  • No Quality Manual?


    Answer:

    First, there is no mandatory requirement to keep documented information about clause 4.2. That means, organizations are free to decide how to handle that clause. An organization can decide to answer clause 4.2 in a top management meeting record for example.

    Second, although the Quality Manual is no longer a mandatory document under ISO 9001:2015, that doesn’t mean that an organization shouldn’t keep a document, called Quality Manual, or Organization ID Card, or by any other name, gathering important information about the organization such as: who we are, what we do, to whom and with whom we work, what we believe in, and how we do it.

    The following material will provide you information about ISO 9001:2015 and the Quality Manual:
    ISO 9001 – The future of the Quality Manual in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/the-future-of-the-quality-manual-in-iso-90012015/
    free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
  • SaaS providers and EU GDPR


    Answer:

    Regarding big SaaS suppliers such as the ones you mentioned, all of them have either Privacy Policies or Terms and Conditions that you most likely agreed to when purchasing the services. These documents regulate the processing activities between you and the suppliers.

    These documents will be updated for sure to meet the requirements of the EU GDPR at least when talking about suppliers like Microsoft.

    Nevertheless, the obligations placed on processors such as the ones mentioned in article 28 of the EU GDPR (a processor must not appoint a sub-processor without the prior written consent of the controller, processors must implement appropriate technical and organisational security measures to protect personal data, etc.) would still be applicable even if they are not mentioned in a contract or any other legally binding document.

    If they don’t comply with the above-mentioned obligations they would be facing fines from the competent Supervisory Authorities. You could also bring them to court if they failed to fulfill their legal obligations regarding EU GDPR compliance and you suffered a loss as a result.

    Moving to the small SaaS providers, these, regardless of their size, should be compliant with the EU GDPR (assuming the GDPR applies to them based on art. 3 of the EU GDPR). For these suppliers you would need to have a signed Data Processing Agreement (DPA). The Supplier Data Processing Agreement can be found under folder 7 of the EU GDPR Documentation Toolkit.

    Depending on the types and categories of personal data processed by one of these suppliers a Due Diligence process might be necessary. For the Due Diligence process the Processor GDPR Compliance Questionnaire, which can be found under folder 7 of the EU GDPR Documentation Toolkit, can be used.
  • Processing of publicly available personal data


    Answer:

    Regarding the processing of publicly available personal data you would have to consider the fact that processing needs to be in line with the scope for which that data was made publicly available by the data subject.

    For example, you could get email addresses from LinkedIn and it would be fine to use those to contact the data subjects for recruitment purposes or to build up a CV database using the information from LinkedIn if you are a recruiting company.

    However, if the email addresses were to be used for marketing purposes this processing will most likely be unlawful unless you obtain the consent of the data subjects.

    You could also check out this case law in Italy which you might find useful - https://europrivacy.info/2016/10/31/italiano-dati-personali-resi-manifestamente-pubblici-dallinteressato-e-uso-di-dati-pubblicati-su-social-network-prime-osservazioni-allart-9-co-2-lett-e-gdp/

    The issue regarding Whois is still under debate but most likely changes would follow such as granting access to the information on domain holders only for law enforcement agencies.
  • Interested parties


    Answer: The way employees' families should be considered will depend upon how they can impact, or be impacted by, the organization's information security needs (you can determine that by identifying the organizational context as required by ISO 27001 clauses 4.1 and 4.2). Some examples may be:
    - a family member using an employee's device (e.g., notebook, tablet, etc.) connected to the organization's systems, who may accidentally disclose sensitive information or install malware
    - a family member may be held hostage to force an employee to reveal the organization's sensitive information

    In both cases the organization may identify a real risk that should be mitigated and consider the implementation of proper controls.

    These articles will provide you further explanation about context and interested parties identification:
    - How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301/
    - How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

    These materials will also help you regarding context and interested parties identification:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Firewall use requirements


    Answer: I'm assuming that by the terms "Open source" and "License" you mean a firewall that is free of charge or paid.

    Considering that, ISO 27001 is not prescriptive about how a firewall, or any other control, should be implemented, so organizations have the freedom to choose the implementation that best fits their needs, provided that the solution is used in accordance with the license terms associated with it (even an open source firewall may have license terms that must be followed).

    This article will provide you further explanation about using firewalls:
    - How to use firewalls in ISO 27001 and ISO 27002 implementation https://advisera.com/27001academy/blog/2015/05/25/how-to-use-firewalls-in-iso-27001-and-iso-27002-implementation/

    This material will also help you regarding the use of firewalls:
    - ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
  • Risk based thinking and audits


    Answer:

    I don’t advise a change in audit procedures. I advise continuing to audit each department against the requirements of all the applicable clauses and internal documentation. During the audit, you can check if important risks, based on actual performance, have been determined and acted upon. Risk-based thinking is another way of promoting preventive actions in organizations.

    The following material will provide you information about risk based thinking:

    ISO 9001 – Risk-based thinking replacing preventive action in ISO 9001:2015 – The benefits - https://advisera.com/9001academy/knowledgebase/risk-based-thinking-replacing-preventive-action-in-iso-90012015-the-benefits/
    How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    Free webinar – How to implement risk management in ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar/
    free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Applicability of EU GDPR

    EU GDPR is applicable to the company I work for (in the UK - a subsidiary of the American organisation) as we store and process personally identifiable data for our staff, and EU GDPR will be applicable to the American Organisation's located in Germany and Italy.
    As we are owned by an American Company, I am assuming that the American Company will need to be EU GDPR compliant as it owns companies operating in the UK, Germany and Italy? Our company is a B2B company and sells products and services to other businesses, but stores personally identifiable data on behalf of its staff that work for it.
    Is EU GDPR applicable at the Corporate level?
    If there was a breach at one of the companies operating in the EU, is the fine applicable to the Corporate annual turnover or the company that has breached?
    Finally, if one of the companies is storing personally identifiable staff data on a Corporate database where the data is stored in the US - I'm guessing that Corporate will have to be EU GDPR compliant as the data is stored outside the EU?

    Answer:

    The EU GDPR will be applicable to all companies established in the EU/EEA regardless where their parent companies are established. So any companies established in the EU/EEA will have to comply with the EU GDPR.

    Regarding the EU parent Company, it is not necessary to be compliant with the EU GDPR just because of the mere fact that it owns subsidiaries in the EU/EEA.

    GDPR would be applicable if the US based parent Company were acting as a controller that offers goods and services to, or monitors, individuals in the EU/EEA. Depending on the actual processing activities carried out by the US based parent Company the EU GDPR may or may not be applicable; an exact answer can be offered after a more in-depth analysis of the relations between the US based parent Company and its EU/EEA subsidiaries.

    If one of the subsidiaries within the EU/EEA were to suffer a data breach that might result in a fine, the worst case scenario means that the amount of the fine would be established based on the annual turnover of the “undertakings”, which are defined by reference to the competition law definition in Articles 101 and 102 of the Treaty on the Functioning of the European Union (TFEU). The TFEU sees undertakings as economic units, so this potentially includes group companies. In other words it is possible, at least in theory, for the global turnover of a group of companies to be considered when establishing the fine.

    If the US based parent Company would just be storing personal data of EU/EEA employees and acts as a processor on behalf of the EU/EEA based subsidiaries, then the parent Company would have to provide appropriate safeguards for cross border transfers of personal data which could be for example: adherence to Privacy Shield or using “Model Contracts for the transfer of personal data to third countries” (Model Contracts).

    The EU GDPR implementation Toolkit provides guidance on how to use the Model Contracts as safeguards for cross border transfers of personal data; see the details here: https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/
  • Revision Control of AS9100 Quality Manual


    My Answer: The revision of a document is maintained with that document, so in your case your quality manual should go from Rev K to Rev L. This is not dependent on any outside information or documents that cause the change, so it is not relevant that AS9100 has changed to Rev D. The only reason you would create a Rev A document is if you deleted the current quality manual document and started with a new document number for your AS9100 Rev D quality manual. If you do this you may lose the link to the previous manual though, so it is not recommended.

    If you want to know more see this blog article on configuration management: https://advisera.com/9100academy/blog/2017/05/08/understanding-configuration-management-in-as9100-rev-d/
  • Risk assessment on IaaS


    Answer: The general approach will be the same, the main difference being that during risk analysis you will have to consider situations that are specifically related to an IaaS environment (e.g., geographic location of the provider, performance monitoring, tenant segregation, etc.). To support your risk treatment I suggest you take a look at ISO 27017, which offers recommendations and guidelines for the implementation of ISO 27001 controls considering cloud environments.

    These articles will provide you further explanation about ISO 27017 and cloud aspects to be considered:
    - ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
    - How to use ISO 27017 to manage legal risks related to geographical location https://advisera.com/27001academy/blog/2016/09/19/how-to-use-iso27017-to-manage-legal-risks-related-to-geographical-location/
    - Resolving cloud security concerns by defining clear responsibilities according to ISO 27017 https://advisera.com/27001academy/blog/2016/08/23/resolving-cloud-security-concerns-by-defining-clear-responsibilities-according-to-iso-27017/
    - Network segregation in cloud environments according to ISO 27017 https://advisera.com/27001academy/blog/2016/09/26/network-segregation-in-cloud-environments-according-to-iso-27017/