Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11277 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
NPS form - GDPR Rules
If the purpose of processing is the same as that the email was given, you can use the emails. You need to evaluate if your clients can reasonably think that he/she is going to receive those surveys. If the answer is not, you will need consent, otherwise, you can send the NPS survey.
-
How does German law GDPR apply to online surveys?
EU GDPR is a general regulation that applies all across Europe. However, EU Member States German Data Protection law has implemented the EU GDPR in some specific fields, like employment, health data, children data, consumer protection, etc. You need to consider the purpose of processing and how you will process those data. Are you asking for information about a particular category of personal data? I.e., is the survey on political opinions or sexual orientation?
You need also to consider if the data collected are anonymized, if they are transferred and if there is any personal profiling or automatic decision.
All these elements will have an impact on how the GDPR will apply to the online survey.
Here you can find more information about German data protection law, GDPR, and the data processing
- EU GDPR vs. German Bundesdatenschutzgesetz – Similarities and Differences: https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-vs-german-bundesdatenschutzgesetz-similarities-and-differences/
- Is consent needed? Six legal bases to process data according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/
- Everything you need to know about the GDPR Privacy Notice: https://advisera.com/articles/gdpr-privacy-notice-6-key-elements-to-include/
If you want to learn how to comply with EU GDPR requirements you may consider enrolling in our free training EU GDPR Foundations course: https://advisera.com/training/eu-gdpr-foundations-course//
-
Section about intended use
Intended use is covered in the Technical file Integrated and both in the Clinical evaluation plan and Clinical evaluation report.
-
Relation between ISO 27001 and the IS strategy
Please note that the standard itself states in its introduction that adopting an information security management system (ISMS) is a strategic decision for an organization.
Considering that, using ISO 27001 to implement an ISMS, can be seen as an unfolding of the Information Security (IS) strategy, i.e., as a tactical element (because an ISMS can be implemented using other frameworks like NIST Cyber Security Framework - CSF).
These articles will provide you a further explanation about ISO 27001 application:
- Should information security focus on asset protection, compliance, or corporate governance? https://advisera.com/27001academy/blog/2017/03/13/information-security-focus-asset-protection-compliance-corporate-governance/
- Aligning information security with the strategic direction of a company according to ISO 27001 https://advisera.com/27001academy/blog/2017/02/20/strategic-direction-of-a-company-according-to-iso-27001/
These materials will also help you regarding ISO 27001:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
-
Wordage to make the below (EU GDPR) into the UK GDPR equivalent
The wording to be used is the UK General Data Protection Regulation (UK GDPR). It is enforced by the Data Protection Act 2018.
The name is similar because it comes from the EU Withdrawal Act 2018 which allowed the UK Government to retain EU legislation making some adjustments to adapt to the domestic legal system, so they changed any reference to the EU with reference to the UK.
-
ISO 27001, ISO 20000, ISO 9001 question
1. Is there a possibility to integrate ISO 9001 with 20000 or this is not recommendable? If this is not recommendable, how will the usage of the three management systems according to the three standards (9001, 20000, 27001) be facilitated?
ISO 27001, ISO 20000, and ISO 9001 share some common requirements that can be fulfilled by the same documents with minor adjustments (this makes integration highly recommendable), like document control procedure, internal audit, and management review. For requirements specific to each standard, you will need to develop specific documents.
There is no specific procedure for such integration, but broadly speaking you can follow the steps to implement ISO 27001 and use the following material to identify when common requirements can be integrated:
- ISO 27001 vs. ISO 9001 matrix (PDF) https://info.advisera.com/9001academy/free-download/iso-9001-2015-vs-iso-27001-2013-matrix
- ISO 27001 vs. ISO 20000 matrix (PDF) https://info.advisera.com/27001academy/free-download/iso-27001-vs-iso-20000-matrix
For further information, see:
- Using ISO 9001 for implementing ISO 27001 https://advisera.com/27001academy/blog/2010/03/08/using-iso-9001-for-implementing-iso-27001/
- How to implement ISO 27001 and ISO 20000 together https://advisera.com/27001academy/blog/2015/03/16/how-to-implement-iso-27001-and-iso-20000-together/
- How to integrate ISO 27001 and ISO 20000 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-integrate-iso-27001-and-iso-20000-free-webinar-on-demand/
2. What outcomes could be expected within the certification process provided that we have developed the systems in compliance with the applicable standards:
a. One integrated management system?
b. Separate systems for each of the three standards?
c. One system for 27001 and one system integrating 9001 and 20000, each of them with different scope?
Please note that this answer will depend on your chosen certification body because some of them are able to perform integrated systems certification audits.
Considering that, you need to contact your chosen certification body so you can clarify this information with them.
This article will provide you a further explanation about certification audit:
- Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/
These materials will also help you regarding certification audit:
- Preparing for ISO Certification Audit: A Plain English Guide https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/
- ISO 27001/ISO 22301: The certification process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/
-
Describing assessment of confidentiality
1 - Doesn't ISO 27001 have to describe an assessment of confidentiality, integrity and availability? In the risk analysis, I only evaluate according to threat and weakness. These have an effect on confidentiality, integrity and availability.
Please note that ISO 27001 does not prescribe any approach for risk assessment so organizations can choose the method that better suits their needs.
Considering that, if your chosen method complies with the requirements of clause 6.1.2 (Information security risk assessment) it is acceptable by standard’s requirements.
In your case, if you assess threats and weaknesses in terms of loss of confidentiality, integrity, and availability of information, then your approach is compliant with this requirement of the standard.
In case you are looking for a reference for information security risk assessment and treatment, you can consider ISO 27005, the ISO standard for information security risk management.
To see how a risk assessment and treatment methodology compliant with ISO 27001 looks like, please access the free demo of this template: https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/
This article will provide you a further explanation about risk assessment:
- ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
These materials will also help you regarding information security risk management:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
2 - For example, I find the Business Impact Analysis at the BSI. Don't I have to do this in ISO 27001 as well?
Please note that ISO 27001 does not require Business Impact Analysis to be performed. ISO 27001 core processes are risk assessment and risk treatment. Business Impact Analysis is a requirement for ISO 22301, the ISO standard for the management of business continuity.
For further information, see:
- Risk assessment vs. business impact analysis https://advisera.com/27001academy/knowledgebase/risk-assessment-vs-business-impact-analysis/
-
Interested parties, external and internal
ISO 27001 main clauses do not require organizational context and interested parties to be documented, only that they are taken into account when defining the ISMS framework.
However, in case you find control A.18.1.1 (Identification of applicable legislation and contractual requirements) applicable to your ISMS, you need to document requirements, and for practical purposes, it is best to document requirements together with their respective interested parties.
To see how a list of ISMS requirements compliant with ISO 27001 looks like, see the free demo of this List of Legal, Regulatory, Contractual and Other Requirements template: https://advisera.com/27001academy/documentation/list-of-legal-regulatory-contractual-and-other-requirements/
This article will provide you a further explanation about ISO 27001 mandatory documents:
- List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
These articles will provide you a further explanation about organizational context and interested parties:
- How to define context of the organization according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
- How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
These materials will also help you regarding organizational context and interested parties:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
-
Assessing maturity level of ISO/IEC 27001 implementation
Although there is no specific model for assessing the maturity level of ISO/IEC 27001 implementation, some models you can use with minor adaptations are:
- COBIT
- CMMi
- OPM3
- SSE-CMM
- ISO/IEC 15504
This article will provide you a further explanation about the use of maturity levels:
- Achieving continual improvement through the use of maturity models https://advisera.com/27001academy/blog/2015/04/13/achieving-continual-improvement-through-the-use-of-maturity-models/
These materials will also help you regarding ISO 27001:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
-
ISO 14001 legal cadastre
Setting up a database of compliance obligations may differ from country to country because legal and regulatory information may be more or less accessible in terms of easiness and completeness.
Start with your environmental assessment to determine environmental aspects and impacts. Then, you have to search the list of legislation applicable to your organization concerning each environmental aspect and impact. In my country, I use the services of an organization that sends me an email every day informing if there are changes in legislation at local, national and European Union level. Through them, I have access to all the environmental legislation of my country. I know organizations that have a similar service from their sector association, or some legal service from lawyers’ firms. Other organizations keep the information updated by searching frequently if any new or revised law was published.
You can find more information below:
- How to create an ISO 14001 list of legal and regulatory requirements - https://advisera.com/14001academy/blog/2019/11/04/iso-14001-legislation-checklist-how-to-create-it/
- Demystification of legal requirements in ISO 14001 - https://advisera.com/14001academy/blog/2014/10/01/demystification-legal-requirements-iso-14001/
- Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
- Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/