
  • Assessing data breaches

    I'm trying to figure out what this means - when we should or shouldn't notify customers.

    The sort of data we typically have is:
    - IP address
    - Full name
    - Email
    - Home address
    - Work address & name of work (sometimes)
    - Purchase history (we sell clothes)
    - Other less interesting things such as what pages have been visited, which marketing emails have been opened, etc.

    Based on my limited understanding, the most sensitive information we have is a customer's size data. If we leaked, say, 100,000 records it may directly or indirectly contain information on someone's size. Can you help clarify this?

    Answer: I think you will find an answer to this if you read our “Assessing the severity of personal data breaches according to GDPR” (https://info.advisera.com/eugdpracademy/free-download/assessing-the-severity-of-personal-data-breaches-according-to-gdpr). This document will provide you with a simple “out of the box” methodology to assess your data breaches.
  • Procedures development


    Answer: To define which documents you need to develop and how to make them useful, you should consider issues such as:
    - regulatory or contractual requirements that demand a certain document
    - the organization's size and the number of people involved
    - the importance and complexity of the process or activity

    This article will provide you further explanation about documentation development:
    - 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/

    These materials will also help you regarding documentation development:
    - Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • ISO 27001 toolkit for SaaS companies


    Answer: Many of our clients are companies that provide SaaS and are using large hosting providers like AWS, Azure and similar - so yes, this toolkit is applicable for such companies, especially if they are small or medium-sized (up to 500 employees).

    Here's a very useful article on defining the ISMS scope when using hosting services: Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
  • Configuration Management and other processes


    Answer:
    I would say that none of Incident, Problem or Change Management is fully implemented without Configuration Management (Service Asset and Configuration Management in ITIL). That means that the mentioned processes depend on information from Configuration Management.
    The following articles provide more details:

    Knowing your herd – Service Asset and Configuration Management (SACM) https://advisera.com/20000academy/blog/2013/06/04/knowing-herd-service-asset-configuration-management-sacm/
    Answers to 5 FAQs about the ITIL Service Asset and Configuration Management process https://advisera.com/20000academy/blog/2016/03/29/answers-to-5-faqs-about-the-itil-service-asset-and-configuration-management-process/

    Also, there is a recorded webinar that can help you:
    The basic elements of ITIL Service Asset and Configuration Management (SACM) https://advisera.com/20000academy/webinar/the-basic-elements-of-itil-service-asset-and-configuration-management-sacm-free-webinar-on-demand/
  • Retention period and Data processor agreement

    2. Data processor agreement – Our client requested us to sign a Data Processing Agreement, which defines our client as data controller and us as the data processor. However, under certain situations, in delivering the service to clients, we play the data controller role and our client is the data processor. Does this mean we need another Data Processing Agreement for these exchanged roles?

    Answer:

    1. I strongly advise you to define a maximum retention policy for candidates' CVs, considering that the data in a CV will most likely be outdated in a few years anyway.
    2. Not necessarily. When you are acting as an independent controller it is not necessary to have a DPA with another controller.

    To learn more about the EU GDPR check out our “EU GDPR Foundations Course” (https://advisera.com/training/eu-gdpr-foundations-course//)
  • Personal Data Protection Policy


    Answer: Indeed, this is one reason, and the other is that in order to fulfill all of its obligations with regard to the EU GDPR any company needs to get the support of top management. Thus, top management needs to be informed, and it also needs to endorse the compliance effort together with the Personal Data Protection Policy.

    To learn more about the Personal Data Protection Policy check out our article “Contents of the Data Protection Policy according to GDPR” (https://advisera.com/eugdpracademy/knowledgebase/contents-of-the-data-protection-policy-according-to-gdpr/).
  • Filling out ISO 14001 templates


    Answer:

    In the case of policies and procedures you won't need much effort, since our templates are already written and fully editable; you just need to enter the specific information about your company. The forms, however, are not pre-filled, so you will need to input all the information.

    Also, it is important to highlight that our documentation not only deals with all the technicalities but also guides you, through several comments, on what to fill out.

    You can click the "Download a Free Toolkit Demo" button to download a toolkit preview, or you can click the preview of each document in the section "Toolkit Documents" here: https://advisera.com/14001academy/iso-14001-documentation-toolkit/
  • Lessons Learnt Program


    Answer:

    We do not have any detailed procedure for a Lessons Learnt Program. Your organization monitors performance, identifies improvement opportunities, develops improvement projects and after evaluating their effectiveness, intends to capture the know-how acquired.

    A procedure for a Lessons Learnt Program should define how that know-how is acquired and transmitted to others in the organization.
  • Flowcharts in procedures


    My answer:

    It is not necessary to create flowcharts for procedures. Bear in mind that in this new version of the standard, ISO 9001:2015, it is not mandatory to write any procedure, so you can choose whether or not to have a procedure, and also what it will look like. However, creating flowcharts can help an organization better explain a process, communicate it, and even improve it.

    For more information on ISO 9001:2015 documentation, see these articles:

    - New approach to document and record control in ISO 9001:2015: https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/#
    - ISO 9001:2015 process vs. procedure: https://advisera.com/9001academy/blog/2016/01/19/iso-90012015-process-vs-procedure-some-practical-examples/

    You can also download this white paper: How to create an ISO 9001 process flowchart: https://info.advisera.com/9001academy/free-download/how-to-create-an-iso-9001-process-flowchart

    These materials can help you with the implementation of ISO 9001:2015:

    - Book "Discover ISO 9001:2015 through practical examples": https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - ISO 9001:2015 Foundations Course: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
    - Conformio - online compliance tool: https://advisera.com/conformio/
  • Privacy Policy vs. Privacy Notice and Data breaches


    1. So the first one: should the company have both a privacy policy and a privacy notice? Because I see the differences between these two, but it is really hard to find a website where both of them are present... So I messed up...
    2. Next one: can I write about data breaches in my risk policy? Because all the information about several breaches is written there, so it seems legitimate to me to write this one as well...

    Answer:

    1. The Privacy Policy in the EU GDPR Documentation Toolkit is meant to be an overall Policy describing what a company is doing to be compliant with the provisions of the EU GDPR. The Privacy Notice, on the other hand, is a document meant to explain to the data subjects what a data controller is doing with their data. So, as you can easily see, the two documents are meant to serve different purposes. To learn more about privacy notices check out our webinar “Privacy Notices Under the EU GDPR” (https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/)

    2. Yes, you can. Just make sure that you can distinguish between a personal data breach and a breach that does not involve personal data. To learn more about data breaches check out our webinar “A How-to Guide for GDPR Data Breach Notifications” (https://advisera.com/eugdpracademy/webinar/a-how-to-guide-for-gdpr-data-breach-notifications-free-webinar-on-demand/).