
  • Territorial scope of the GDPR


    Answer:

    The extraterritorial reach of the GDPR is one of the new features that contribute significantly to the increased level of protection of personal data. What does extraterritorial mean? Probably one of the most important changes is that the GDPR enjoys extended applicability, affecting entities not established in the EU. Of course, some conditions must be met for the extraterritoriality to be applicable. The EU GDPR applies to the processing of personal data of EU data subjects, regardless of whether the processing activities take place in the EU or not. The EU GDPR is also applicable to entities established outside the EU if they offer goods or services to individuals in the Union, or if they monitor the behavior of individuals in the Union (i.e., profiling activities, tracking individuals’ activities on the internet, etc.).

    The key to understanding when EU GDPR is applicable is understanding the meaning of “in the Union.” The EU GDPR will only apply to personal data regarding individuals within the Union, while the nationality or habitual residence of those individuals is irrelevant. For example, a company based in the EU which is processing the data of Japanese individuals located in Japan will still need to comply with the EU GDPR. Consequently, the Japanese individuals will be benefiting from all rights according to the EU GDPR, even if these rights do not exist in their own nation’s laws.

    When the data of EU citizens is processed outside of the EU by companies which are also outside the EU, then this is not considered to be “in the Union”. For example, the EU GDPR will not be applicable for a school which is based in the United States just because there is a possibility that one or several of its students would be EU citizens. In this case, the processing does not take place “in the Union,” nor is the individual “in the Union”.

    One of the consequences of the extraterritorial reach is that companies not established in the EU must appoint a representative. That representative must be based in a Member State in which the relevant data subjects are based. Only a limited derogation is permitted where the processing is occasional, does not involve large-scale processing of sensitive personal data, and the purpose and result of the processing is unlikely to be a risk to individuals.

    If you want to find out more about the EU GDPR check out this free EU GDPR Foundation Course (https://advisera.com/training/eu-gdpr-foundations-course//).
  • 27001 training


    Answer:

    Without more detailed information about the training you are referring to, it is not possible to give you a proper answer regarding discrepancies. What we can tell you now is that you should verify whether those are accredited courses. If they are, their content will be enough for you regardless of the price (so, you could go for the cheapest one).

    We'd like to offer you additional options to consider for ISO 27001 training and certification:
    - ISO 27001:2013 Lead Auditor Course https://advisera.com/training/iso-27001-lead-auditor-course/
    - ISO 27001:2013 Lead Implementer Course https://advisera.com/training/iso-27001-lead-implementer-course/
  • Handling residual risks


    Answer:

    Residual risks refer to the risks that remain after you apply all treatments you consider worthy, and you should consider these alternatives to treat them:
    - If the risk level is below the acceptable level of risk, then you do nothing besides getting acceptance of the residual risk by top management
    - If the risk level is above the acceptable level of risk, then you need to find out some new (and better) ways to mitigate those risks
    - If the risk level is above the acceptable level of risk, and the costs of decreasing such risks would be higher than the impact itself, then you need to propose to the management to accept these high risks.

    This article will provide you further explanation about residual risks:
    - Why is residual risk so important? https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
    - 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/
  • ISO 20000-1:2018 certification schedule


    Answer:
    No, you don't have a problem certifying against the 2011 revision of the standard.
    I would suggest continuing with certification according to the 2011 revision (I have such a project as well) and next year "upgrading" to the 2018 revision of the standard.
  • Template content - Policy for mobile devices and teleworking


    Answer:

    I'm assuming this question refers to the Mobile Device and Teleworking Policy template, section 4.

    Considering that, the "identifying of existing rules" means that for smaller companies you do not need additional detailed plans or procedures; you can simply define phrases identifying the rules used by the organization directly in the policy. This way you have less documentation to worry about. Here is an example considering one of the items of this section (the text in brackets is the identification of the rule):

    - prevention of unauthorized access by persons living or working on the location where the teleworking activity is performed [by means of locking the door to the room where the activity is performed every time the employee is absent from the work place].
  • Template content - Teleworking

    Your Team wrote in the policy that "teleworking doesn't include the use of mobile phones outside the company".
    Why did you exclude that? Because you talked before (in the policy) about mobile devices plus their rules, and you put mobile phones in that, let me call it "first", category?

    Answer:

    First, it is important to note that not including mobile phones as part of the Teleworking section does not mean it is forbidden to use them for this purpose, only that the specific rules for teleworking do not apply to them. The reason for this is that teleworking mostly refers to secure physical locations and equipment that are not moved very often (e.g., network equipment), even if they are mobile devices (e.g., notebooks), because the place is the location where the employee works most of his time, and this is not the nature of mobile phone use. Additionally, we understand that the rules defined in the Mobile Computing section are sufficient to bring potential risks to acceptable levels.
  • Records and documents


    1. What does "record" exactly mean? In my opinion it means: a document that cannot be changed after creation (protocols, test reports, management evaluation). For example: the result of a management review does not change after 3 months.

    Answer: A record is a specific type of document whose purpose is to evidence an achieved result or a performed activity. So your understanding is almost correct, considering that a record cannot be changed after it is approved or accepted, because errors can occur when the record is created, and someone has to verify that all information is complete and correct before the record can be considered valid.

    2. Besides, during the process of the certification you have "documents". Documents in my understanding mean:
    A document which can be changed and of which different revision levels can exist (guideline, QM manual, process instruction).
    Okay, with that, let's take the policy for mobile devices and telework. In your template in section 5 - records: you talk about the "permission for teleworking". Is that permission the signed permission of the employee or the blank permission? In my understanding the "record" can only be the signed permission, the solid document? Is that correct? If we know that, we can decide in which place the document is stored and under which conditions.

    Answer: Considering the previous answer, your understanding is correct: the record referred to in section 5 is the filled-in and signed permission, not the blank form.

    For further information about record management, please read:
    - Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
  • Templates content


    Answer: First, it is important to note that the number of applied controls does not have a direct correlation with the number of treated risks. You can have scenarios with many risks treated by few controls, as well as scenarios with few risks treated by a large number of controls. This all depends on the organization's context, the legal requirements to be fulfilled, and business objectives.

    Considering that, to justify that a control is not applicable you should first verify that there are no unacceptable risks that justify the implementation of the control, and that there are no legal requirements demanding the implementation of the control. If both situations occur, you can state that the control is not applicable in the SoA.

    For further information, please read:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

    2. Controls of A.16 and A.17: These controls can be applicable to each risk more or less, since you should document each disaster, and aside from that it's important that your business still runs after a disaster. Is it okay to write at each control of A.16 that there is a legal requirement (GDPR) that enforces us to do so? As for the controls of A.17, is it okay to write that this is a management decision? (In this case we would basically not link them to any specific risk.)

    Answer: Both justifications you presented for applying the controls you mentioned are valid (demanded by a legal requirement or by a top management decision).
  • Auditing a production area


    Answer:
    When I audit a production area, I want to see evidence of:

    - Operation parameters are defined, are monitored, and the process is being controlled;
    - SOPs, if defined, are available and are being followed;
    - Production and quality control records are being made;
    - Non-conforming products are removed, identified, corrected or destroyed;
    - Traceability is in place and working for machines, people and raw materials;
    - Machines and other equipment have preventive maintenance according to plan;
    - Operators are competent;
    - Cleaning processes are in place and validated.

    The following material will provide you information about auditing production:
    - Understanding Product & Service Provision in ISO 9001 - https://advisera.com/9001academy/blog/2014/10/07/understanding-product-service-provision-iso-9001/
    - Managing Production and Service Provision using ISO 9001 - https://advisera.com/9001academy/blog/2017/11/21/managing-production-and-service-provision-using-iso-9001/
    - How to establish process validation in the QMS - https://advisera.com/9001academy/blog/2017/01/31/how-to-establish-process-validation-in-the-qms/
    - Free online ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/