Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11272 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Questions on Retention Policies
1: Categories of recipients – maybe a dumb question but would this be the people that receive the data. For example, for a quantitative 13 minute survey where a third party is collecting the data. The recipients would be Ypulse employees? Because categories of data subjects would be Survey Panelists, and processor is the third party.
No. In this case, categories of recipients mean the other data controllers, joint data controllers, or data processors that receive personal data. Related to the example you provided, recipients would be the hosting company where the data would be stored, third-party partners that collect the data, and other third parties that need to process the personal data.2: Also, another silly question, but I believe the lawful basis for processing is Legitimate Interests. Although, we do provide marketing research services to companies via Presentations and PPTs that we deliver, and we provide consulting services based on the research we conduct. And we do have a contract/ SOW designed with our clients. Can you confirm this would still be Legitimate interest or if this would be more considered ‘contract’, as legitimate interest?
The lawful basis for processing in the example you provided should be either consent, if the participants are not remunerated for answering the survey, or the necessity to perform contractual clauses, if participants are remunerated for answering the survey (because there would be a contract in place between your company and the participants). In the case of legitimate interest, people should expect the processing to occur, and my opinion is that in this case, because you are doing quantitative research, it would be quite difficult to argue this legal ground for processing personal data.3: I am also not clear on what to add under this column: Data Protection Act 2018 Schedule 1 Condition for processing. I am not really sure what to add for this column. Can you advise on this one.
Data Protection Act 2018 Schedule 1 is related to processing special categories of personal data – like health, criminal convictions, etc. This column should be filled only if you process such categories of personal data, and in this case, you should identify what would be the condition of processing, namely Employment, Social Security, Social Protection, Health, Social Care, etc.For example, for Quan surveys?Or for when we are communicating with clients – this would be legitimate interest again?Or when we conduct qualitative surveys as well.
Please also consult these links:
- Article 9 GDPR – Processing of special categories of personal data: https://advisera.com/gdpr/processing-of-special-categories-of-personal-data/
- EU GDPR Glossary of Terms: https://advisera.com/articles/eu-gdpr-glossary/
-
Who should write mandatory documents in organization?
Nice
-
Retention for SIEM
The identification of such times will depend on the results of risk assessment and applicable legal requirements (i.e., laws, regulations, and contracts), considering each country you want to cover.
As a tip, you could define an initial time retention period (e.g., 1 year) and see if this would fit your business and legal needs, and adjust it in a case by case basis.
For further information, see:
- Logging according to ISO 27001 A.8.15 https://advisera.com/27001academy/logging-according-to-iso-27001/
- Risk treatment https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
-
Data leakage prevention
Unfortunately, such a template is not available. ISO 27001 does not require a specific document for data loss prevention, and it is not a commonly used document.
For the development of such a document, we suggest you consider the following topics:
- definition of responsibilities for data leakage prevention
- definition of steps for data leakage prevention
- definition of which type of information requires the application of data leakage prevention measures
- definition of technologies to be implemented for data leakage prevention
- definition of acceptable behavior for users regarding Internet use
Considering this suggestion, you can use the highlighted sections mentioned in the documents in the first answer to start your document.
-
Internal auditor selection
It means that you can hire an external auditor. But also, it means that no matter that you are a small company, you can audit each other. So, you do not need to have one internal auditor, but all of you can audit each other's work.
-
MDR classification
For the classification rules and help with the classification please see the following guidance:
- MDCG 2021-24 - Guidance on classification of medical devices https://health.ec.europa.eu/latest-updates/mdcg-2021-24-guidance-classification-medical-devices-2021-10-04_en
-
Drug-device combination product development and manufacturing
Each manufacturer of medical devices must be in compliance with ISO 13485 no matter the type and class of medical device. But, since MDR 2017/745 has additional requirements for quality management system, please look into the ISO 13485:2016/A11:2021.
-
Question about gap analysis
Please note that the standard does not require a gap analysis between two versions of the standard to be performed.
For analysis between these two versions, we suggest you these documents:
- ISO 27001 2013 vs. 2022 revision – What has changed? https://advisera.com/27001academy/blog/2022/02/09/iso-27001-iso-27002/
- Detailed explanation of 11 new security controls in ISO 27001:2022 https://advisera.com/27001academy/explanation-of-11-new-iso-27001-2022-controls/
- Main changes in the new ISO 27002 2022 revision https://advisera.com/27001academy/blog/2022/01/30/main-changes-in-the-upcoming-new-version-of-iso-27002/
This tool can also help you:
- ISO 27001:2013 to ISO 27001:2022 Conversion Tool https://advisera.com/insight/iso-27001-2013-to-iso-27001-2022-conversion-tool/
-
Surveillance audit
You can continue with the surveillance audit according to the ISO 27001:2013 standard by 10 August 2023.
But please note that you need to make the transition to the 2022 revision of the standard by October 31, 2025.
For further information, see:
- ISO 27001 2013 vs. 2022 revision – What has changed? https://advisera.com/27001academy/blog/2022/02/09/iso-27001-iso-27002/
-
Handling accidents
According to ISO 27001, the following controls are related to incident management:
- A.5.7 Threat intelligence
- A.5.24 Information security incident management planning and preparation
- A.5.25 Assessment and decision on information security events
- A.5.26 Response to information security incidents
- A.5.27 Learning from information security incidents
- A.5.28 Collection of evidence
- A.6.8 Information security event reporting
Please note that ISO 27001 does not prescribe details on how to manage incidents, only objectives that need to be achieved. For detailed guidance, you should look for ISO 27002, a non-mandatory supporting standard that provides explanations on the implementation of ISO 27001 Annex A controls.
To see how a document describing incident handling compliant with ISO 27001 looks like, please take a look at this demo: https://advisera.com/27001academy/documentation/incident-management-procedure/
For further information, see:
- How to handle incidents according to ISO 27001 A.16 https://advisera.com/27001academy/blog/2015/10/26/how-to-handle-incidents-according-to-iso-27001-a-16/
Please note that, even though this article is about old 2013 revision of ISO 27001, the principles in the article are still valid.