Search results


  • Scope and certificate

    Answer:

    Any ISO certificate has a description of the scope of the management system. Please check if the scope of the QMS of the main campus includes your facilities. Sometimes management decides that certification is just for one part of the activities (like a hotel that does not include the restaurant and the pool), sometimes the same certificate is applicable to one organization with different sites.

    The following material will provide you with more information about the scope:
    - How to define the scope of the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
    - [free course] ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - [free course] ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - book - ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/
  • Toolkit content and SoA

    method of identification of the other party
    authorizations to access information
    ensuring non-repudiation
    technical standards for data transfer
    incident response
    labeling and handling sensitive information
    copyright

    Answer: These items aim to ensure specific clauses in information exchange agreements are included to protect information sent to other parties. General examples of clauses related to these bullets are:
    - method of identification of the other party: "a representative of the organization's partner authorized to receive information must present a functional badge with his name and job title as identification"
    - authorizations to access information: "only personnel authorized by partner's
  • Rules for identification, collection and preservation of evidence

    In which part of the document: Validity and document management;
    What is my question: What criteria must be considered for the effectiveness and appropriateness of the document?

    Answer:

    Regarding the rules for identification, collection and preservation of evidence, the criterion to be considered, among those included in this section of the template, is the "number of incidents for which evidence for legal action was inadequate", where the target number of incidents must take into account the incident history of your organization, or a number considered a reference by your industry.
  • Certification as a Lead Implementer and Lead Auditor
    With that background information, I have a question about certification as a Lead Implementer and Lead Auditor: is there an order in which one of these two certifications should be obtained before the other? I believe that in the immediate future Lead Implementer would be the more useful of the two for me, but is Lead Auditor certification a prerequisite for Lead Implementer?

    Answer:

    There is no mandatory order in which to pursue Lead Implementer and Lead Auditor certifications (in fact you can go for one certification and not for the other, because there is no prerequisite relation between them), so you must consider your personal and business objectives to define the proper approach.

    If you plan to implement an ISMS, then you should go for Lead Implementer certification, but if you plan to work as an auditor, then Lead Auditor would probably be better for you.

    These articles will provide you further explanation about ISO 27001 certifications:
    - What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
    - Lead Auditor Course vs. Lead Implementer Course – Which one to go for? https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/
  • GDPR Data Consent and Storage

    Answer:

    Visitors shouldn't be able to see who has signed in books before. This would mean that the personal data of the individuals signing in the books is disclosed to unintended recipients and the situation is considered a data breach.

    2. What happens if somebody walks off with your visitors’ book? I’m afraid this is also a breach of data security and confidentiality.

    Answer:

    Walking off with the register will be considered a data breach.

    3. If a visitor exercises their GDPR ‘Right to be forgotten’, verbally or in writing, you must erase/delete their personal information. How do you achieve this in your visitors’ book? Rip out a whole page?

    Answer:

    You could just redact the name of the visitor using a black marker or move to an electronic register.

    4. How long does your visitors’ sign-in book sit in your reception?

    Answer:

    As mentioned before, the registry should not just sit in the reception to be consulted by everyone as that in itself is a data breach. The retention period in this case is something you need to establish by yourself depending on the types and categories of personal data you hold and the reasons for keeping the data. For example you could refer to the statute of limitations period in your local legislation.

    5. How is it stored? What happens to the book when it’s full? If used visitors’ books are stored in a desk or cupboard, you’re in breach of GDPR because you’ve kept the information longer than necessary after the visitor has left, especially if they’re unlikely to return.

    Answer:

    When the register is full you just switch to a new one and archive the old one. Both registers, the one in use and the one which is archived should be kept secure and not made available to unauthorized persons.

    6. Do you explain to each visitor how their information will be used, then gain the permission required under GDPR’s ‘Data consent and storage’ requirements before visitors sign your book?

    Answer:

    You can display a printed Privacy Notice at your reception so everyone can see it and consult. There is no need to verbally inform everyone. You can find more information about Privacy Notices in our free webinar Privacy Notices under the EU GDPR: https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/

    7. Can you prove that each visitor has given their consent before they signed?

    Answer:

    You won't be relying on consent as a lawful ground for processing the data of the individuals borrowing or consulting your books. I strongly recommend that you use legitimate interest and in this case providing an adequate Privacy Notice will most likely suffice.

    8. Do you need all the information that is stored in your visitors’ book? GDPR stipulates that you can only collect required information. Does the information you need about each person vary according to visitor type? How does your visitors’ book help you manage this? Or does it hold the same information about each person who visits your premises?

    Answer:

    I don't know what information you are asking from the visitors so I cannot provide you with an accurate answer. However, you need to consider the reason for asking the information. For example, if you only collect the information to be able to count how many people visited you, most likely name and surname will suffice.

    If you collect the information to be able to identify with certainty who borrowed a specific book to be able to take legal action to recover the book you may need to collect more information.

    All the purposes for which you collected personal data must be clearly explained in your Privacy Notice.

    If you want to find out more about the EU GDPR requirements then check out this free EU GDPR Foundation Course: https://advisera.com/training/eu-gdpr-foundations-course//
  • ISMS measurement

    Answer:

    Without more details about the nonconformity, what I can suggest is to check which objectives were defined for the ISMS (see clause 6.2) and how you can verify whether they are being achieved (see clause 9.1):
    - Which monitoring methods were defined?
    - When must monitoring be performed?
    - Who must perform the monitoring?
    - When must the results of monitoring be analyzed and evaluated?
    - Who must analyze the results of monitoring and evaluation?

    These articles will provide you further explanation about measurement:
    - ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
    - How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/
  • Incident management procedure

    Record: Rules for the identification, collection and preservation of evidence
    My question: What is the storage duration? The template doesn’t say anything about it.

    Answer:

    Retention time for evidence will depend mostly on the laws and regulations your organization has to comply with, so you must consult those identified on the list of legal requirements to have a precise definition for this retention time, but a good start is to retain evidence for at least three years (the period of an ISO 27001 certification).

    This article will provide you further explanation about record management:
    - Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
  • Cloud Services Agreement Guidelines

    Answer:

    I'm sorry about this confusion - the "Cloud Services Agreement Guideline" is not a document in the toolkit.

    The term "Cloud Services Agreement Guidelines" refers to definitions (i.e., clauses) you can find in cloud services agreements you have signed with your hosting providers, applicable to a control (e.g., a clause defining how backup must be executed or where backup copies must be stored), so it can refer to one or more documents.

    In the toolkit the document that can help you to include such guidelines in cloud service agreements is the Security Clauses for Suppliers and Partners: https://advisera.com/27001academy/documentation/security-clauses-for-suppliers-and-partners/

    This article will provide you further explanation about security clauses:
    - Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
  • ISO 45001: A brief history

    Great information, Mark.

  • GDPR Questions

    We've received additional questions:

    >1. What is the difference between Privacy Notice and Personal Data Protection Policy?

    Answer:

    The GDPR increases the amount of information you need to include in your privacy notices. The information is provided to the data subject through Privacy Notices. Notices must also be concise and intelligible and provide the information required under art. 13 and 14 of the GDPR. On the other hand, the Data Protection Policy, as stated previously, is a statement of the company to process data in accordance with the GDPR and its principles. So both the purposes and the audience are different.

    >2. What is the difference between Employee Privacy Notice and Employee Data Protection Policy?

    Answer:

    Keeping in mind the description and purpose of a Privacy Notice, note that the Employee Privacy Notice is tailored to be used for informing the employees what the company usually uses their personal data for. The Employee Data Protection Policy is a document which sets up the rules for processing personal data by the HR department.