From the details you provided, most likely company A is a Data Controller and company B is a Data Processor for company A. However company B, for its own public website, is a Data Controller so that’s why they have a Privacy Notice. The Data Controller needs to take all technical and organizational measures to demonstrate compliance with GDPR, per Art 25 - Data protection by design and by default. That is why, according to Article 5.1.a – the principle of lawfulness, fairness and transparency – and to Article 13 – Information to be provided where personal data are collected from the data subject – company A is accountable for how it informs its own data subjects about the processing operations carried out by company B on its behalf. So company A should take, with the help of company B, all steps to make sure that the data subjects using the company B services purchased by company A, are informed. Also, according to Article 28 – Processor – company A needs to sign a Data Processing Addendum with company B, after they have performed a minimum due diligence on the supplier to make sure that company B offers the same level of protection for personal data as it is offered by company A.
At Advisera we have a great EU GDPR Premium Documentation Toolkit that can help you achieve compliance in this case. We have templates for Privacy Notice, Supplier Privacy Notice (that should be sent by Company A to Company B’s employees), Processor GDPR Compliance Questionnaire, Supplier Data Processing Agreement etc.
Please consult these links as well:
If you are referring to the process of application and accreditation assessment, typical gaps include:
These often arise due to organisational structure issues; where responsibilities and authorities are not clear and personnel do not understand the true intention of the QMS, purpose of ISO 17025, how the various activities link and how to take a risk based approach to decision making.
For more information have a look at the question and answer Accreditation duration at https://community.advisera.com/topic/accreditation-duration/ and the webinar What are the steps in the ISO 17025 accreditation process? at https://advisera.com/17025academy/webinar/what-are-the-steps-in-the-iso-17025-accreditation-process-free-webinar
The audit scope covers the requirements, area (department), activity and depth of what you will be auditing.
Your Internal Audit Schedule must, over the assigned period, cover all departments, activities and all test methods for which you are seeking accreditation, i.e. are all the processes, documents and records of information in place to ensure impartiality, competence and consistent operations.
Then, for the scope of each planned audit in that schedule, you plan
The following will provide more information on Internal Audits:
How to perform an internal audit using ISO 19011 at https://info.advisera.com/free-download/how-to-perform-an-internal-audit-using-iso-19011
ISO 17025 document template: Internal Audit Procedure at https://advisera.com/17025academy/documentation/internal-audit-procedure/
The Five Internal Audit Procedure appendices Internal Audit Program, Internal Audit Checklist, Audit Nonconformity Report, Internal Audit Process Checklist and Internal Audit Report are available separately from the procedure link above; or included in the toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/
Clause-by-clause explanation of ISO 17025:2017 at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025/
The Book - ISO internal audit: A plain English guide at https://advisera.com/books/iso-internal-audit-plain-english-guide/
These records are required for those who perform work that can impact information security performance, so they cover not only those involved in implementing the ISO 27001 project, but also those involved in the operation, maintenance, and improvement of the Information Security Management System.
This article will provide you with a further explanation of competencies:
In this case, the person "responsible for compliance" is the information owner, i.e., the person who authorizes the information described in the agreement to be made available to the employee.
For example, if the agreement covers R&D information, then access to it is authorized, for example, by the R&D department head, so this person needs to ensure that the employee already has signed the confidentiality agreement before granting access to the information.
1. How to handle legal and contractual requirements and what clauses require this in the standard?
Legal and contractual requirements are handled through the Register of Requirements module. In the Wizard tab on the left side of the screen, you will find a Help & Support tab where you can access help videos that explain how to use this module.
Legal and contractual requirements are related to standard clause 4.2 Understanding the needs and expectations of interested parties, and Annex A control A.18.1.1 Identification of applicable legislation and contractual requirements.
2. Is it required that the person who is doing the Audit needs to have training in Internal Auditing and ISO 27001?
The standard requires that a person performing work that can impact information security has proper competence, by means of experience, training, or education.
Considering that, if this person already has previous experience with ISO 27001 and ISO 27001 internal audits (e.g., this person has already performed internal audits before), he does not necessarily need to have formal training.
For further information, see:
Please note that this need for certification will depend on your business objectives and applicable legal requirements (e.g., you need to comply with a law or regulation, or a contract with a customer demands such certification).
In general, if your focus is on customer satisfaction, you should look for ISO 9001 certification. If your focus is on information security, then you should look for ISO 27001 certification. Additionally, you can work with an integrated management system covering both ISO 9001 and ISO 27001.
These articles will provide you with a further explanation about ISO 9001 and ISO 27001:
- What is ISO 27001? https://advisera.com/27001academy/what-is-iso-27001/
- Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/#benefits
- What is ISO 9001? https://advisera.com/9001academy/what-is-iso-9001/
- Using ISO 9001 for implementing ISO 27001 https://advisera.com/27001academy/blog/2010/03/08/using-iso-9001-for-implementing-iso-27001/
- Benefits of ISO 9001 implementation for small businesses https://advisera.com/9001academy/blog/2018/09/17/benefits-of-iso-9001-implementation-for-small-businesses/
Unfortunately, we do not have such a comprehensive document, but you can find information about the overlap between SOC 2 and ISO 27001 in this article:
With the information in the articles included in the previous answer, you will be able to have this general overview.
ISO 9001:2015 does not reference the use of Hazard Analysis. I only consider its use mandatory if prescribed in a contract or in other compliance obligations.
You can find more information below about risks.
From your question I understand that in your scenario you have a specific business unit responsible for information security in the organization, and that you performed a BIA for each department in the organization.
Considering that, please note that a BIA will give you information about the impact on business continuity specifically for the scope where it is applied (i.e., the BIA for a department will give you information about that specific department only).
So, to have information about the business continuity impact on the information security department, you need to perform a BIA on this department. The BIA in each department needs to be performed using the same methodology, i.e. the same set of rules, so that the results are comparable.
These articles will provide you with a further explanation about performing a BIA:
- How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
- Five Tips for Successful Business Impact Analysis https://advisera.com/27001academy/blog/2010/06/10/five-tips-for-successful-business-impact-analysis/
These materials will also help you regarding BIA:
- Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/27001academy/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
- Implementing Business Impact Analysis according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/implementing-business-impact-analysis-according-to-iso-22301-free-webinar-on-demand/