Search results


  • Question regarding Data Breach Response Team

    A data breach is defined in Art 4 GDPR – Definitions – as a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”. According to Article 33 GDPR – Notification of a personal data breach to the supervisory authority – the data breach should be reported to the Supervisory Authority “unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”. When you assess the risks related to the rights and freedoms of data subjects, you need to ask what could happen to the data subject if the compromised data were exposed.

    If an email account is compromised, there are significant risks of conversations being exposed and of email addresses being exposed, attacked, or abused. All these risks need to be assessed and documented before deciding whether to report them to the authority. In any case, the supervisory authority requires each data controller that reports a data breach to give all the details related to the data breach, including the likely consequences for the affected data subjects.

    In the EU GDPR Premium Documentation Toolkit, in directory 12 – Personal Data Breaches – there are two templates to help you: a procedure for Data Breach Response and Notification and a Data Breach Notification Form to the Supervisory Authority. If you fill in all the details in these two documents, you will know better whether to report the incident to the supervisory authority or not.

    Please also consult these resources:

  • ISO 27002 changes

    Please note that ISMS audits are based on ISO 27001, not on ISO 27002.

    Considering that, until the changes made in the new ISO 27002 are incorporated into ISO 27001 Annex A, ISMS audits can be based on the currently valid version of the ISO 27001 standard.

    This article will provide you with a further explanation about the new ISO 27002:

    - 11 most important facts about changes in ISO 27001/ISO 27002 https://advisera.com/27001academy/blog/2022/02/09/iso-27001-iso-27002/

  • Undocumented Controls

    Please note that by “All required ISO 27001 documents” we mean that our ISO 27001 Documentation Toolkit covers all mandatory documents and some documents that are not mandatory. The controls you listed do not need to be documented according to the standard, and in our opinion it would be an overhead to document each and every one of them in a small company.

    Our toolkit is created specifically for smaller companies that want to implement ISO 27001 in a quick way, without unnecessary paperwork; for larger companies that require more documents, we recommend getting some other solution.

    This article will also help you:

  • Continuous responsibilities

    Please note that “continuous responsibilities” refers to tasks without a specific deadline (i.e., they must be performed for as long as the ISMS is in use) that are performed on demand.

    Considering that, you should consider such a task as done for a specific demand when you generate the related evidence that it was performed.

    For example, the task “Identify all legal, regulatory, contractual, and other requirements related to interested parties that can affect or be affected by information security management” is considered “done” when you update the Register of Requirements module.

  • Task Link Issue

    Please note that regardless of whether you use the wizard to review or approve the document or not at the time of receiving the document review task, the checkpoint for the definition of the date of the next review is the date of approval of the document.

    This means that the tasks are created every x months (depending on what you have defined as the update frequency in the properties tab) from the date of approval.

    For example, if you approved the document on March 1, 2021, and the update frequency is 6 months, then a new review task will be created every 6 months from March 1, regardless of whether you proceed with the review through the wizard or not.

  • Document Set

    The Advisera GDPR toolkit includes all the documents needed for you to complete your GDPR-compliance journey. Since you are processing special categories of personal data (health data), I recommend performing a Data Protection Impact Assessment, per Article 35. As part of the Advisera GDPR Toolkit, there is a DPIA Methodology document that can help you. Also, you need to consider informing the data subjects affected by these transfers. As part of the GDPR Toolkit, there are templates for Privacy Notices.

    As an American company, you need to check whether you are subject to the FISA 702 US Regulation. If yes, you need to take additional measures in order to protect EU data, according to Chapter V of the GDPR – TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS. The best transfer mechanism to use in this case is the EU Standard Contractual Clauses, per Article 46 – Transfers subject to appropriate safeguards, but you need to take additional measures such as encryption of data at rest and in transit, with the key stored on a server in the EU.

    The risks would be clearly reduced if you had full storage of the data on EU servers managed by an EU organization.

    Please also consult these resources:

  • Risk register is not effective

    Thanks for the tips and points to enhance the risk register; however, 140 risks is a huge number to maintain regardless of the treatment. I'm expecting something around 20 risks max to be easily maintained, especially for the main dimensions of security controls under CIA. In addition, ISO does not insist on including assets in risk handling.


  • ISMS

    1. Within the document of the scope of the ISMS, in point 3.3 Networks and IT infrastructure, should the network segments and IT infrastructure (routers, switches, etc.) be fully detailed, or is it enough to place a graphic of our network diagram?

    A general description of networks and IT infrastructure, like a network diagram, is enough to include in the ISMS scope document.

    For further information, see:

    2. In the ISMS implementation project plan Doc, point 3.1 Project objective, can the date that is set as a limit be changed as the ISMS implementation progresses, or should that date not be changed once it has been defined?

    The information in the Project Plan document, such as the implementation deadline, can be changed as the ISMS implementation progresses. You only need to ensure that you get proper approvals and communicate with the people affected by the changes.

    3. In the ISMS Implementation Project Plan Doc, point 3.4.2 Project Manager, can two or more people be designated as project manager, or can it only be one person?

    For small projects, a single project manager should be considered the main alternative (in many cases there won’t be enough work to justify designating more than one project manager). When more than one is designated, you need to make their responsibilities and authorities clear, to avoid overlap.

    For further information, see:

    4. In the ISMS implementation project plan Doc, point 4 Management of saved records, within the table should only the project plan document be detailed, or should all ISMS documents be detailed (e.g., scope document, security policy, etc.)?

    In section 4 of the Project Plan document, you need to include only the documents related to the management of the project, not the project’s deliverables. Project progress reports are examples of records related to this section.

  • Audit questions for purchasing department

    The name “Purchasing” has been changed to “Control of externally provided processes, products, and services” in the ISO 9001:2015 and IATF 16949:2016 standards.

    Therefore, standard item 8.4 and all its 8.4 sub-items describe the purchasing process. You should prepare your questions for the purchasing process, including all items of 8.4.

  • ISO 22301 - 4.2.2

    To see a procedure that covers the identification of requirements compliant with ISO 22301, please take a look at this demo: Procedure for Identification of Requirements https://advisera.com/27001academy/documentation/procedure-for-identification-of-requirements/

    The purpose of this document is to define the process of identification of interested parties, as well as statutory, regulatory, contractual, and other requirements related to information security and business continuity, and responsibilities for their fulfillment.

    This article will provide you with a further explanation about the identification of requirements (the same concepts apply to ISO 22301):
