of corrective actions for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2013/12/09/practical-use-of-corrective-actions-for-iso-27001-and-iso-22301/

    These materials will also help you regarding implementing improvements:
    - Preparations for the ISO Implementation Project: A Plain English Guide https://advisera.com/books/preparations-for-the-iso-implementation-project-a-plain-english-guide/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Risk registry


    Answer:

    There is no requirement from ISO 9001:2015 to keep documented information about risks. So, you are quite free about how to do it, if you want to do it. For example, you can keep a risk registry for quality and for process objectives. In columns, for each objective, you list the determined risks, you classify each risk, you decide what action will be taken and you define the date of evaluation of its effectiveness. If you do this on your computer you can add new risks whenever you decide to and you can update your classification and actions.

    The following material will provide you information about the risk-based approach:

    ISO 9001 – How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    Risk-based thinking replacing preventive action in ISO 9001:2015 – The benefits - https://advisera.com/9001academy/knowledgebase/risk-based-thinking-replacing-preventive-action-in-iso-90012015-the-benefits/
    ISO 9001:2015 Risk Management Toolkit - https://advisera.com/9001academy/iso-90012015-risk-management-toolkit/
    free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Updating NCRs in the OASIS database

    NCR Details Status: Auditor assigned to Supplier Representative for follow-up.
    NCR #: 7 and 6 others that I am not sure how to answer

    The answer:
    For the OASIS database each company needs to be assigned a login and password in order to access the database, and this will need to be set up by your certification body. It is best to follow up with the certification body auditors, because it may be that the responses only need to go to them and not be submitted by you to the OASIS database itself. The auditors will be able to guide you on how to respond, either to them or to the OASIS database. Best of luck with your NCR responses.
  • Issues or risks


    Answer:

    Internal and external issues are factors and conditions that can have an effect on an organization’s approach to its products, services and investments and interested parties. For example, demography (an external issue) or defects level (an internal issue) act like inputs that influence top management decisions like setting a particular objective.

    That particular objective is an expected result. Risks are the effects of uncertainty on an expected result. What can block us from attaining a particular expected result?

    The following material will provide you information about internal and external issues and risks and opportunities:

    ISO 9001 – How to identify the context of the organization in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
    ISO 9001 - How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Who verifies the implementation of controls?


    Answer: It is primarily part of the management of the company to make sure that everyone knows how to handle mobile devices, and of course it is the internal and external auditor's job to check if this is really true.

    Regarding the word "policy" - besides a written document, it can also be in a verbal form, or a policy can be a part of an IT policy embedded in some software. Therefore you are right: only when the standard says "shall be documented" does the document need to be written. See also: Explanation of the basic terminology in ISO standards https://advisera.com/27001academy/blog/2015/01/12/explanation-of-the-basic-terminology-in-iso-standards/