Search results

ISO 27001 Enquiry

For your organization to be compliant with ISO 27001 when handling off-premises systems managed by third parties (being they ISO 27001 certified or not), your organization needs to:

• identify relevant risks and applicable legal requirements these suppliers must comply to
• communicate such risks and legal requirements to the suppliers.

Based on the risks and legal requirements, your organization and the supplier will define applicable security controls to best fulfill them. Normally the agreed controls will be enforced by means of contracts or service agreements.

These articles will provide you with a further explanation of supplier security management:

• 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
• Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/

GDPR Query

If your vendor is a Data Processor and you are a Data Controller, you are accountable for how personal data is being processed. Storage of personal data in the US is considered to be a personal data transfer, and it must use a transfer mechanism as they are defined in Chapter V GDPR - Transfers of personal data to third countries or international organizations. Since we are talking about a transfer to the US, not only the vendor needs to sign an SCC or a DPA (only if the vendor is subject to GDPR, according to Art 3 GDPR – Territorial Scope, but even then an SCC must be signed between the vendor and Amazon US), it also needs to make sure that personal data is protected from access by US authorities using FISA (Foreign Intelligence Surveillance Act ) 702 legislation (a statute that authorizes the collection, use, and dissemination of electronic communications content stored by U.S. electronic service providers), using additional technical and organizational measures such as BYOK (Bring Your Own Key - encrypted content on US servers, the key stored on EU servers).

In conclusion, if the vendor refuses to take the necessary technical and organizational measures to demonstrate GDPR compliance (including the signing of DPA/SCC and additional technical/organizational measures), as a Data Controller you should change the vendor.

Please consult these links as well:

• Article 3 GDPR – Territorial Scope: https://advisera.com/eugdpracademy/gdpr/territorial-scope/
• Article 28 GDPR – Processor: https://advisera.com/eugdpracademy/gdpr/processor/
• Chapter V GDPR - Transfers of personal data to third countries or international organisations: https://advisera.com/eugdpracademy/gdpr-text/transfers-of-personal-data-to-third-countries-or-international-organisations/
• EDPB’s Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data: https://edpb.europa.eu/sites/default/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf 

Data Protection Addendum and Standard contractual clauses

Questions about Conformio

1 - Of the items listed as mandatory for 27001, do they all have to be in place at stage 1 or is it okay to have a select listing completed and others WIP?

All items listed as mandatory need to be implemented by the time the certification audit starts.

2 - Also, could you give me an indication of the costs involved with Conformio please? Does Conformio only cover 27001 or does it cover other standards as well? I am currently responsible for the compliance and regulatory affairs of 2 companies whom I have taken through ISO13485, and I manage and maintain both their QMS arrangements, audits, NC’s, suppliers etc.

Currently, Conformio is covering only ISO 27001 standard. To see to costs and the content of different Conformio plans, click here: https://advisera.com/conformio/

3 - I am currently seeking to add 27001 certification for both and have a project team in place to identify where the existing QMS requires additional items to be ready for 27001 – currently doing risk threat analysis and controls id to enable completion Statement of Applicability – I will be using the same compliance company as we do for 13485 and have provisionally booked stage 1 for September – additionally, one business creates non-medical digital assets in addition to medical devices, so am seeking 9001 there also. Pretty full on as you can imagine.

BSI are constantly mailing me pushing their Compliance navigator tool, but I think we are too small (70 people between both) and would use too little to justify the costs they’re quoting – is Conformio a similar tool?

Currently, Conformio is not designed to work with multiple standards, and in cases like yours we recommend you take a look at our documentation toolkits:

• https://advisera.com/27001academy/iso-27001-documentation-toolkit/
• https://advisera.com/9001academy/iso-9001-documentation-toolkit/
• https://advisera.com/13485academy/iso-13485-documentation-toolkit/

They are designed for companies a size like yours, and since these standards share many common requirements, you can use them to implement ISO 27001, ISO 9001, and ISO 13485 together.

For further information, see:

• How to implement integrated management systems https://advisera.com/blog/2015/10/05/how-to-implement-integrated-management-systems/

4 - Also, would you have or have knowledge of anywhere that I might be able to find a regulatory roadmap for medical devices across different regions? ( Seems to be a bit of a minefield and each country seems to have regulations relating to clinical risk management etc in place which must be met in addition to MDR etc).

The following materials will help you regarding the comparison between ISO 13485 and medical device regulations:

• List of worldwide regulations that require implementation of ISO 13485 https://advisera.com/13485academy/blog/2021/03/09/list-of-worldwide-regulations-that-require-implementation-of-iso-13485/
• FDA vs. EU MDR Technical Documentation Matrix https://info.advisera.com/13485academy/free-download/fda-vs-eu-mdr-technical-documentation-matrix

Minimum standards required for SME

If there is no customer-specific requirement, the IATF 16949:2016 standard expects to have a minimum ISO 9001:2015 certificate. 

DR/BCP career

Hi. am looking for the most economical way to introduce standards that allow SME's to play an active role in  the automotive sector. The barriers to entry are high and together with ISO and other standard requirements, it puts it out of reach for the average SME to gain a foot in the door at even 1st and 2nd levels. Please advise. 

Question on Stakeholder Requirements for ISMS ISO 27001:2013

1 - In the survey of Stakeholders for my ISMS, in what scenario may some suppliers have requirements that must be considered for the ISMS?

Are requirements that they must meet for my organization regarding Information security or are their requirements that my company must meet with them in aspects of Information security?

Currently my providers are:

Microsoft (Azure + Office 365)

Amazon (cloud services)

Google (Corporate email)

Zoom (Videoconference)

Spamexperts (SMTP Relay)

Turbo SMTP (SMTP Relay)

Sophos (Antivirus licenses)

A Provider of the data center of my private cloud

An Internet access Provider in my physical Office.

A Software Development Provider.

A Provider of maintenance and support of User equipment

A maintenance and support provider for my virtual servers

A Provider that provides information security consulting services

With Microsoft, Google, Amazon, Zoom, Sophos, a contract is not managed, I simply buy and pay for the service online.

Please note that both situations can exist, i.e., there can be requirements set by you that the supplier needs to meet, and requirements set by the supplier that you need to meet (this is especially true when working with cloud services).

2 - Could you give me some examples of possible requirements these providers have regarding the ISMS that I want to implement?

A cloud provider can define a requirement that only a specific role in your organization is authorized to approve change requests in the infrastructure provided to you (e.g., only the IT Manager can approve such change requests.

Another example is that some cloud services providers require access control responsibilities to be shared between the provider and the organization (for example, the provider has responsibilities for setting systems parameters, while the organization has responsibilities for users’ access management). 

3 - What considerations should I take into account regarding these suppliers in my ISMS?

To ensure proper security regarding suppliers, you need to consider the result of your risk assessment and applicable legal requirements you need to fulfill (for example, compliance with HIPAA and GDPR demands that security controls are also implemented by suppliers and their supply chains).

For further information, see:

•  6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

ISO Control 15.2.2 Extended Support Request

Since control A.15.2.2 Managing changes to supplier services does not require a documented procedure, the specifics for evidence you may consider are:

• emails exchanged during contract negotiations questioning third parties about relationship changes, or reviewed assessments related to such changes
• the history of change requests records
• communications to schedule teams about changes in exchanged data
• history of assessment review

ISO 27001 Clause 9.2

ISO 27001 does not prescribe how to name the function which performs internal audit, only that requirements for internal audit are fulfilled.

So, if you can comply with requirements from clause 9.2, then you can perform the internal audit job for ISO 27001. The requirements are:
- audits must be performed at planned intervals
- there must be an audit programme, defining frequency, methods, responsibilities, planning requirements and reporting
- there must be defined audit criteria and audit scope for each audit
- auditors must not have conflict of interest with the audited scope (e.g., auditors cannot audit their own work)
- auditors must have experience with performing audit and have knowledge of ISO 27001
- audit results must be recorded and communicated to relevant management

For further information, see:
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

IATF Internal Auditor Certificate Validity (Expiry Date)

İşin gerçeği sertifika için geçerlilik tarihi dayanağının ne olduğuna emin değilim.

Normalde değişiklik eğtimleri tamamlanmış ise, iç denetçi sertifikasının güncellenmesine gerek yok. 

Sertifikayı veren kuruluşa bir sorsanız iyi olur,  neden böyle bir tarih koymuşlar acaba, dayanakları nedir?