1 - First one: why does the implementation toolkit not contain a folder for A.5 and a folder for A.18 in folder 08 for Annex A?
Answer: Please note that there is no need for a folder A.5 in the toolkit, because the policies needed to fulfill the controls from section A.5 of ISO 27001 Annex A are included in all the other folders that are part of folder 08 Annex A.
Regarding documents that cover controls from section A.18, they can be found here:
- documents in the toolkit in folder "02 Procedure for identification of requirements" ("Procedure for Identification of Requirements" and "Appendix – List of Legal, Regulatory, Contractual and Other Requirements")
- control A.18.1.2 is included in the document IT Security Policy (you'll find it in the toolkit in folder 08 Annex A security controls - A.8 Asset management) in the section "3.15. Copyright".
Included in the toolkit you bought, you'll find a document called “List of Documents” that explains which control/clause is covered by which document, and which documents are mandatory.
2 - Second question: while browsing your website, I found the document named Checklist of ISO 27001 Mandatory Documentation. I am confused, and I have a question regarding this document and the documentation I should deliver to the certification auditor. My question is: do I have to submit this document to the certification auditor?
Answer: I'm assuming you are referring to the whitepaper Checklist of mandatory documentation required by ISO 27001:2013.
Considering that, there is no need to submit this checklist; the documents included in the toolkit are all you need to present during a certification audit.
For further information, see:
- Checklist of Mandatory Documentation Required by ISO 27001 https://info.advisera.com/27001academy/free-download/checklist-of-mandatory-documentation-required-by-iso-27001
3 - Third question: what is the difference between this document and the implementation toolkit, which contains folders from 00 to 12?
Answer: The whitepaper only provides a brief explanation about the documents included in the toolkit, while the toolkit provides templates for real policies and procedures.
Please note that included with the toolkit you bought you have access to video tutorials that can help you with the risk assessment and risk treatment steps. These videos show you some real examples on how to combine assets, threats, and vulnerabilities.
For further information about the risk management process, see:
- ISO 27001 Risk Assessment, Treatment, & Management: The Complete Guide https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/
These materials will also help you regarding risk management:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-risk-management-in-plain-english/
I'm assuming that by management of assets you mean the process of developing, operating, maintaining, upgrading, and disposing of assets in the most cost-effective manner.
Considering that, please note that according to ISO 27001 it is not mandatory to document an asset management procedure.
Only rules applicable to users regarding the use of assets need to be documented, when control A.8.1.3 - Acceptable use of assets - is stated as applicable in the Statement of Applicability. The template which covers control A.8.1.3 is the IT Security Policy, which can be found in the folder 08 Annex A Security Controls >> A.8 Asset Management.
To see an example of an asset management process according to ISO 20000, which is not mandatory for ISO 27001, please see:
- Asset Management Process (ISO 20000) https://advisera.com/20000academy/documentation/asset-management-process/
For further information, see:
- Asset management according to ISO 27001: How to handle an asset register / asset inventory https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
There is no specific period of time that is required; however, the laboratory must have sufficient data and information available for assessment. This is needed to provide evidence of effective implementation, monitoring, and improvement. It will therefore depend on how much management, testing or calibration data is available as evidence, say after three months. This is a typical period for most laboratories.
You need to have monitored all the activities that are inputs for management review and completed at least one management review. This need not be on a fully implemented system for all activities, for example you may not yet have enough customer feedback. What is important is that you would have a process in place which is being followed and that actions are being taken to provide evidence.
On the technical side, participation in external proficiency testing / interlaboratory comparison is often the activity that delays the process. You need evidence of participating in at least one round for each test you are being accredited for, and you have to have evaluated the laboratory's performance and taken corrective action if required. Other examples are that there must be sufficient data on maintenance of equipment, and trends for method quality control.
For more information have a look at the available Free webinar – What are the steps in the ISO 17025 accreditation process? at https://advisera.com/17025academy/webinar/what-are-the-steps-in-the-iso-17025-accreditation-process-free-webinar
1. Is it correct if I mention in DPIA two data collection reasons for the CCTV: facility intrusion detection and labor discipline?
Mentioning those two data collection reasons is correct, but this is not going to be enough. The DPIA must review all the risks to the freedoms and rights of the data subject, per Article 35 GDPR - Data protection impact assessment, and it must address each risk with relevant technical and organizational measures in order to address all of them. In the case of the CCTV system, labor discipline can be seen as intrusive in many EU countries. Individuals have the right to private life even if they are at the job, per Article 8 of the European Convention on Human Rights - Right to respect for private and family life, home, and correspondence. Facility intrusion detection can be a suitable purpose for processing personal data; however, certain measures need to be implemented in order to respect the freedoms and rights of data subjects, such as limited CCTV coverage (entrance, corridors, etc.), limited access to the CCTV feed, deletion timeframes, legitimate interest assessments / Data Protection Impact Assessments, prior employee consultation, prior employee notification and so on. In many countries, 24/7 CCTV systems were found to be intrusive to the private lives of employees. In Germany, a Data Protection Authority issued a 10.4 million EUR GDPR fine to a retailer that installed a 24/7 CCTV system, even though the purpose was just theft prevention/location security.
Please also consult these links:
2. What size should the CCTV sign inside the office and outside the premises be?
You need to make sure that the sign is big enough to be seen and that the information present on the sign is sufficient. Per Article 13 GDPR - Information to be provided where personal data are collected from the data subject - a data subject must be notified regarding the processing of personal data. Namely, the data subject must understand who the data controller is, what personal data categories are being processed, with what purpose and legal ground, whom the data is being shared with and why, data exports outside the European Economic Area, for how long the data is being stored, and what rights the data subject has and how they can be exercised. Thus, all measures need to be taken in order to make sure that the data subject is being informed. Some best practices include multi-layered privacy notices, such as CCTV signs containing some basic information about the data controller (or joint data controllers), storage timelines, purposes, etc., and a QR code and/or a link to the full privacy notice where everything is detailed (including how the data subject can exercise the rights to access/rectification/deletion/restriction/export of personal data, and how he/she can object to the processing if it is based on legitimate interest).
Please also consult these links:
3. There is CCTV in the office with no automated processing. Sometimes there are kids visiting the office. Do I need to mention the kids' data in the recordings?
The privacy notice should be generic, but it must detail ways in which data subjects can exercise their rights. The issue with kids visiting the office is not about mentioning their data in the recordings but about making sure that the kids understand how their personal data is being processed. Article 12 GDPR clearly states that: "The controller shall take appropriate measures to provide any information referred to in Articles 13 [...] relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child". Consider that children might not know how to read, so you might choose to inform them in a different way (animations, videos, audio information, etc.), making sure they understand how their personal data is being processed.
I recommend performing a thorough DPIA in order to see whether this processing is not too intrusive. At ADVISERA we have a full EU GDPR Premium Toolkit that also contains a DPIA methodology and privacy notice templates that you can use.
Please also consult these links:
"Implications of not conforming with QMS requirements"
means that personnel must be aware of the consequences of deviating from standard procedures and processes. This starts with having an understanding of the processes they are involved with, and the associated quality risks. This involves understanding the reason certain standard procedures are in place, and why the laboratory has adopted its quality policies and set specific quality objectives. Personnel will then understand the identified risks and risk treatments (controls to reduce the risk) that are in place, and that deviating from procedures and authorisations is a nonconformance. This results in a possible undesired outcome to quality. The implication is a nonconforming event that needs resources to investigate, where corrective actions could be costly. Work may need to be repeated, which could result in loss of reputation, customer confidence or income.
The right of access is a fundamental right of the data subject. As stated in Article 15 GDPR - Right of access by the data subject - paragraph 3: "The controller shall provide a copy of the personal data undergoing processing". However, paragraph 4 states that "The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others". So you should redact the personal data of other data subjects (including usernames, pseudonyms, etc.), intellectual-property-protected data, and confidential data (including customer names, customer financial info, discounts, financial offerings, invoices, contracts, etc.).
Advisera's EU GDPR Premium Toolkit might help you in this endeavor, because as part of the toolkit we have a template for a Data Subject Access Request Procedure as well as templates for disclosure forms.
Please visit these links for more details:
It can fit in the Design and development process, but also in the verification of supplied products.
A single registration number is a number that each business entity has to obtain from EUDAMED or the local competent authority. A single registration number has to be requested for a manufacturer, importer, and EU representative. Distributors do not need to be registered in EUDAMED. It is covered in Article 31 of the MDR 2017/745.
For more information, see:
Regarding the codes, there are specified codes for medical devices. The MDR has a nomenclature called the European Medical Device Nomenclature, covered in Article 26 of the MDR. More details regarding this nomenclature can be found at the following links:
European Medical Device Nomenclature (EMDN) https://webgate.ec.europa.eu/dyna2/emdn/A