Search results


  • Standard Forms

    By ISO 27002 12.1.2 I’m assuming you mean control A.12.1.2 Change management from ISO 27001 Annex A.

    Considering that, please note that Conformio already does cover this control through Change Management Policy or Security Procedures for IT Department.

    One of these documents will become available for customization once you state control A.12.1.2 as applicable in the Statement of Applicability document.

    ISO 27001 does not prescribe the contents of change records, so organizations can develop them as they see fit.

    To see an example, I suggest you take a look at the free demo of our Request for Change and Change Record at this link: https://advisera.com/20000academy/documentation/request-for-change-and-change-record/ , but remember that such a register is not really required for ISO 27001 compliance.

    For further information see:
    How to manage changes in an ISMS according to ISO 27001 A.12.1.2 https://advisera.com/27001academy/blog/2015/09/14/how-to-manage-changes-in-an-isms-according-to-iso-27001-a-12-1-2/

  • GDPR Questions

    1: Advisera docs Footer and Change record – do we have to keep the Advisera wording on all docs?

    No, they can be customized to match your templates or any other form that you may consider necessary.

    2: Client data – How long can we keep data? 6 years +1 from collection date or when client has left then 6+1

    It depends. Storage of data is considered processing of personal data. So if you choose to store data for 6 years + 1 from the collection date, you should have a legal ground for storing it. It can be legitimate interest (e.g., to protect your organization in court) or a legal obligation (fiscal law, labor law, etc.).

    3: Confirm BtoB data is still governed the same way as BtoC – PII

    Yes, personal data is any information related to an identified or identifiable data subject, it doesn’t matter if B2B or B2C.

    4: Back Ups on Tape Drives and SAR requests – where do we stand?

    If you receive a Subject Access Request (SAR), according to Art. 15 GDPR you should disclose a copy of all personal data that you are processing. If there is data on the backup, it should be in production as well anyway, so you shouldn't do anything special besides mentioning the backup storage time for the data.

    5: If a client asks to see our policies can\should we hand them over? Incident log, do we have to show that if asked?

    If you act as a Data Processor, the Data Controller has the right to check all your technical and organizational measures needed to demonstrate GDPR compliance. The Data Controller is accountable for how it chooses its Data Processors. You might choose not to share policies and procedures, especially if they contain confidential information, but you should find a way to demonstrate to your client that you took all necessary technical and organizational measures needed to demonstrate GDPR compliance. For incident logs, I recommend sharing only the non-confidential information.

    6: Clarify medical data in ***, we don't collect it, but a customer could upload it, what are the implications for us as Processor?

    The Data Controller is accountable for how it processes personal data, including uploading of medical data. As a Processor, you must make sure that you are respecting the Controller’s instructions, that you don’t process that medical data for other purposes, and that you protect that data.

  • Conformio - Managing Records kept on the basis of any document

    I’m assuming you are referring to the IT Security Policy.

    We’re sorry, but currently it is not possible to define multiple users to be responsible for this record in the document wizard.

    As a workaround, you can upload a complementary document to this policy defining the additional roles you want to have the right to store such records.

  • Incident Response Plan

    I’m assuming you are referring to a template from ISO 27001 and ISO 22301 Documentation Toolkit.

    Considering that, for some of the incident response plans defined in this toolkit (e.g., Evacuation of the building, Fire, Earthquake, Threat letter, and Threat call / bomb threat) you can use the ISO 45001 documentation if such documentation covers the same topics.

  • Advisera ISO toolkit ISO27017 ISO27018

    References to the controls defined by ISO 27017 and ISO 27018 can be found in each document in section 2, Reference documents, and in comments related to the ISO 27017 and ISO 27018 text that can be customized by customers (e.g., which are the responsibilities of PII controllers).

    Included in the toolkit is a List of documents file that shows which clauses from these standards are covered by each template.

    Please note that, for certification purposes, such a degree of granularity in identifying information related to these standards is not required (this is not required even for ISO 27001).  

    For further information, see:
    - ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
    - ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/

  • ISMS scope

    Please note that the decision about including or excluding controls needs to be based on the results of risk assessment and applicable legal requirements, and it seems neither of you took these into consideration.

    So, our recommendation for your team is to see first which risks and legal requirements are relevant to your scope, and based on them identify which controls are applicable.

    For further information, see:

  • ISO 27001 Enquiry

    For your organization to be compliant with ISO 27001 when handling off-premises systems managed by third parties (whether or not they are ISO 27001 certified), your organization needs to:

    • identify the relevant risks and the applicable legal requirements these suppliers must comply with
    • communicate such risks and legal requirements to the suppliers.

    Based on the risks and legal requirements, your organization and the supplier will define applicable security controls to best fulfill them. Normally the agreed controls will be enforced by means of contracts or service agreements.

    These articles will provide you with a further explanation of supplier security management:

  • GDPR Query

    If your vendor is a Data Processor and you are a Data Controller, you are accountable for how personal data is being processed. Storage of personal data in the US is considered a personal data transfer, and it must use a transfer mechanism as defined in Chapter V GDPR - Transfers of personal data to third countries or international organizations. Since we are talking about a transfer to the US, not only does the vendor need to sign an SCC or a DPA (only if the vendor is subject to GDPR according to Art. 3 GDPR - Territorial Scope; but even then an SCC must be signed between the vendor and Amazon US), it also needs to make sure that personal data is protected from access by US authorities under FISA (Foreign Intelligence Surveillance Act) Section 702 (a statute that authorizes the collection, use, and dissemination of electronic communications content stored by U.S. electronic service providers), using additional technical and organizational measures such as BYOK (Bring Your Own Key: encrypted content on US servers, the key stored on EU servers).

    In conclusion, if the vendor refuses to take the necessary technical and organizational measures to demonstrate GDPR compliance (including the signing of DPA/SCC and additional technical/organizational measures), as a Data Controller you should change the vendor.

    Please consult these links as well:
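
    The BYOK arrangement mentioned in the answer above (content encrypted on US servers, key held on EU servers) is normally built as envelope encryption: a fresh data key per object, the data key wrapped by a key-encryption key that never leaves EU-controlled systems. The Go program below is an added illustration of that split; it is not code from Advisera, from Amazon, or from any vendor product. EUKeyService, StoredObject, the object ID and the JSON record are hypothetical names and constructed sample data. It shows that the foreign storage side only ever holds ciphertext plus a wrapped key, that a wrapped key is bound to its object and cannot be replayed against another, and that destroying the EU-held key makes everything stored abroad unreadable without touching the US provider.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// randomBytes returns n CSPRNG bytes; a failing crypto/rand is unrecoverable.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects a nil or wrong-length key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aeadSeal: AES-256-GCM with aad bound; output is nonce || ciphertext || tag.
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// aeadOpen reverses aeadSeal; any change to ciphertext, tag or aad fails.
func aeadOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// EUKeyService is a hypothetical stand-in for a KMS/HSM under EU control. It
// holds only the key-encryption key (KEK); customer content never reaches it.
type EUKeyService struct{ kek []byte }

func NewEUKeyService() *EUKeyService { return &EUKeyService{kek: randomBytes(32)} }

// WrapDEK binds the object ID as AAD so a wrapped key cannot be replayed
// against a different object. After Revoke the nil KEK makes both calls fail.
func (s *EUKeyService) WrapDEK(dek []byte, id string) ([]byte, error) { return aeadSeal(s.kek, dek, []byte(id)) }
func (s *EUKeyService) UnwrapDEK(w []byte, id string) ([]byte, error) { return aeadOpen(s.kek, w, []byte(id)) }

// Revoke destroys the KEK: everything held by the foreign storage becomes
// unrecoverable without touching a single byte there.
func (s *EUKeyService) Revoke() { s.kek = nil }

// StoredObject is all the US-hosted storage ever receives.
type StoredObject struct {
	ObjectID   string
	WrappedDEK []byte
	Ciphertext []byte
}

// Encrypt: fresh DEK per object, content under the DEK, DEK under the KEK.
func Encrypt(ks *EUKeyService, objectID string, plaintext []byte) (*StoredObject, error) {
	dek := randomBytes(32)
	ct, err := aeadSeal(dek, plaintext, []byte(objectID))
	if err != nil {
		return nil, err
	}
	wrapped, err := ks.WrapDEK(dek, objectID)
	if err != nil {
		return nil, err
	}
	return &StoredObject{ObjectID: objectID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt must go through the EU key service to recover the DEK first.
func Decrypt(ks *EUKeyService, obj *StoredObject) ([]byte, error) {
	dek, err := ks.UnwrapDEK(obj.WrappedDEK, obj.ObjectID)
	if err != nil {
		return nil, err
	}
	return aeadOpen(dek, obj.Ciphertext, []byte(obj.ObjectID))
}

func main() {
	ks := NewEUKeyService()
	obj, _ := Encrypt(ks, "customer-42/record.json", []byte(`{"name":"Anna","email":"anna@example.eu"}`)) // constructed sample
	pt, err := Decrypt(ks, obj)
	fmt.Printf("with EU KEK: %s (err=%v)\n", pt, err)
	ks.Revoke()
	_, err = Decrypt(ks, obj)
	fmt.Printf("after KEK revocation: err=%v\n", err)
}
```

    What BYOK actually buys against compelled access depends on where UnwrapDEK runs: if the US provider's own service performs the unwrap on the customer's behalf, the plaintext data key sits in the provider's memory and the protection is much weaker than when the unwrap happens on EU-controlled hosts, as modelled here.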

  • Data Protection Addendum and Standard contractual clauses

    Hi Everyone, I have the below queries when it comes to signing of DPA and SCCs.

    1. In which scenarios do we sign a Data Protection Addendum (DPA) and Standard Contractual Clauses (SCC) with the vendor? For e.g. there is a scenario where we will be sharing our European customer PII data with the vendor and the vendor will be storing that data in a non-EU region. In this case, we sign DPA and SCC with the vendor. What are the other scenarios where we sign DPA and SCCs with vendors?
  • Questions about Conformio

    1 - Of the items listed as mandatory for 27001, do they all have to be in place at stage 1 or is it okay to have a select listing completed and others WIP?

    All items listed as mandatory need to be implemented by the time the certification audit starts.

    2 - Also, could you give me an indication of the costs involved with Conformio please? Does Conformio only cover 27001 or does it cover other standards as well? I am currently responsible for the compliance and regulatory affairs of 2 companies whom I have taken through ISO13485, and I manage and maintain both their QMS arrangements, audits, NC’s, suppliers etc.

    Currently, Conformio covers only the ISO 27001 standard. To see the costs and the content of the different Conformio plans, click here: https://advisera.com/conformio/

    3 - I am currently seeking to add 27001 certification for both and have a project team in place to identify where the existing QMS requires additional items to be ready for 27001 – currently doing risk threat analysis and controls id to enable completion Statement of Applicability – I will be using the same compliance company as we do for 13485 and have provisionally booked stage 1 for September – additionally, one business creates non-medical digital assets in addition to medical devices, so am seeking 9001 there also. Pretty full on as you can imagine.

    BSI are constantly mailing me pushing their Compliance navigator tool, but I think we are too small (70 people between both) and would use too little to justify the costs they’re quoting – is Conformio a similar tool?

    Currently, Conformio is not designed to work with multiple standards, and in cases like yours we recommend you take a look at our documentation toolkits:

    They are designed for companies of a size like yours, and since these standards share many common requirements, you can use them to implement ISO 27001, ISO 9001, and ISO 13485 together.

    For further information, see:

    4 - Also, would you have or have knowledge of anywhere that I might be able to find a regulatory roadmap for medical devices across different regions? (Seems to be a bit of a minefield and each country seems to have regulations relating to clinical risk management etc. in place which must be met in addition to MDR etc.)

    The following materials will help you regarding the comparison between ISO 13485 and medical device regulations:

