8 Jan, 2018
Happy New Year everybody and welcome to the January 2018 edition of the ISO Quality Services Ltd Newsletter! This month’s edition is focused on Information Security & GDPR!
Free Seminar hosted by ISO Quality Services Ltd and Haines Watts
Steps to take to ensure you are compliant.
With GDPR coming up this May, ensure that your business is compliant with these 12 checks.
Decision makers and key people in the organisation need to be aware that the law is changing to GDPR, and they will need to understand what impact this will have.
An information audit needs to be conducted, including information on personal data held in the organisation, where it came from, and who it is shared with.
Carry out a review of your privacy notices and governance, identify gaps and plan how to prepare for the changes required by implementing GDPR.
Make sure procedures cover all individuals’ rights, including deleting personal data, providing data electronically and in a commonly used format.
Update procedures and have a plan for handling requests within the new timeframe, providing any additional information required.
Understand the different data processing types the organisation performs and identify the legal basis for carrying it out and document it appropriately.
The way the organisation seeks, obtains and determines consent needs to be reviewed and changes made if necessary.
Systems should be designed and developed to verify ages and to seek parental/guardian consent for a data processing activity.
Procedures need to be in place to detect and investigate a personal data breach and to report it to both the customer and the regulator.
Privacy Impact Assessments/Control Frameworks need to be developed with guidance from the regulator. Processes need to be developed and have governance for their use.
A Data Protection Officer, or a similar role, should be appointed to take responsibility for data protection compliance. The organisation will need to decide where this role fits best.
If the organisation works internationally, it needs to decide which data protection authority is most appropriate, considering where its processors and controllers are located.
Including an Information Security Policy in your company documentation is an essential step to take if you want to build on your information security. As a requirement of the ISO 27001 Information Security standard, companies must have a detailed, up-to-date policy in place, and it is best practice to ensure that you include the following:
It goes without saying that any company policy should be relevant to the company. A small company could not simply copy the policy of a global company, as it would not reflect how the small company operates. The best way to ensure your policy is relevant is to outline how your company operates first and then address those points when planning your policy.
A key part of ISO 27001 is setting objectives for the company to achieve with regard to its information security. Your policy should include the framework to follow when establishing these objectives, defining how the objectives are proposed, approved and reviewed.
A common method used in the objective-setting process is the PDCA cycle (Plan, Do, Check, Act): you set your objectives in the Plan stage, identify the point at which you would class an objective as achieved in the Do stage, start measuring your objectives in the Check stage, and finally make improvements and amendments in the Act stage.
Not only do your staff need to be committed to following your Information Security Policy, but your management team also needs to state its commitment. This is usually done by including a statement in the policy expressing management's commitment to fulfilling the requirements of the policy and continually improving the Information Security Management System.
You can make reference to the scope of your Information Security Management System in your policy, so that it is clear what information your management system is protecting. This will cover all resources that hold information within your company and local network; just because a device may be out of the office does not mean it is out of scope. As part of ISO 27001, the auditor will check your scope to ensure that all elements of the management system are working within it, so you need to ensure that it includes all the relevant information.
With an efficient management system also come staff responsibilities, and these should be outlined in your policy so that everyone is clear on their roles. The staff member responsible for day-to-day operations should be identified, as well as who is responsible at an executive level. This will be useful in the event of any incidents or when you need to conduct internal audits.
The process for measuring your information security objectives can also be detailed in your policy. This would typically include who is responsible for measuring whether the objectives have been achieved, as well as who the results would be reported to and how often.
To keep the policy relevant and up to date, it has to be subject to regular reviews. There would typically be a designated member of staff who reviews it and makes amendments if necessary. If you don't keep your policy up to date, it can soon fall behind and become irrelevant.
An ISO 27001 Information Security Management System is a systematic and proactive approach to effectively managing risks to the security of your company's confidential information. You can find out more about ISO 27001 by visiting our page here. Alternatively, you can speak to a member of our team on 01905 670303 or email@example.com.
Thursday 8th – 9th February 2018
9.30am – 4.30pm
No quality management system can achieve its potential unless it is constantly monitored and audited. An audit is a review (or a check) of the Management System and its compulsory elements. It is a snapshot of the activities that a company undertakes to prove compliance with the standard at the time of the audit. This interactive two-day training course will teach you the tools and techniques of the internal auditor.
You will learn how to conduct an effective audit and how to use audits to achieve continual business process improvement; the course will also assist your staff in identifying any gaps that may challenge the effectiveness of your quality management system.
There will also be a question and answer session, a live audit and a test to certify the auditors, with a certificate awarded for successful completion.
Find out more information about the course and book your place here.
If you haven’t joined already – what are you waiting for?
ISO news, training updates and offers, meet the ISO QSL team and connect with other like-minded individuals.
Visit our LinkedIn Page: ISO QSL LinkedIn Company page
Visit our Twitter Page: @ISOQSL
Take your pick of a £50 donation to Midlands Air Ambulance, a case of wine or a £50 Marks & Spencer’s Voucher!
(To qualify for this you must refer a successful lead.)
To offer your referrals please contact – firstname.lastname@example.org or 01905 670303.
ISO Quality Services Ltd is proud to specialise in the implementation and certification of the internationally recognised ISO and BS EN Management Standards.
Alternatively, you can request a quote by filling out our enquiry form and a member of our team will be in touch shortly.