Search results

  • How to fill out "Appendix 1 - List of Legal, Official, Contractual and Other Requirements"

    Here is a practical example of how to fill the List of Legal, Official, Contractual and Other Requirements template:

    Consider that a customer named Jon has a service level agreement with your company which defines, in clause 32-b, that access to all information provided by the customer to information system ABC is restricted to customer personnel only. In this case, the person responsible for system ABC is responsible for ensuring the system's compliance with this requirement. Then your document would look like this:

    Interested party: Customer Jon
    Requirement: Clause 32-b (Information provided to system ABC is restricted to customer's personnel)
    Document: Service level agreement
    Person responsible for compliance: System ABC administrator
    Deadline: when system ABC is made available for customer use

    Besides Service Level Agreements, you should consider laws and regulations applicable to the locations where you operate in the same way described in the example (i.e., identifying interested party, requirement, document, etc.). For the identification of specific requirements for your organization we recommend you seek expert legal advice.

    Regarding the example for the ISMS scope, it can be defined in terms of information, location or process to be protected, and here are some examples:

    • The ISMS scope is the customer and Research and Development data of organization ABC.
    • The ISMS scope is the Headquarters of organization ABC.
    • The ISMS scope is the software and development process of organization ABC.

    By the way, included in your toolkit you have access to a video tutorial that can help you develop the scope, with real data examples.

  • IEC 62366-1 question

    No, this standard ISO 62366-1 is applicable for all types of medical devices. 

  • Guidance for dealing with "old" devices

    Your guidance is the MDR itself. It means that if you are a class I device, from 26th May 2021 you need to be in compliance with the MDR. The only excuse for that is the implementation of the UDI number, which must be applied until May 2025, as stated in Article 123 Entry into force and date of application.

    For more information, see:

    EU MDR Article 123 Entry into force and date of application https://advisera.com/13485academy/mdr/entry-into-force-and-date-of-application/

  • Erasure request refusal

    1. Hello, I have contacted a company that manages a messaging app I used in the past to request information about exercising my right to erasure (Article 17(1) GDPR), since they say they're GDPR compliant. In particular, my question to them was about having my messages/posts (private and public) deleted when they close my account. They say they would refuse to delete these messages, since they argue that would interfere with other users' right to free expression and information (Article 17(3)(a)), as there would be gaps in the conversations potentially leading to misinterpretations or the lack of important context.

    My questions to you are:

    Are the messages and posts I sent through the app considered personal data under GDPR to the extent that the app would have to delete them under request?

    The right to be forgotten or the right to erasure is not an absolute right; it depends on the data controller’s retention schedule, which must be based on one of the six legal grounds for processing personal data (storage is a data processing operation).

    Related to your question, yes, messages and posts that you submitted through the app are considered to be personal data.

    You can find more details at this link:

    2. Is the exception in Article 17(3)(a) a valid ground for refusing this request in this case?

    In my opinion, Art 17 (3) (a), which specifies that the right to be forgotten does not apply when exercising freedom of expression, is not a valid ground for refusing your request in this case. This article should be invoked only when the processing of personal data is done solely for journalistic purposes, or for the purposes of academic, artistic, or literary expression. The data controller could take technical and organizational measures to fulfill your request, such as anonymizing your identifiers – name, surname, username, nickname, etc. For example, they could change your username to something like anonymous_user and modify all your posts/comments and answers to your posts/comments. If they cannot do this, it would mean that the data controller is in breach of Art 25 GDPR, Data protection by design and by default, which states that “the controller shall, […], implement appropriate technical and organizational measures, […], in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.”

    You can find more details at these links:

    To learn more about the right to be forgotten, see this free online training: GDPR Foundations Course https://advisera.com/training/eu-gdpr-foundations-course/  

  • Identifying Assets

    This is a valid approach, but you need to be careful not to make your asset register unnecessarily complex.

    For example, a data loss risk is applicable to all these assets, and with your approach, you will need to create this risk for each asset.

    In this case, you may use an asset called “customer data” and include this data loss risk only once and use the specific assets only to specific risks (e.g., SQL injection risk is applicable only to “Customer data in SQL database”).

    This will prevent a risk from being repeated only because it also applies to the multiple forms that information can take.

    This article will provide you with a further explanation about the asset register:

  • IR35 compliance and ISO 27001

    I’m assuming you are referring to the UK legislation to combat tax avoidance by workers, and the firms hiring them.

    We are not legal experts, so you should seek local expert advice for a more definitive answer, but provided the contractors only need to follow rules related to information security applicable to all contractors (whether or not they are a personal services company), and do not need to follow other rules applied to your own employees (e.g., defined working hours), you may be able to classify them as not employees.

    Some conditions you should consider to evaluate IR35 applicability are:

    • Control: what degree of control does the client have over what, how, when, and where the worker completes the work? (the less control the client has, the less applicable IR35 is)
    • Substitution: is personal service by the worker required, or can the worker send a substitute in their place? (if substitution is possible, IR35 is less applicable)

  • Grouping of Assets in Risk Assessment Table

    Both approaches are accepted by the standard. As a tip for planning on how to group assets, you should consider assets that share similar risks.

    For example, you can have development PCs, Sales PCs, etc. In case all desktops share the same risks, you can use your “PC's Office x” approach.

    This article will provide you with a further explanation about the register of assets:

  • A.15 Control section

    I’m assuming that by Y2005 and Y.2013 you are referring to versions 2005 and 2013 of ISO 27001.

    Considering that, there is no official explanation for this change, but most probably the change was made to make the application of the control clearer.

    ISO generally uses the term “third party” for an entity that is independent of the organization, like customers, suppliers, business partners, government, etc.

    Since the controls from ISO 27001 Annex A are related to suppliers, it makes more sense to change the section name to reflect this situation.

    This article will provide you with a further explanation about supplier security management:

    - 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

  • Naming of ISO 27001 Annex

    ISO 27001 Annex A is directly related in numbering to ISO 27002 (a non-mandatory standard which provides guidance for implementation of Annex A controls), and sections 1 to 4 in ISO 27002 do not cover controls:

    0 Introduction
    1 Scope
    2 Normative references
    3 Terms and definitions
    4 Structure of this standard

    From section 5 onwards, the section title is the same as that of the respective ISO 27001 Annex A section. For example, both the ISO 27001 Annex A.5 section and ISO 27002 section 5 are titled “Information security policies”.

    This article will provide you with a further explanation about ISO 27001 and ISO 27002:

    - ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/

  • GDPR and drones

    Yes, GDPR applies to drone usage when drones record images of people. If this recording is for scientific research, according to article 89 (2) GDPR you might qualify for a derogation from GDPR requirements related to processing for scientific research. However, recital 156 requires you to make sure you have implemented the necessary controls to ensure data minimization and data pseudonymization, or even anonymization of personal data once the purpose of processing is fulfilled.

    Find more details about GDPR requirements at the following links:
