Search results


  • Information Security Games & Quiz for Employee Awareness

    Sure, you can use our Information Security Awareness videos, which also have short quizzes; you can find them here: https://advisera.com/training/awareness-session/security-awareness-training/ 

    If you want to track centrally how your employees are performing on the quizzes, you will need a Company Account; you can open a free trial here: https://advisera.com/training/etraining-company-account/ 

  • Privacy notice & data retention

    1. Do we need a special privacy notice for all kinds of contact sources (website, email, etc..) or is one enough?

    If the personal data collected and the purpose for which it is used are the same, you can have just one privacy notice. However, within the notice you need to mention the sources from which you collect the personal data.

    2. In the Data Retention Policy - are the retention periods defined within this document?

    Retention periods are usually mentioned in local laws such as Tax Law or Labor Law. If you cannot find a retention period in local laws, you can establish one yourself, taking into account the data minimization principle.

    3. In the Inventory of Processing Activities - are there some examples of those processing activities given, or is this maybe covered with the email support - for example, if we ask the expert to give advice for that?

    The Inventory of Processing Activities in the GDPR Documentation Toolkit has some comments embedded to help you understand what you need to fill in. There is also a guidance document included in the toolkit. If you decide to purchase the toolkit, depending on the version you buy, you also get some consultancy hours as well as documents reviewed by our experts. More details on the GDPR toolkits may be found at https://advisera.com/eugdpracademy/pricing/ Just click on “See details”.

    4. What is the maximum amount of time to respond to data subject requests?

    The standard response time to a request is one month; however, if the request is complex, the deadline can be prolonged by 2 more months.

  • EU GDPR - DPO, DPIA & other questions

    1. How does an organization establish whether it needs a DPO or not?

    Appointing a DPO is mandatory if (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; or (b) the core activities of the legal entity consist of processing operations which, by their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the legal entity consist of processing on a large scale of special categories of data pursuant to Article 9 of the EU GDPR and personal data relating to criminal convictions and offenses referred to in Article 10 of the EU GDPR.

    2. Does the DPO need to be an employee, or can it be outsourced as well?

    Both options work. The DPO can be an employee or it can be outsourced. The most important thing is that the DPO is independent and given adequate resources.

    3. What would be the position of the DPO in the company organizational chart?

    According to art. 37 of the GDPR the DPO should directly report to the highest management level of the controller or the processor. If you want to find out more about the tasks of the DPO check out this free webinar Role of the DPO according to EU GDPR (https://advisera.com/eugdpracademy/webinar/role-of-the-dpo-according-to-eu-gdpr-free-webinar-on-demand/).

    4. What would be the job description applicable to the DPO?

    Article 39 of the GDPR describes the main tasks of the DPO. However, you can find a more detailed Task description in our EU GDPR Documentation Toolkit (https://advisera.com/eugdpracademy/eu-gdpr-premium-documentation-toolkit/).

    5. Is there any easy way to establish the duration of a GDPR compliance project?

    The duration is closely linked to the size of the company as well as the processing activities. We have developed a duration calculator that might give you an idea of the time needed. You can find it at https://advisera.com/eugdpracademy/eu-gdpr-compliance-duration-calculator/

    6. What is the difference between a DPIA and a PIA?

    They are basically the same thing. Before the GDPR it used to be called a Privacy Impact Assessment, and after the GDPR it was called a Data Protection Impact Assessment. If you want to find out more about DPIAs, check out this webinar: Seven steps of Data Protection Impact Assessment (DPIA) according to EU GDPR (https://advisera.com/eugdpracademy/webinar/seven-steps-of-data-protection-impact-assessment-dpia-according-to-eu-gdpr-free-webinar-on-demand/).

    7. When does one need to perform a DPIA?

    A DPIA needs to be performed whenever a specific processing activity is considered to be a high risk to the rights and freedoms of the individuals.

    8. Are there any specific requirements in terms of encryption?

    Encryption is just a method to protect the personal data, and the GDPR does not impose a specific type of encryption; however, it does mention that it needs to be state of the art.

  • Internal Audit - Action Classification

    During an audit, auditors observe reality, collect audit evidence, compare it with the audit criteria, and raise audit findings.

    https://www.screencast.com/users/ccruz5284/folders/Default/media/4e2f836d-37ef-4c2f-a9cf-0bacad65d3da

    An audit finding can be one of three types:

    • Conformity 
    • Non-conformity (minor or major)
    • Improvement Opportunity

    Some auditors include in their audit reports the conformities found, i.e. a match between reality and the audit criteria.

    When audit evidence shows that reality does not follow the audit criteria, we have a non-conformity. A non-conformity implies the need for action. When we have a minor non-conformity, normally the action requested is a correction. When we have a major non-conformity, the action requested is a corrective action; in this case we need to remove the cause of the non-conformity.

    An improvement opportunity is a suggestion for action; there is no request and no obligation to act.

    The following material will provide you more information about non-conformities and audits:

    - Article - Major vs. minor nonconformities in the certification audit (here you can find a good description of the difference between the two types) - https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/
    - Article – How to write a good ISO 9001 audit nonconformity? - https://advisera.com/9001academy/blog/2018/04/24/how-to-write-a-good-iso-9001-audit-nonconformity/
    - Free webinar on demand - How to perform an ISO 14001:2015 internal audit - https://advisera.com/14001academy/webinar/how-to-perform-an-iso-14001-2015-internal-audit-free-webinar-on-demand/
    - Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/

  • Cost of the accreditation in terms of external assessment

    The assessment fees are set by each accreditation body. Typically the costs will involve an application fee, an annual fee, and the onsite assessment fee. These costs will depend primarily on your location (impacts on travel and accommodation costs for the assessors) and the scope of accreditation (number of test methods to be assessed as well as their complexity). The initial assessment involves a full assessment, where typically a team leader will assess the management requirements over two days and one or more technical assessors will be assigned to assess the technical competency over the same period. 

    Regarding your multiple sites, if they all fall under the same legal entity, and have the same scope of tests, there is a “sampling percentage” for assessment where on initial assessment all five sites will be assessed in full. Thereafter not all will be assessed during surveillance assessments, where a minimum of two of the five will be selected. 

    To obtain a cost estimate it would be best to contact the accreditation body that you will use, or look up the tariffs on their website. 

    Secondly, you mentioned the instruments and procedures were in place. It was not clear from your question if the management systems were established. If you need assistance with the implementation of ISO 17025:2017, the following may be of interest:

  • Business Impact Analysis

    Business Impact Analysis (BIA) is not required by ISO 27001, therefore the template for such analysis is not included in the ISO 27001 Toolkit. 

    The BIA is required by ISO 22301, so we included it in our ISO 22301 Toolkit. 

  • Cost of ISO 27001 certification and Internal auditor re-certification

    Here are the answers:

    I am trying to estimate the cost for ISO 27001 certification with my company

    Answer: The cost of certification depends on the size of your company (i.e. the number of employees) and the price per man/day of local certification bodies - the best thing is to ask for quotes from a couple of certification bodies to get a feeling for the price. Here's an article that can help you: How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/

    The cost of implementation of a standard will include several items, you can find the details here: How much does ISO 27001 implementation cost? https://advisera.com/27001academy/blog/2011/02/08/how-much-does-iso-27001-implementation-cost/

    I am trying to figure out for Internal auditor certification is there a requirement that auditors get recertified periodically?

    There is no requirement for periodic certification (or maintenance) of internal audit certification - once you get the certificate, it is valid indefinitely. Here you can find online ISO 27001 Internal Auditor Course with possibility of certification: https://advisera.com/training/iso-27001-internal-auditor-course/ 

  • Maintaining ISMS Certifications from a merging company

    It seems to me the change in your case is in location, but also in the legal entity. 

    For other information it is best that you consult with your certification body, I wouldn't like to speculate without detailed insight. 

  • Benefits of ITIL implementation

    Incident and Problem Management are always a good start, so you can't miss with them.

    Regarding Service Design - well, that depends on the situation inside your organization (e.g. do you have some form of Service Catalogue, how many services you have, how different they are, how many users you have, what their level of IT skills is, etc.). But the Service Catalogue is a must-have, and it's better to implement it as soon as possible.

    Here is the article with more details 

    Ready, steady… go – Starting ITIL implementation https://advisera.com/20000academy/blog/2014/06/10/ready-steady-go-starting-itil-implementation/

  • ISO 9001 implementation

    The first thing you must do is secure the support of top management, which is who will provide the resources, both financial and personnel, to carry out the implementation project.

    Next, perform a gap analysis in your organization to find out which requirements you already comply with and which ones you still need to comply with. You can carry out that analysis here - ISO 9001 Gap Analysis Tool: https://advisera.com/9001academy/es/herramienta-analisis-de-brecha-iso-9001/

    So that each of the requirements of the standard is clear to you, I recommend that you read the following free report, which will help you understand each of the clauses of ISO 9001 - Clause by Clause explanation of ISO 9001:2015: https://info.advisera.com/9001academy/free-download/clause-by-clause-explanation-of-iso-90012015

    Once you have this information, you can start writing a Project Plan, in which you set out each of the milestones of the quality management system implementation, as well as the deadlines, responsibilities, etc. Here you can download a free example of a Project Plan - Project Plan for the implementation of ISO 9001: https://info.advisera.com/9001academy/es/descarga-gratuita/plan-de-proyecto-para-la-implementacion-de-iso-9001-ms-word

    Once you have defined the Project Plan, you can start to define how you will carry out the control of documents and records of the QMS. Then you can determine the quality policy and objectives, the scope of the QMS... and so on until you reach the internal audit and the management review. You can download this ISO 9001:2015 Implementation Diagram, which shows all the steps in the implementation of ISO 9001:2015: https://info.advisera.com/9001academy/es/descarga-gratuita/diagrama-de-implementacion-iso-90012015

    These materials can also help you with the implementation of ISO 9001:2015:

    - Enroll for free in this course - ISO 9001:2015 Foundations Course - https://advisera.com/es/formacion/curso-fundamentos-iso-9001/

    - Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/  
