Here are the answers:
1. Is the classification of information based on confidentiality and integrity?
ISO 27001 control A.8.2.1 allows you to classify information according to legal requirements, value, criticality and sensitivity; therefore, you are not limited to confidentiality and integrity. However, in most cases, companies classify information based on confidentiality.
See also this article: Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
2. What's the purpose of information labeling? Is that just for informing internal employees?
The purpose is to inform anyone who gets in contact with classified information about the level of classification. Without the users knowing what the level of classification is, the classification itself wouldn't make sense.
3. Is it necessary to label all physical and electronic information?
You can declare the control A.8.2.2 Labelling of information as inapplicable if there are no related risks nor legal or contractual requirements.
Even if you declare this control as applicable, you can define the level of classification for particular types of information (e.g. applications) through a policy, so that labelling of such information is not needed.
ISO 27001 clause 6.1.1 does not require you to document how you manage opportunities (i.e. no written policy or procedure is needed), it only requires you to plan to address risks and opportunities.
In Advisera's toolkit, you will find the document "Risk treatment plan" placed in folder "07 Implementation plan" - there you should list all activities through which you address both risks and opportunities (since opportunities can be considered as "positive risks").
This article will give you a couple of examples of what opportunities are: How to address opportunities in ISO 27001 risk management using ISO 31000 https://advisera.com/27001academy/blog/2018/04/13/how-to-address-opportunities-in-iso-27001-risk-management-using-iso-31000/
My first piece of advice is to perform a Gap Analysis to get an idea of what needs to be done. Then, you can develop your implementation plan.
Be sure to invest your time in determining and evaluating environmental aspects and impacts; they are very important for the foundation of your environmental management system (EMS). Consider also this article with a checklist for implementing an EMS - List of ISO 14001 implementation steps - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/list-of-iso-14001-implementation-steps/
The following material will provide you with more information about aspects and impacts:
- ISO 14001:2015 Gap Analysis Tool - https://advisera.com/14001academy/iso-14001-gap-analysis-tool/
- Project Plan for ISO 14001:2015 implementation - https://info.advisera.com/14001academy/free-download/project-plan-for-iso-140012015-implementation-ms-powerpoint
- Free webinar on demand - ISO 14001: Identification and evaluation of environmental aspects - https://advisera.com/14001academy/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar-on-demand/
- Free webinar on demand - How to use a Documentation Toolkit for the implementation of ISO 14001 - https://advisera.com/14001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-14001-free-webinar-on-demand/
- Book – ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
1. What is the difference between consent and explicit consent?
Based on the EU GDPR, consent is a freely given, specific, informed and unambiguous indication of the individual's wishes. The controller must keep records so it can demonstrate that consent has been given by the relevant individual. This would be consent in general.
Consent must be explicit if you are processing special category personal data or transferring personal data outside the EU. This entails a degree of formality, for example, the individual ticking a box containing the express word "consent".
Explicit consent cannot be obtained through a course of conduct. If you want to find out more about consent check out this free webinar How to handle consents under GDPR: https://advisera.com/eugdpracademy/webinar/how-to-handle-consents-under-gdpr-free-webinar-on-demand/
2. What is the time limit and usual procedure when receiving a deletion request? What are the limitations regarding the time to respond to a request?
The time to answer a request from a data subject is usually one month, but it can be prolonged by another two months if the request is complex. If you want to find out more about answering requests, check out this free webinar Data Subject Rights under the EU GDPR: https://advisera.com/eugdpracademy/webinar/data-subject-rights-under-the-eu-gdpr-free-webinar-on-demand/
3. Do emails containing personal data need to be encrypted?
Not necessarily; however, if you are sending large quantities of personal data or special categories of personal data, you should consider encryption or other measures to secure the transfer.
4. If I want to make a complaint because my data is being used abusively, where do I need to go?
You can find a full list of contact details of all Supervisory Authorities in the EU at https://edpb.europa.eu/about-edpb/about-edpb/members_en
1. There are some suppliers, like couriers, that want to sign DPAs with us. Is this OK? Are couriers processors?
Couriers act as independent data controllers, so you need to sign a Controller to Controller Agreement. You can find such an Agreement in this EU GDPR Premium Documentation Toolkit: https://advisera.com/eugdpracademy/pricing/
2. Also, since we want to start working on our implementation in January, how much time do you think we need? How about resources?
Both the time and resources depend on various factors such as the size of the company and the activities it performs. We have developed some tools that allow you to calculate the duration and the costs of becoming compliant. Check out this tool: https://advisera.com/eugdpracademy/eu-gdpr-compliance-duration-calculator/
3. Being a shipping company do we need to register?
As far as I know, this requirement no longer exists. However, you should check out the website of the local Supervisory Authority as this is a local decision.
4. When we provide the notices to the crew members we are recruiting, do they need to sign them?
Privacy notices need to be made available to the data subjects, but not necessarily signed. You can make them available on your website, for example.
5. Are we allowed to keep the CVs for possible future arrangements?
Based on your legitimate interest or the candidate's consent, you can keep the CV longer. You need, however, to decide and assess which lawful ground would suit you best. You can find out more about Privacy Notices in this free webinar "Privacy Notices under the EU GDPR": https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/
6. And if yes, is there a time limit?
The GDPR does not provide specific retention principles; however, based on the minimization principle, personal data should not be kept for longer than needed to achieve the purpose for which it was collected. My suggestion is not to keep CVs for more than 1 year.
The most common way is to define process KPIs in a Turtle diagram. You can also use a strategic approach such as the Balanced Scorecard.
In the document where you have defined the processes, you can also set a KPI for each of them.
For each process, you can set the quality objective, and the KPI should be aligned with it.
For more information, please read our article: "How to write IATF 16949 Quality objectives" https://advisera.com/16949academy/knowledgebase/how-to-write-iatf-16949-quality-objectives/
So we have this software where people make recommendations to friends to buy goods, and in the process of buying with credit cards etc., customer information is disclosed. How can we make sure people don't use that info to hack, etc., other customers?
If credit card data is processed, you need to ensure that you are PCI compliant or that you use a third party that is PCI compliant.
Regarding the use of other personal data besides credit card data, you need to follow the GDPR principles and apply adequate security measures as per art. 32.
In summary: how do we protect customer data once a project goes live?
Another thing you need to consider is having adequate Terms and Conditions so the users have a clear view of what they can do and what is forbidden.
I would advise you to perform a Data Protection Impact Assessment before going live.
You can find out more about Data Protection Impact Assessment from this free webinar Seven steps of Data Protection Impact Assessment (DPIA) according to EU GDPR: https://advisera.com/eugdpracademy/webinar/seven-steps-of-data-protection-impact-assessment-dpia-according-to-eu-gdpr-free-webinar-on-demand/
Here are the answers:
Do we have to prepare documentation for each and every control mentioned in the SOA, or prepare only the mandatory documents (the ones mentioned in the attached list of docs)? ISO does not say to document each and every control.
Answer: As you mentioned, ISO 27001 does not require you to create a document for each control. You should prepare only the documents that are mandatory (e.g. Access control policy) + the documents that you think will be useful for you (for example, you might decide that BYOD Policy will be useful because lots of your employees are bringing their own devices). Bear in mind that if you declared a control as not applicable in your Statement of Applicability, then you do not have to write any document for it (even if it is marked as mandatory).
See also this article: 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
If we need to prepare only the mandatory docs, will other docs also be checked during the Stage 1 audit of ISO 27001?
Answer: The certification auditor will check all the ISMS documents you have written, it does not matter if they are mandatory or not.
See also: What to expect at the ISO certification audit: What the auditor can and cannot do https://info.advisera.com/free-download/what-to-expect-at-the-iso-certification-audit
While preparing the SOA, can we prepare only the docs which are relevant to the organization and exclude the ones which are not relevant to the organization?
Answer: As mentioned in the first answer, you need to write the documents that are mandatory + those that you consider useful for your company. You should exclude the documents that you did not find useful, but also the documents that are related to controls that you declared as not applicable in your Statement of Applicability.
You can find a more detailed explanation here: Backup policy – How to determine backup frequency https://advisera.com/27001academy/blog/2013/05/07/backup-policy-how-to-determine-backup-frequency/
Here you can find a template for the Backup Policy, you can also see a free preview: https://advisera.com/27001academy/documentation/backup-policy/
These materials will also help you regarding backup:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
It is difficult to provide advice without knowing what exactly your nonconformity was. In general, when you make changes to the existing contracts with your suppliers, you need to take into account the results of the risk assessment and how critical the data they have access to is.
See also these articles:
If you can provide more details on your nonconformity, I can give you a more precise guideline.