
  • Toolkit templates


    1. Business Continuity Plan with Roles and Responsibility of BCP manager.
    2. Software Change Management policy and process { including Change Advisory Body (CAB) management process}
    3. Supplier Performance Evaluation process and Evaluation form

    It will be highly appreciated if you could kindly provide me with the templates.

    Answer: Just to note that to be compliant with ISO 27001 requirements the Business Continuity Plan, Software Change Management process and the Supplier Performance Evaluation process and Evaluation form are not mandatory; however, if you decide to write those documents, they are already included in your toolkit:
    - to cover all ISO 27001 requirements for business continuity you can use the Disaster Recovery Plan, located in folder 08 Annex A A.17 Business Continuity
    - to cover the Software Change Management policy, you can use as a template the Change Management Policy, located in folder 08 Annex A A.12 Operations security
    - to cover the evaluation process you can use the Supplier Security Policy, located in folder 08 Annex A A.15 Supplier relationships

    If you need them for other reasons (e.g., to comply with a legal requirement), I suggest you schedule a meeting with one of our experts so he can guide you through this elaboration process. To schedule a meeting, please access this link: https://advisera.com/27001academy/consultation/
  • Questions from the external auditor

    Answer:

    The external auditor will ask questions in order to be able to conclude about the conformance and/or effectiveness of the management system. When auditing quality personnel he will be asking questions like:

    Is the quality control plan at reception and production being fulfilled? Evidence!
    Are nonconformities identified, segregated and treated? Evidence!
    Are corrective actions developed and effective? Evidence!
    Is process and product performance monitored, and decisions made? Evidence!

    The following material will provide you information about the certification audit:

    - ISO 9001 – How to deal with nonconformities in an ISO 9001 certification audit - https://advisera.com/9001academy/blog/2015/06/09/how-to-deal-with-nonconformities-in-an-iso-9001-certification-audit/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book – Preparing for ISO Certification Audit: A Plain English Guide - https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/
  • Right to be deleted

    Facebook and Google track their usage of our site. We may continue showing them remarketing ads theoretically for months to come, by using Google and Facebook tools. I believe Facebook and Google are the data controller.
    Do we have an obligation to not do this? It's very hard to comply with this technically, and I'm not sure we are required to?

    Answer:

    If it is Facebook or Google, this means that they are the controllers and your customer should direct their deletion request to them as well. As long as you delete the data and inform the user of the website, through your cookie policy, that Facebook and Google are using cookies to track the behavior of the user of the website (providing information on how to set up the website not to accept cookies), you should be fine.

    To learn more about data subject rights check out our webinar “Data Subject Rights under the EU GDPR” https://advisera.com/eugdpracademy/webinar/data-subject-rights-under-the-eu-gdpr-free-webinar-on-demand/
  • Obligations to EU residents

    2. Do our clients need to obtain permission to input this personal information first?
    3. Do we need to purge any historical data about EU residents from our database if we do not know how the information was collected?

    Answers:

    1. From the beginning it is important to know that GDPR is applicable to your company because you are monitoring individuals whose behavior takes place within the European Union. As your company is collecting the data and decides what data is to be collected, this makes it a controller. It should notify the EU residents in its database that it is processing their personal data as per the requirements of EU GDPR article 14 - “Information to be provided where personal data have not been obtained from the data subject” (https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-have-not-been-obtained-from-the-data-subject/)
    2. Your client acts as a controller as well and should notify the EU residents that he is processing their personal data and also communicate to them the source of the data (which in this case is you). See art. 14 of the EU GDPR – “Information to be provided where personal data have not been obtained from the data subject” (https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-have-not-been-obtained-from-the-data-subject/)
    3. According to GDPR you cannot process personal data unless you have a legal ground. If you cannot rely on a legal ground, then your processing activity may be unlawful. In conclusion, if you cannot prove that your personal data was collected legally, then you should erase it.

    To learn more about the EU GDPR check out our free “EU GDPR Foundations Course” https://advisera.com/training/eu-gdpr-foundations-course//
  • Parent's right


    Answer:

    This is related to the age of the student and the local legislation. As long as the parent acts as the legal guardian of the student then the parent is entitled to ask for that information.
  • Non-EU clients

    2. Eventually, we should protect all the data of the EU clients / non-EU clients who have business contacts in Europe, right?

    Answers:

    1. If I understand correctly, after the process of incorporation the company will have its headquarters or a subsidiary in the European Union. In this case the answer is yes, GDPR applies to every company which is based in the European Union and processes personal data. For example, a company based in the EU which is processing the data of Japanese individuals located in Japan will still need to comply with the EU GDPR.
    2. Yes, you should protect the personal data of every individual whose data you are collecting as long as your business is based in the European Union.

    To learn more about the EU GDPR check out our free “EU GDPR Foundations Course” https://advisera.com/training/eu-gdpr-foundations-course//
  • GDPR on employees


    Answer:

    If the company that performs background checks is not based in the European Union and processes only the data of individuals located on the territory of the United States, then it does not have to comply with GDPR.
  • Documenting QMS Issues in AS9100


    Answer:
    The internal and external issues that comprise the context of the organization in AS9100 Rev D do not need to be documented information as per the standard requirements. For instance, if you have a small business where the owner is always considering these issues (such as being part of an industry action group that meets to discuss industry issues), then you may not need to write these down. However, as these need to be reviewed occasionally, organizations that have several people in top management may find it very useful to write these down for later review.
    If you want to see a sample of our procedure for context of the organization, which includes identifying issues, you can see this page: https://advisera.com/9100academy/documentation/procedure-for-determining-context-of-the-organization-and-interested-parties/
  • ISO 27018


    Answer: ISO 27018 is not a certifiable standard. It can be used to support implementation of controls of ISO 27001 Annex A (this one is a certifiable standard), providing additional guidance to implement security practices to protect privacy in the cloud.

    Some certification bodies are issuing unofficial ISO 27018 certificates, but only together with an official ISO 27001 certificate.

    This article will provide you further explanation about ISO 27018:
    - ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/
  • Controls applicability


    Answer: According to ISO 27001, the implementation of antivirus application, or any control from Annex A, is required only if one of the following occurs:
    - There are risks identified as unacceptable in the risk assessment that require the implementation of the control
    - There are legal requirements (e.g., laws, regulations, contracts, etc.) that require the implementation of the control
    - There is a top management decision requiring the implementation of the control

    If none of these occurs there is no need to implement a control considering ISO 27001 requirements.

    These articles will provide you further explanation about risk assessment:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    These materials will also help you regarding risk assessment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/