2. We have mapped all data our organisation processes. They fall into several categories (members, stakeholders, prospects, etc.), and the legal basis used to process the data can differ accordingly (legitimate interest, contractual necessity, etc.). The description of the legitimate interest can also differ within the same group, according to the type of stakeholder approached. My question is the following: can we send out specific, and therefore different, privacy notices to data subjects according to their characteristics (legal basis used, reasons for processing), or do we need to have only one publicly available privacy notice that would cover every situation in which we process data?
Answers:
1. The EU GDPR is applicable to your processing activity as long as the processing activity takes place in the Union, regardless of whether the data subjects are in the Union or not.
2. Regarding your privacy notices, you can bundle them for similar processing activities, even if, for example, the legal basis would be different.
Answer: There is no experience requirement to attend an ISO 27001 lead auditor course (although previous experience will help you in some aspects). The experience is only required if you want to become a lead auditor working as a certification auditor.
Answer: CISA and Lead Auditor cover different fields (information on systems is only a small intersection between them), so it does not make much sense to compare the demands of one against the other. Your choice between them should be based on the type and depth of the activities you wish to perform. If you want to focus on information security management, you should consider ISO 27001 Lead Auditor. If you want to go beyond the scope of information security, and also consider the strategic relationships between information security, the information systems and business objectives, you should consider CISA. Please note that these courses do not exclude each other; they only offer different perspectives on how information interacts with business.
Another alternative you should consider is the Lead Implementer course.
Answer: Sorry, but I am not sure I have understood your question correctly, because the logic of ISO 27001 is to identify risks and treat them, implementing whatever security controls are necessary. Therefore, basically, the controls that may not be mandatory are those you do not need in order to treat the identified risks, for example because they are not applicable. For example, if there is no teleworking in your organization, the control related to teleworking will not be applicable, and therefore it will not be mandatory to implement it. This article may be of interest to you: “La lógica básica de ISO 27001: ¿cómo funciona la seguridad de la información?” https://advisera.com/27001academy/es/knowledgebase/la-logica-basica-de-iso-27001-como-funciona-la-seguridad-de-la-informacion/
To what extent should we use Annex 2 of the Cross-Border Data Processing Procedure for:
- the application of visas for countries such as America, India, China, etc.? Consulates will not be prepared to sign Annex 2.
- the reservation of hotels, renting cars in e.g. the above-mentioned countries?
Answer:
1. If you apply for visas you don't need to have a data transfer mechanism in place, as the transfer of data is regulated via international agreements between countries.
2. If the data subject does that directly, there is no need for such a data transfer agreement. However, if a company in the EEA were passing personal data to a car rental company outside the EEA, a data transfer agreement would be needed between the two entities.
Yes, they were. Before ISO 9001:2000 there were three quality assurance standards: ISO 9001 for a company with design, commercial and production in the scope; ISO 9002 for a company with commercial and production in the scope; and ISO 9003, basically for a company with neither design nor production, just commercial activity.
The following material will provide you with information about the history of the standards:
I recommend you concentrate on the areas with the most important changes in the 14001:2015 version, particularly risks and opportunities, context of the organization, interested parties, and the life cycle consideration during the identification of environmental aspects.
GDPR Application in Case of EU Nationals Living Outside UAE
Answer:
My guess is that the EU GDPR is not applicable in your case since you are not offering goods or services to individuals in the EU.
The EU GDPR will only apply to personal data regarding individuals within the Union, while the nationality or habitual residence of those individuals is irrelevant. For example, a company based in the EU which is processing the data of Japanese individuals located in Japan will still need to comply with the EU GDPR. Consequently, the Japanese individuals will be benefiting from all rights according to the EU GDPR, even if these rights do not exist in their own nation’s laws.
When the data of EU citizens is processed outside of the EU by companies which are also outside the EU, then this is not considered to be “in the Union”. For example, the EU GDPR will not be applicable to a school based in the United States just because there is a possibility that one or several of its students are EU citizens. In this case the processing does not take place “in the Union”, nor is the individual “in the Union”.
2. What do you mean by “substantially affects” in alternative b)? I can't really see that there is a requirement that our head office located in Norway would need to have a cross-border agreement to process data for our employees located in branch offices within the EU, such as the UK, the Netherlands and Sweden.
Answer:
1. If you are transferring personal data to a third party located outside the EEA, then this constitutes a cross-border data transfer, and certain safeguards such as Standard Contractual Clauses (SCCs) need to be in place in order for the transfer to be consistent with the EU GDPR requirements.
2. As mentioned above, transfers to countries within the EEA are not considered cross-border transfers; thus, there is no need for SCCs or other safeguards.