
  • Sampling and testing

    I assume you are referring to accreditation? There is no mandatory requirement to include sampling. It depends on the purpose of the test, i.e. what the result is being used for. Certain test results that confirm a pass of a regulatory specification will require sampling to a specific plan. This may however be performed by another party. Many contract laboratories are not involved with sampling. In that case their scope of work excludes sampling. If the laboratory has no control over the sampling, then a statement must be put on the report that the results represent the sample received, not the source.

    If the laboratory is not responsible for sampling, however, uses a standard test method which includes sampling, then effectively they are performing a modified standard method. This might impact on the method validation studies. Reference to the method on the Schedule of Accreditation needs to indicate it was modified.

  • Difference between application of this ISO for calibration labs and testing labs

    As calibration laboratories provide service to testing laboratories to calibrate equipment, they have specific requirements in terms of their own equipment performance, measurement uncertainty and metrological traceability of their methods to national and international standards. They also have specific report requirements. Depending on the type of calibration performed, for example Volume or Humidity, calibration laboratories have to meet specific requirements of the accreditation body for that program. This involves submitting measurement of uncertainty budgets and calculations of method capability. Personnel responsible for releasing results in a calibration laboratory may also need to have a particular qualification or certification.

    For more information on ISO 17025, have a look at the ISO 17025 toolkit and available toolkit documents. They are available for preview or purchase at https://advisera.com/17025academy/iso-17025-documentation-toolkit/

    If you need more information on measurement uncertainty, see the Q&A https://community.advisera.com/topic/toolkit-content-39/

  • Standard Forms

    By ISO 27002 12.1.2 I’m assuming you mean control A.12.1.2 Change management from ISO 27001 Annex A.

    Considering that, please note that Conformio already does cover this control through Change Management Policy or Security Procedures for IT Department.

    One of these documents will become available for customization once you state control A.12.1.2 as applicable in the Statement of Applicability document.

    ISO 27001 does not prescribe the contents of change records, so organizations can develop them as they see fit.

    To see an example, I suggest you take a look at the free demo of our Request for Change and Change Record at this link: https://advisera.com/20000academy/documentation/request-for-change-and-change-record/, but remember that such a register is not really needed for ISO 27001 compliance.

    For further information see:
    How to manage changes in an ISMS according to ISO 27001 A.12.1.2 https://advisera.com/27001academy/blog/2015/09/14/how-to-manage-changes-in-an-isms-according-to-iso-27001-a-12-1-2/

  • GDPR Questions

    1: Advisera docs Footer and Change record – do we have to keep the Advisera wording on all docs?

    No, they can be customized to match your templates or any other form that you may consider necessary.

    2: Client data – How long can we keep data? 6 years +1 from collection date or when client has left then 6+1

    It depends. Storage of data is considered the processing of personal data. So if you choose to store data for 6 years +1 from the collection date, you should have a legal ground for storing. It can be legitimate interest (e.g., to protect your organization in court) or legal obligation (fiscal law, labor law, etc.).

    3: Confirm BtoB data is still governed the same way as BtoC – PII

    Yes, personal data is any information related to an identified or identifiable data subject, it doesn’t matter if B2B or B2C.

    4: Back Ups on Tape Drives and SAR requests – where do we stand?

    If you receive a Subject Access Request (SAR) according to Art. 15 GDPR, you should disclose a copy of all personal data that you are processing. If there is data on the backup, it should be in production as well anyway, so you shouldn’t do anything special besides mentioning the backup storage time for the data.

    5: If a client asks to see our policies can\should we hand them over? Incident log, do we have to show that if asked?

    If you act as a Data Processor, the Data Controller has the right to check all your technical and organizational measures needed to demonstrate GDPR compliance. The Data Controller is accountable for how it chooses its Data Processors. You might choose not to share policies and procedures, especially if they contain confidential information, but you should find a way to demonstrate to your client that you took all necessary technical and organizational measures needed to demonstrate GDPR compliance. For incident logs, I recommend sharing only the non-confidential information.

    6: Clarify medical data in ***, we don’t collect it, but customer could upload it, what are the implications for us as Processor?

    The Data Controller is accountable for how it processes personal data, including uploading of medical data. As a Processor, you must make sure that you are respecting the Controller’s instructions, that you don’t process that medical data for other purposes, and that you protect that data.

  • Conformio - Managing Records kept on the basis of any document

    I’m assuming you are referring to the IT Security Policy.

    We’re sorry, but currently it is not possible to define multiple users to be responsible for this record in the document wizard.

    As a workaround, you can upload a complementary document to this policy defining the additional roles you want to have the right to store such records.

  • Incident Response Plan

    I’m assuming you are referring to a template from ISO 27001 and ISO 22301 Documentation Toolkit.

    Considering that, for some of the incident response plans defined in this toolkit (e.g., Evacuation of the building, Fire, Earthquake, Threat letter, and Threat call / bomb threat) you can use the ISO 45001 documentation if such documentation covers the same topics.

  • Advisera ISO toolkit ISO27017 ISO27018

    Reference to controls defined by ISO 27017 and ISO 27018 in each document can be found in section 2 Reference documents, and in comments related to ISO 27017 and ISO 27018 texts that can be customized by the customers (e.g., which are the responsibilities for PII controllers).

    Included in the toolkit there is a List of documents file that shows which clauses from these standards are covered by each template.

    Please note that, for certification purposes, such a degree of granularity in identifying information related to these standards is not required (this is not required even for ISO 27001).

    For further information, see:
    - ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
    - ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/

  • ISMS scope

    Please note that the decision about including or excluding controls needs to be based on the results of risk assessment and applicable legal requirements, and it seems neither of you took these into consideration.

    So, our recommendation for your team is to see first which risks and legal requirements are relevant to your scope, and based on them identify which controls are applicable.

    For further information, see:

  • ISO 27001 Enquiry

    For your organization to be compliant with ISO 27001 when handling off-premises systems managed by third parties (whether they are ISO 27001 certified or not), your organization needs to:

    • identify relevant risks and applicable legal requirements these suppliers must comply with
    • communicate such risks and legal requirements to the suppliers.

    Based on the risks and legal requirements, your organization and the supplier will define applicable security controls to best fulfill them. Normally the agreed controls will be enforced by means of contracts or service agreements.

    These articles will provide you with a further explanation of supplier security management:

  • GDPR Query

    If your vendor is a Data Processor and you are a Data Controller, you are accountable for how personal data is being processed. Storage of personal data in the US is considered to be a personal data transfer, and it must use a transfer mechanism as defined in Chapter V GDPR - Transfers of personal data to third countries or international organizations. Since we are talking about a transfer to the US, not only does the vendor need to sign an SCC or a DPA (only if the vendor is subject to GDPR, according to Art. 3 GDPR – Territorial Scope, but even then an SCC must be signed between the vendor and Amazon US), it also needs to make sure that personal data is protected from access by US authorities using FISA (Foreign Intelligence Surveillance Act) Section 702 legislation (a statute that authorizes the collection, use, and dissemination of electronic communications content stored by U.S. electronic service providers), using additional technical and organizational measures such as BYOK (Bring Your Own Key: encrypted content on US servers, the key stored on EU servers).

    In conclusion, if the vendor refuses to take the necessary technical and organizational measures to demonstrate GDPR compliance (including the signing of DPA/SCC and additional technical/organizational measures), as a Data Controller you should change the vendor.

    Please consult these links as well:
