ISO Quality Services Ltd – January 2018 Newsletter

8 Jan, 2018

Happy New Year everybody and welcome to the January 2018 edition of the ISO Quality Services Ltd Newsletter! This month’s edition is focused on Information Security & GDPR!

What’s in this issue?

Innovate and Save – Free Seminar hosted by ISO Quality Services Ltd and Haines Watts

Are you ready for GDPR?

Creating a great Information Security Policy

Internal Auditor Training

Offsite Servers Video Case Study

Be a part of our online community

Refer a friend

Innovate and Save

Free Seminar hosted by ISO Quality Services Ltd and Haines Watts

Are you ready for GDPR?

Steps to take to ensure you are compliant.

With GDPR coming up this May, ensure that your business is compliant with these 12 checks.

1. Raise Awareness

Decision makers and key people in the organisation need to be aware that the law is changing to GDPR, and they will need to understand what impact this will have.

2. Information Held

An information audit needs to be conducted, including information on personal data held in the organisation, where it came from, and who it is shared with.

3. Communicating Privacy

Carry out a review of your privacy notices and governance, identify gaps and plan how to prepare for the changes required by implementing GDPR.

4. Individual Rights

Make sure procedures cover all individuals’ rights, including deleting personal data, providing data electronically and in a commonly used format.

5. Subject Access Requests

Update procedures and have a plan for handling requests within the new timeframe and provide any additional information.

6. Legalities of processing Personal Data

Understand the different data processing types the organisation performs and identify the legal basis for carrying it out and document it appropriately.

7. Consent

The way the organisation seeks, obtains and determines consent needs to be reviewed and changes made if necessary.

8. Protecting Children’s Data

Systems should be designed and developed that can be used to verify ages, and can seek parental/guardian consent for a data processing activity.

9. Data Breaches

Procedures need to be in place to detect, report and investigate a personal data breach to both the customer and the regulator.

10. Data Protection by Design

Privacy Impact Assessments/Control Frameworks need to be developed with guidance from the regulator. Processes need to be developed and have governance for their use.

11. Data Protection Officers

Data Protection Officers should be appointed, or a similar role to take responsibility of data protection compliance. The organisation will need to decide where this role fits best.

12. International Work

If the organisation works internationally, which data protection authority is most appropriate needs to be decided and consider where processors and controllers are located.

Creating a great Information Security Policy

Including an Information Security Policy in your company documentation is an essential step to take if you want to build on your information security. As a necessity for the ISO 27001 Information Security standard, companies are required to have a detailed up to date policy in place, and it is best practice to ensure that you include the following:

Relevance

It goes without saying, any company policy should be relevant to the company. A small company would not be able to copy a policy from a global company, as it would not be relevant to how they operate. The best way to ensure your policy is relevant is by outlining how your company operates first, and meet these points when planning your policy.

Objective Setting Framework

A key part of ISO 27001 is setting objectives for the company to achieve in regards to their information security. Your policy should include the framework to follow when establishing these objectives, defining how the objectives are proposed, approved and reviewed.

A common method used in the objective setting process is the PDCA cycle (Plan, Do, Check, Act). You would set your objectives in the Plan section, identify which stage you would class your objectives as achieved in the Do section, start measurement of your objectives in the Check section, and finally make improvements and amendments in the Act section.

Commitment

Not only do your staff need to be committed to following your Information Security Policy, but also your management team need to state their commitment. This is usually done by including a statement in the policy expressing the commitment from management in regards to fulfilling the requirements of the policy and continually improving the Information Security Management System.

Scope

You can make reference to the scope of your Information Security Management System in your policy, so that it is clear what information your management system is protecting. This will cover all resources that hold information within your company and local network, just because a device may be out of the office does not mean it is out of the scope. As a part of ISO 27001, the auditor will check your scope to ensure that all elements of the management system are working within the scope, so you need to ensure that this includes all the relevant information.

Responsibilities

With an efficient management system also comes staff responsibilities, and these should be outlined in your policy so that everyone is clear on their roles. The staff member who is responsible for the day-to-day operations should be identified, as well as who is responsible on an executive level. This will be useful in the event of any incidents or when you need to conduct internal audits.

Measurement

The process for measuring your information security objectives can also be detailed in your policy. This would typically include who is responsible for measuring whether the objectives have been achieved, as well as who the results would be reported to and how often.

Regularly reviewed

To keep the policy relevant and up to date, it would have to be subject to regular reviews. There would typically be a designated member of staff who would review this and make amendments if necessary. If you don’t keep your policy up to date then it can soon fall behind and become irrelevant.

An ISO 27001 Information Security Management System is a systematic and pro-active approach to effectively managing risks to the security of your company’s confidential information. You can find out more about ISO 27001 by visiting our page here. Alternatively, you can speak to a member of our team on 01905 670303 or admin@isoqsltd.com.

Internal Auditor Training

Thursday 8th – 9th February 2018

9.30am – 4.30pm

Worcester

 

No quality management system can achieve its potential unless it is constantly monitored and audited. An audit is a review (or a check) of the Management System and its compulsory elements. It is a snapshot of the activities that a company undertakes that prove compliance to the standard at the time of the audit. This interactive 2 day training course will teach you the tools and techniques of the internal auditor.

How to conduct an effective audit and how to use these to achieve continual business process improvement and will assist your staff in identifying any gaps that may challenge the effectiveness of your quality management system.

Course Content

• Brief overview on the management system to be audited
• What is the purpose of an audit?
• How should an audit be approached?
• Maximise the benefits of monitoring so that the procedures are regularly being controlled.
• Find and rectify negative trends and maximise positive trends.
• A practical auditing exercise is undertaken by the delegate on the business, which will be marked.

There will also be a chance for a question and answer session, a live audit and a test to certify the auditors with a Certification awarded for successful completion.

Find out more information about the course and book your place here.

Offsite Servers – ISO 9001 & ISO 27001

Video Case Study

Hear from our client, Offsite Servers, about their experience obtaining the ISO 9001 Quality Management and ISO 27001 Information Security Management Standards.

Be a part of our Online Community

If you haven’t joined already – what are you waiting for?

ISO news, training updates and offers, meet the ISO QSL team and connect with other like-minded individuals.

Visit our LinkedIn Page: ISO QSL LinkedIn Company page

Visit our Twitter Page: @ISOQSL

Are you a client of ours? Would you recommend our services to your clients/suppliers… why not refer a friend?

Take your pick of a £50 donation to Midlands Air Ambulance, a case of wine or a £50 Marks & Spencer’s Voucher!

(To qualify for this you must refer a successful lead.)

To offer your referrals please contact – info@isoqsltd.com or 01905 670303.