  • Employees awareness


    Answer:

    For employee awareness I suggest you take a look at our Why ISO 27001 – Awareness presentation at this link: https://info.advisera.com/27001academy/free-download/why-iso-27001-awareness-presentation
    This short presentation is intended for employees, to show what ISO 27001 is all about, why it is good for the company – and also for themselves – and what their role is in handling information security; you can adjust it to fit your needs, or use its content in your e-mails.
  • Secondary site location


    Answer:

    There is no standard distance for a secondary site, because the distance depends on the primary site location, the organization's profile, and many other variables. You can consider these factors to define the distance most adequate for your business:
    - the impact radius of a disruption event that can hit your site (the greater the impact, the greater the distance to your secondary site)
    - the costs of keeping this secondary site available (e.g., the greater the distance, the greater the cost of the telecommunication links used to connect both sites, and of moving personnel from the site in case of need).
    This article will provide further explanation about identifying the distance for a secondary site:
    - Disaster recovery site – What is the ideal distance from primary site? https://advisera.com/27001academy/knowledgebase/disaster-recovery-site-what-is-the-ideal-distance-from-primary-site/
  • Control objectives


    Answer:

    Control objectives are written right after the title of each subsection in Annex A. For example, right after subsection A.5.1 (Management direction for information security) you can find the control objective for controls A.5.1.1 and A.5.1.2:

    "Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations."

    Please note that there is not a control objective for each control. Instead, there is one control objective for a set of related controls (described in each subsection of Annex A).

    This article will provide further explanation about control objectives:
    - ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/

    This material will also help you regarding control objectives:
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Regulatory compliance

    If such general regulations do not have an impact on the ISMS, they can leave them out of the scope, and the control would be compliant.
  • IATF 16949 and ISO 22301


    Answer:

    The main reasons to adopt ISO 22301 are:
    - You have a legal requirement (e.g., a law, regulation or contract) that demands such a standard be implemented.
    - There is a marketing or operational edge the organization can take advantage of by implementing the standard.
    If neither reason applies to your organization, you do not need to implement ISO 22301.
    Regarding differences, while IATF 16949 focuses on quality for the automotive industry, ISO 22301 focuses on business continuity, enabling an organization to effectively handle disruptive events that can impact its processes or services.
    This article will provide further explanation about ISO 22301:
    - What is ISO 22301 https://advisera.com/27001academy/what-is-iso-22301/
  • Testing cyber security


    Answer:

    The most effective and reliable tests of cybersecurity controls, plans and strategy will require software and other resources (these are called vulnerability assessments and penetration tests).

    However, you may also rely on documentation analysis and tabletop simulations to verify some aspects of your cybersecurity, but these cover far less of the scope you may be exposed to.
    These articles will provide further explanation about security tests:
    - How to use penetration testing for ISO 27001 A.12.6.1 https://advisera.com/27001academy/blog/2016/01/18/how-to-use-penetration-testing-for-iso-27001-a-12-6-1/
    - How to set security requirements and test systems according to ISO 27001 https://advisera.com/27001academy/blog/2016/01/11/how-to-set-security-requirements-and-test-systems-according-to-iso-27001/
    - ISO 27001 vs. ISO 27032 cybersecurity standard https://advisera.com/27001academy/blog/2015/08/25/iso-27001-vs-iso-27032-cybersecurity-standard/
  • Opt-in email marketing


    Answer:

    There are three factors to be considered: the public source of that information, the fact that the email address is a “corporate” email address, and the content of the direct marketing emails.

    The first two factors above clearly indicate that we are dealing with a corporate email address which is made public for communication purposes. If you combine this with the content of your marketing emails, which should be targeting the company, not the individual, then in using that email address you can rely on “legitimate interest”, so no consent would be required, but you do need to provide an option to unsubscribe from the marketing emails.

    To learn more about marketing practices and GDPR check out our webinar “How GDPR Affects Marketing Practices” (https://advisera.com/eugdpracademy/webinar/how-gdpr-affects-marketing-practices-free-webinar-on-demand/).
  • Assessing the severity of personal data breaches according to GDPR

    Case: the personal data breach only involves non-sensitive categories of personal data but could lead to a financial loss (unauthorized persons had access to name, surname, type of debit card, first 4 digits of the debit card and the expiration date of that card) - what score should I allocate, 1 or 2? More than that, some unauthorized persons took advantage of the system error and used debit cards belonging to others on our online platform. Of course, in a very short period of time we compensated the affected people with their money back.

    Answer:

    Recital 85 of the EU GDPR states that one of the purposes of notification is limiting damage to individuals. Accordingly, if the types of data subjects or the types of personal data indicate a risk of particular damage occurring as a result of a breach (e.g. identity theft, fraud, financial loss, threat to professional secrecy), then it is important that the notification indicates these categories.

    So, as you can see, the key trigger requiring notification of a breach is when there is a likely risk to the rights and freedoms of individuals, and the key trigger requiring communication of a breach to data subjects is where it is likely to result in a high risk to the rights and freedoms of individuals. This risk exists when the breach may lead to physical, material or non-material damage for the individuals whose data have been breached. Examples of such damage are discrimination, identity theft or fraud, financial loss and damage to reputation.

    To learn more about data breaches check out our “EU GDPR Foundations Course” (https://advisera.com/training/eu-gdpr-foundations-course//)
  • Management Systems Integration


    Answer:
    I don’t know if I’m understanding you well when you mention “numbering”. Whenever I work with integrated systems I avoid using the numbering of the standard and use a numbering based on processes. For example, 8.2 is no longer about commercial activities (quality) or emergency preparation (environment).

    The following material will provide you information about management systems integration:

    - How to implement integrated management systems - https://advisera.com/articles/how-to-implement-integrated-management-systems/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-14001-internal-auditor-course/ foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • PayPal and GDPR

    1. If I contact PayPal CS, do I have to tell them my GDPR right(s) to close it and remove my card details?
    2. Any idea if PayPal is GDPR compliant?

    Answers:

    1. As a data controller PayPal should already have available adequate data protection notices for its customers. You can access their Privacy Notice at https://www.paypal.com/en/webapps/mpp/ua/privacy-full#10 and you will find details about your rights under section 10 of the document.

    2. Compliance with GDPR is something that has to be established by a Supervisory Authority and for that reason we cannot tell if they are compliant or not.