Search results


  • ISO 20000 Service Desk

    I don't know the current state of your service desk (in terms of its level of digitalization), but in general, digital transformation:

    1. Enables you to do things differently (or do different things) compared to the state before digital transformation. That will, I assume, require a significant change in some of the activities.

    2. Is achieved by digitizing, robotizing, and the use of some other form of automation.

    3. Requires a change in leadership style, e.g. servant leadership, challenging one's own assumptions about the way of working, fostering experimentation and a safety culture among the workforce, etc.


    So, these are some characteristics of digital transformation. Apply them to the specifics of your organization.

    Digital transformation offers many opportunities, but it also brings some risks. Since it involves technological shifts that carry risk, risk should be managed proactively.

    Governance is also an important element that needs to be adjusted, e.g. responsiveness and flexibility.


    So, digital transformation requires a shift in almost every area of the business.

  • Risk Register Team work question

    The information about these controls can be located as follows:

    • Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4): security roles and responsibilities are defined alongside all documents implemented for the ISMS. You can see a summary of this information by accessing the “Responsibility Matrix” link in the left side panel of Conformio Screen.
    • Inventory of assets: Conformio enables you to draw up the list of assets during the risk assessment process by suggesting a checklist of potential assets you can find in your company. The inventory of assets is part of the Risk Register module.
    • Acceptable use of assets (clause A.8.1.3): this control is implemented by means of the IT Security Policy.
    • Access Control Policy: this control is implemented by means of the Access Control Policy.
    • Operating Procedures for IT department: this control is implemented by means of the Security Procedures for the IT Department.
    • Secure system engineering principles (clause A.14.2.5): this control is implemented by means of the Secure Development Policy.
    • Supplier Security Policy: this control is implemented by means of the Supplier Security Policy.
    • Incident Management Procedure: this control is implemented by means of the Incident Register.
    • Business continuity procedures (clause A.17.1.2): this control is implemented by means of the Disaster Recovery Plan document.
    • Legal, regulatory, and contractual requirements: this control is implemented by means of the Register of Requirements module.

    Approved documents can be found by accessing the “Documents” link in the left side panel of Conformio Screen.

    Please note that the documents “IT Security Policy”, “Access Control Policy”, "Security Procedures for IT Departments", "Secure Development Policy", "Supplier Security Policy" and "Disaster Recovery Plan" are added after completion of the Statement of Applicability step, as justification for the controls they are related to. Please take a look at the following help video for more information: https://vimeo.com/showcase/6734609/video/472957258

  • ISO 27001 A.8.1.1 Asset Inventory

    The equipment's serial number is commonly adopted as a unique identifier.

    ISO 27001 does not prescribe information to be used to track an asset, so organizations can define the information they see best fits their needs.

    This article will provide you with a further explanation of asset management:

  • Mandatory docs

    This information can be located as follows:

    • Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4): security roles and responsibilities are defined alongside all documents implemented for the ISMS. You can see a summary of this information by accessing the “Responsibility Matrix” link in the left side panel of Conformio Screen.
    • Acceptable use of assets (clause A.8.1.3): this control is implemented by means of the IT Security Policy.
    • Secure system engineering principles (clause A.14.2.5): this control is implemented by means of the Secure Development Policy.
    • Business continuity procedures (clause A.17.1.2): this control is implemented by means of the Disaster Recovery Plan document.
    • Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3): logs are generated and stored in the information systems in which the organization configures them (these records need to be uploaded manually to Conformio if you want to access them through the platform). Security events can be found in the Incident Register module.
  • GDPR applicability

    So if we are a non-EU-based organization and offer products/services (not SaaS) to a few EU-based companies (not all customers are in the EU), would GDPR apply to us? Especially if we maintain EU customer information like email, address and phone number? We are not collecting customer data based on any controller instructions; we have their data because they subscribe to our products/services. The only data we retain are email IDs, phone numbers and physical addresses.

    Article 3 GDPR (Territorial scope) states the following: “This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union”. So in this case, GDPR applies to you.

    Many US-based companies find GDPR compliance a little difficult to handle. Advisera's EU GDPR Documentation Toolkit can help you comply with GDPR as a U.S. company - it has all the necessary documents for controllers and processors, as well as support from our GDPR experts.

    Please also visit these links:

  • MDR vs CFR 21

    There are some differences between the documentation requirements. You can find them in the following article:

    For any other questions, do not hesitate to contact us.

  • Direct part marking for reusable devices class I

    Annex VI, Part C of the MDR 2017/745 states that

    "Devices that are reusable shall bear a UDI carrier on the device itself. The UDI carrier for reusable devices that require cleaning, disinfection, sterilisation or refurbishing between patient uses shall be permanent and readable after each process performed to make the device ready for the subsequent use throughout the intended lifetime of the device. The requirement of this Section shall not apply to devices in the following circumstances: (a) any type of direct marking would interfere with the safety or performance of the device; (b) the device cannot be directly marked because it is not technologically feasible."

    So this means that the UDI must be on the device itself if it is technically possible; otherwise, all other information can be prepared separately.

  • Using ISO 9001 policies for ISO 27001

    You can use the same documents you developed for ISO 9001 that are also required by ISO 27001; you only need to ensure that the documents are updated according to the results of the information security risk assessment and the applicable information security legal requirements (e.g., laws, regulations, and contracts).

    These articles will provide you with a further explanation about integrating management systems:
