Search results


  • GDPR tips

    Now my question, whether this makes sense and whether this approach could be fatal to us. Unfortunately, it is not possible for us, e.g. 100% free for 1 month only for GDPR activities. Since you certainly have experience, also in terms of the scope, I am very curious about your tips and hints.

    Answer:

    First I would like to start by mentioning that a DPO is not necessary to be appointed unless (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; or (b) the core activities of the legal entity consist of processing operations which, by their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the legal entity consist of processing on a large scale special categories of data pursuant to Article 9 of the EU GDPR and personal data relating to criminal convictions and offences referred to in Article 10 of the EU GDPR. If you could link the implementation of ISMS together with GDPR it won’t constitute an issue.

    To learn more about ISMS and GDPR check out our article “Does ISO 27001 implementation satisfy EU GDPR requirements?” (https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/).
  • Contracting and GDPR

    2. We buy contact databases from a Poland (EU) company for direct marketing purposes. Should we inform the addressees in these DBs about the source of their contacts, and is this business lawful at all?

    Answers:

    1. To transfer personal data from the EU to a third country certain safeguards need to be set up according to Chapter V of the EU GDPR “Transfers of personal data to third countries or international organizations” (https://advisera.com/eugdpracademy/gdpr-text/transfers-of-personal-data-to-third-countries-or-international-organisations/). One of the most used safeguards is the Standard Contractual Clauses which were drafted by the EU Commission to regulate the transfer of data to third countries. To find out more about transfers of personal data check out the webinar “How to make personal data transfers to other countries compliant with GDPR” (https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/).

    2. When obtaining personal data from a third party you would need to provide to the data subject an adequate Privacy Notice as required by article 14 of the EU GDPR “Information to be provided where personal data have not been obtained from the data subject” (https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-have-not-been-obtained-from-the-data-subject/). To find out more about privacy notices check out our webinar “Privacy Notices Under the EU GDPR” (https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/).
  • Software tools for BIA


    Answer: Only some activities related to ISO 22301 can be semi-automated (e.g., control of documents, controls measurement, etc.). Being a management system, ISO 22301 still requires some human intervention to analyse and evaluate information, including performing BIA, so for small and mid-size businesses we do not recommend anything more complex than a spreadsheet to help organize the information needed for BIA.

    This article will provide you further explanation about automated tools:
    - When to use tools for ISO 27001/ISO 22301 and when to avoid them https://advisera.com/conformio/blog/2021/06/24/toolkit-vs-conformio-which-is-more-applicable-for-my-company/
  • Audit procedure and information logging


    Answer: For an audit procedure, I suggest you take a look at the free demo of our Internal Audit Procedure at this link: https://advisera.com/27001academy/documentation/internal-audit-procedure/

    If I understood correctly, you want to know what should be logged by systems to be used as evidence in an audit. "Audit logging" is not a term used by the standard and may lead to misunderstandings.

    Considering you are referring to what should be logged, you should look for legal and contractual requirements you must fulfil and the results of risk assessment (unacceptable risks can provide you information about what should be logged). For IT systems, the most common logs are related to date, time, IP address (both from origin and destination), user (both common users and administrators), action performed (e.g., login attempts, modifications on configurations, etc.) and results (success or failure).

    These materials will also help you regarding audits:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
  • Subscription services

    2. Consent :
    We currently have a 'Contact form' on our website. We need to take the consent of a person to contact him / her to resolve their queries (for which they are contacting us) and send him / her periodic updates about our products and events etc. We may be sharing their data with a third party marketing service provider in case they opt for receiving periodic updates. Our privacy notice talks about third parties. Is it okay to give a reference to our privacy policy in the consent form? Instead of having a long consent form can we just ask the user to refer to the privacy policy for details such as data shared with third parties?
    3. Revoking the consent to send emails with periodic updates - We do not provide the facility of creating user IDs etc. on our website. Based on data collected from the contact form, we send newsletters and product updates. We have an 'Unsubscribe' option in the periodic updates email that we send. Is it necessary to provide an 'Unsubscribe' option on the website also - e.g. should we have a link
  • Required documented information


    Answer:

    Please check clause 4.4.2, “To the extent necessary, the organization shall” and then “a) maintain documented information to support the operation of its processes”. ISO 9001:2015 has no requirement making procedures mandatory. So, according to the advice from 4.4.2 a) it is up to each organization to evaluate the value added of creating, or not, a documented procedure.

    The following material will provide you information about creating documented procedures:

    - ISO 9001 - List of mandatory documents required by ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
    - New approach to document and record control in ISO 9001:2015 https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
    - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • The life cycle perspective


    Answer:

    Your organization must make provisions for all environmental aspects during the whole lifecycle, including end of life. Identify all relevant steps after the product leaves the plant or the service is provided, and for each step determine possible aspects and impacts. I always give the example of manufacturing AA batteries: imagine what a consumer can do after the battery becomes dead. That is why packaging tries to influence consumers to give a proper final disposition. A normal procedure for aspects and impacts determination can be used as long as the methodology applies to those steps after selling.

    The following material will provide you information about implementing the life cycle perspective:

    - ISO 14001 – Lifecycle perspective in ISO 14001:2015 – What does it mean? https://advisera.com/14001academy/blog/2017/02/20/lifecycle-perspective-in-iso-140012015-what-does-it-mean/
    - How does product life cycle influence environmental aspects according to ISO 14001:2015? https://advisera.com/14001academy/blog/2016/03/21/how-does-product-life-cycle-influence-environmental-aspects-according-to-iso-140012015/
    - ISO 14001 documentation Toolkit https://advisera.com/14001academy/iso-14001-documentation-toolkit/
    - free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • Scope definition


    Can you please help?

    Answer: According to ISO 27001, an ISMS scope must be defined in terms of information, locations or business units to be protected, considering the organization's objectives and context. For your scenario, besides which type of information (e.g., customer data, R&D information, etc.), you should consider which locations and sectors should be part of the ISMS.

    These articles will provide you further explanation about defining scope:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    These materials will also help you regarding defining scope:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Filling the risk assessment template


    Answer: If you have existing measures you believe are related to the identified risk, you have to include them in the last column, even if the risk value falls as an acceptable risk. Probably these measures are the reason for the low value of the risk and your organization must be aware of them in the risk assessment and treatment process.

    By the way, included in the toolkit you have access to a video tutorial that can help you fill the risk assessment template.
  • Risk mitigation and BC strategy


    As I had to take the exam and I still didn't have an answer for the question, I bought ISO 27001 Risk Management, hoping to find the answer. But I didn't.

    The pocket book is really fine, though having read “Becoming resilient” most of the contents of the ISO 27001 Risk Management pocket book are exactly the same. But anyway I think I learned some new things.

    Answer: Risk mitigation involves the implementation of controls to reduce the impact and/or probability of a risk happening, so mitigating risks before implementing the strategies for BC will help reduce the resources required to implement BC strategies. Regarding ISO 27001 Risk Management, it has much more precise requirements regarding the timing of the mitigation - the controls do not need to be implemented right away, but they need to be planned through the Risk Treatment Plan.

    For example, by installing a lightning rod system, you can reduce the need for a secondary site as a result of a lightning storm damaging a building's electrical infrastructure.