Search results


  • ISO 27001 external audit for rest of employees

    In interviews with employees, the certification auditor will check whether people are familiar with the documentation and use it while performing daily activities, i.e., check that the ISMS is working in the company.

    Considering that, the auditor will ask questions about their degree of knowledge of, at least, the most important documents that apply to them: Information Security Policy, confidentiality clauses, acceptable use of assets, Access Control Policy, etc.

    Examples of possible questions are:

    • “Do you have access to the internal rules of the organization in relation to information security?”
    • “Can you show me some of the related policies?”
    • “Could you tell me which points you consider most important in the policy?”

    Please note that when you say “the rest of *** employees (the ones who are not currently set up to be members of the ISMS in Conformio).”, for certification purposes you need to consider only those employees that are part of the ISMS scope (the auditor will not interview people outside the ISMS scope).

  • ISO 27001 toolkit

    Customers who bought the toolkit within the twelve months before the release of the new ISO 27001 will receive the updated documents, as well as information about what has changed and guidance on what changes in other documents.

    Regarding ISO 27017 and ISO 27018: apart from specific templates, we have a toolkit integrating these templates into an ISO 27001 ISMS: https://advisera.com/27001academy/iso-27001-iso-27017-iso-27018-cloud-documentation-toolkit/

    From this link, you can download a free demo of the documents for evaluation. Additionally, in the toolkit, you will find a "List of documents" file that shows which templates cover which clauses from ISO 27017 and ISO 27018.

  • Sampling and testing

    I assume you are referring to accreditation? There is no mandatory requirement to include sampling. It depends on the purpose of the test, i.e., what the result is being used for. Certain test results that confirm a pass of a regulatory specification will require sampling to a specific plan. This may, however, be performed by another party. Many contract laboratories are not involved with sampling. In that case their scope of work excludes sampling. If the laboratory has no control over the sampling, then a statement must be put on the report that the results represent the sample received, not the source.

    If the laboratory is not responsible for sampling but uses a standard test method which includes sampling, then effectively they are performing a modified standard method. This might impact the method validation studies. Reference to the method on the Schedule of Accreditation needs to indicate it was modified.

  • Difference between application of this ISO for calibration labs and testing labs

    As calibration laboratories provide a service to testing laboratories by calibrating equipment, they have specific requirements in terms of their own equipment performance, measurement uncertainty, and metrological traceability of their methods to national and international standards. They also have specific report requirements. Depending on the type of calibration performed, for example volume or humidity, calibration laboratories have to meet specific requirements of the accreditation body for that program. This involves submitting measurement uncertainty budgets and calculations of method capability. Personnel responsible for releasing results in a calibration laboratory may also need to have a particular qualification or certification.

    For more information on ISO 17025, have a look at the ISO 17025 toolkit and available toolkit documents. They are available for preview or purchase at https://advisera.com/17025academy/iso-17025-documentation-toolkit/

    If you need more information on measurement uncertainty, see the Q&A https://community.advisera.com/topic/toolkit-content-39/

  • Standard Forms

    By ISO 27002 12.1.2 I’m assuming you mean control A.12.1.2 Change management from ISO 27001 Annex A.

    Considering that, please note that Conformio already covers this control through the Change Management Policy or the Security Procedures for IT Department.

    One of these documents will become available for customization once you state control A.12.1.2 as applicable in the Statement of Applicability document.

    ISO 27001 does not prescribe the contents of change records, so organizations can develop them as they see fit.

    To see an example, I suggest you take a look at the free demo of our Request for Change and Change Record at this link: https://advisera.com/20000academy/documentation/request-for-change-and-change-record/ , but remember that such a register is not really needed for ISO 27001 compliance.

    For further information see:
    How to manage changes in an ISMS according to ISO 27001 A.12.1.2 https://advisera.com/27001academy/blog/2015/09/14/how-to-manage-changes-in-an-isms-according-to-iso-27001-a-12-1-2/

  • GDPR Questions

    1: Advisera docs Footer and Change record – do we have to keep the Advisera wording on all docs?

    No, they can be customized to match your templates or any other form that you may consider necessary.

    2: Client data – How long can we keep data? 6 years + 1 from the collection date, or 6 + 1 from when the client has left?

    It depends. Storage of data is considered processing of personal data. So if you choose to store data for 6 years + 1 from the collection date, you should have a legal ground for storing it. It can be legitimate interest (e.g., to protect your organization in court) or legal obligation (fiscal law, labor law, etc.).

    3: Confirm BtoB data is still governed the same way as BtoC – PII

    Yes, personal data is any information related to an identified or identifiable data subject, it doesn’t matter if B2B or B2C.

    4: Back Ups on Tape Drives and SAR requests – where do we stand?

    If you receive a Subject Access Request (SAR), according to Art. 15 GDPR you should disclose a copy of all personal data that you are processing. If there is data on the backup, it should be in production as well anyway, so you shouldn’t do anything special besides mentioning the backup storage time for the data.

    5: If a client asks to see our policies, can/should we hand them over? Incident log, do we have to show that if asked?

    If you act as a Data Processor, the Data Controller has the right to check all your technical and organizational measures needed to demonstrate GDPR compliance. The Data Controller is accountable for how it chooses its Data Processors. You might choose not to share policies and procedures, especially if they contain confidential information, but you should find a way to demonstrate to your client that you took all necessary technical and organizational measures needed to demonstrate GDPR compliance. For incident logs, I recommend sharing only the non-confidential information.

    6: Clarify medical data in ***; we don’t collect it, but a customer could upload it. What are the implications for us as Processor?

    The Data Controller is accountable for how it processes personal data, including uploading of medical data. As a Processor, you must make sure that you are respecting the Controller’s instructions, that you don’t process that medical data for other purposes, and that you protect that data.

  • Conformio - Managing Records kept on the basis of any document

    I’m assuming you are referring to the IT Security Policy.

    We’re sorry, but currently it is not possible to define multiple users to be responsible for this record in the document wizard.

    As a workaround, you can upload a complementary document to this policy defining the additional roles you want to have the right to store such records.

  • Incident Response Plan

    I’m assuming you are referring to a template from the ISO 27001 and ISO 22301 Documentation Toolkit.

    Considering that, for some of the incident response plans defined in this toolkit (e.g., Evacuation of the building, Fire, Earthquake, Threat letter, and Threat call / bomb threat) you can use the ISO 45001 documentation if such documentation covers the same topics.

  • Advisera ISO toolkit ISO27017 ISO27018

    References to controls defined by ISO 27017 and ISO 27018 in each document can be found in section 2, Reference documents, and in comments related to the ISO 27017 and ISO 27018 texts that can be customized by the customers (e.g., which are the responsibilities for PII controllers).

    Included in the toolkit there is a List of documents file that shows which clauses from these standards are covered by each template.

    Please note that, for certification purposes, such a degree of granularity in identifying information related to these standards is not required (this is not required even for ISO 27001).

    For further information, see:
    - ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
    - ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/

  • ISMS scope

    Please note that the decision about including or excluding controls needs to be based on the results of risk assessment and applicable legal requirements, and it seems neither of you took these into consideration.

    So, our recommendation for your team is to see first which risks and legal requirements are relevant to your scope, and based on them identify which controls are applicable.
