Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11272 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
ISO 27018
Answer: ISO 27018 is not a certifiable standard. It can be used to support implementation of controls of ISO 27001 Annex A (this one is a certifiable standard), providing additional guidance to implement security practices to protect privacy in the cloud.
Some certification bodies are issuing unofficial ISO 27018 certificates but only together with official ISO 27001 certificate.
This article will provide you further explanation about ISO 27018:
- ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/ -
Controls applicability
Answer: According to ISO 27001, the implementation of antivirus application, or any control from Annex A, is required only if one of the following occurs:
- There are risks identified as unacceptable in the risk assessment that require the implementation of the control
- There are legal requirements (e.g., laws, regulations, contracts, etc.) that require the implementation of the control
- There is a top management decision requiring the implementation of the control
If none of these occurs there is no need to implement a control considering ISO 27001 requirements.
These articles will provide you further explanation about risk assessment:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
These materials will also help you regarding risk assessment:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/ -
Few GDPR queries
2. Could you clarify the confidential level, what should we write and why?
3. About the Cross-border Transfer of Personal Data. The current legislation GDPR EU 2016/679 says about the free movement of data, so why we need Data Transfer Agreement and with whom? And why we should to obtain the authorization from Supervisory Authority? ( it was before 25 may 2018, the Transfer was with license).
4. So we need only Processor Data Processing Agreement, please approve...
5. Question from 8.1.3 Section: If we are Controller and provide service for Non-EU companies with our nominee EU persons, what we are doing in this case? My opinion, we have EU local Supervisory Authority and we have Processor Agreement with all our suppliers, is it enough lawful or correct...
Answers:
1. Data Protection Policy is usually an internal document but there are companies that chose to publish the document on their website in order to be more tran sparent in front of their clients.
2. Usually companies classify their internal documents based on their importance to the company. Personal data should at least be considered as “Confidential” so it can only be handled by specific personnel that needs to process the data to fulfill their duties. For more information about “Information classification” you can check out our free article https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
3. A Data Transfer Agreement (DTA)is a contract between the providing and recipient organizations that governs the legal obligations and restrictions, as well as compliance with applicable laws and regulations, related to the transfer of such data between the parties. When you are transferring personal data outside the EEA, in addition to the DTA you must use appropriate safeguards in the absence of an adequacy decision. Appropriate safeguards are intended to provide enforcement and effective rights to individuals. All require prior approval from a supervisory authority. According to GDPR the appropriate safeguards are: Binding corporate rules, Standard Contractual Clauses, Approved codes of conduct or certification mechanisms, Ad hoc contractual clauses and Reliance on international agreements. Among the most used appropriate safeguards are Standard Contractual Clauses.
The document “Standard contractual clauses for the transfer to Processors ” is to be used when transferring personal data to countries outside the EEA the same information can be found in the “Cross border data transfer procedure” (Cross Border Data Transfer (CBDT) - Transfer of personal data by controllers established in the European Union (EU) to recipients established outside the territory of the EU/EEA who act either as controllers or as processors.). To learn more about cross border data transfer please check out our free webinar on “How to make personal data transfers to other countries compliant with GDPR “ https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/
4. If you are transferring data to a processor (supplier) which is located in the EU you need to use document 07.2 Supplier data processing agreement that can be found in folder 7 “Third party compliance” in the EU GDPR Documentation Toolkit.
5. I am not sure I understand very well the question. Please rephrase it and please provide more details of what data you are processing in order to provide services to your non – EU clients. Please define “nominee EU Persons”.
To learn more about GDPR implementation please check out our free article “9 steps for implementing GDPR” https://advisera.com/articles/9-steps-for-implementing-gdpr/ -
New Website GDPR policy statement
Answer:
The document you are looking for is called a “Privacy Notice” and is regulated by EU GDPR art. 13 - Information to be provided where personal data are collected from the data subject (https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-are-collected-from-the-data-subject/) and a template can be found in our EU GDPR Documentation Toolkit (https://advisera.com/eugdpracademy/documentation/privacy-notice/).
To find more about privacy n otices check out our webinar “Privacy Notices Under the EU GDPR” https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/ -
Privacy & GDPR
Answer:
What you are looking for is the Privacy Notice where you inform the website visitors/clients about the data you collect when they access/register on the website and you can use the template Privacy Notice in the toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/
To find more about privacy notices check out our webinar “Privacy Notices Under the EU GDPR” https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/ -
Meaning of context determination
Answer:
Any organization is an open system interacting with the outside world. So, an organization’s approach to its products, services and priorities is affected by the interested parties (and its needs and expectations), and external issues (like political, economic, social, technologic, environmental and legislation), and internal issues (like performance, strategic orientation, history, …). Determining context of the organization is a way of listing all those issues.
The following material will provide you information about the context determination:
- ISO 9001 – How to identify the context of the organization in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
- ISO 9001:2015 Case study: Context of the organization as a success factor in manufacturing company - https://advisera.com/9001academy/blog/2016/10/11/iso-90012015-case-study-context-of-the-organization-as-a-success-factor-in-manufacturing-company/
- Procedure for Determining Context of the Organization and Interested Parties - https://advisera.com/9001academy/documentation/procedure-for-determining-context-of-the-organization-and-interested-parties/
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
Considering the lifecycle aspect
I am trying to consider the lifecycle aspect but do not really know where to start. I would appreciate any help in this”
Answer:
I would think of your service as a process with its own lifecycle:
You purchase consumables – do you have environmental considerations when deciding to whom to buy?
Your welders have to move to customers locations – do you any environmental considerations about that transport?
Your welders perform their work and generate some kind of waste - do you any environmental considerations about how to perform and how to handle wastes?
The following material will provide you information about considering lifecycle aspects:
- ISO 14001 – Lifecycle perspective in ISO 14001:2015 – What does it mean? - https://advisera.com/14001academy/blog/2017/02/20/lifecycle-perspective-in-iso-140012015-what-does-it-mean/
- How does product life cycle influence environmental aspects according to ISO 14001:2015? - https://advisera.com/14001academy/blog/2016/03/21/how-does-product-life-cycle-influence-environmental-aspects-according-to-iso-140012015/
- free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
- book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/ -
Exemplar Global accreditation
Answer: Exemplar Global certified our ISO 27001 exams according ISO 17024. For more information see this link: https://exemplarglobal.org/who-we-are/our-accreditations-and-associations/ -
Template content
Answer: Business continuity management is a set of practices to ensure the continuity of business operations in case of disasters or disruptive events that impact the organization. The main ISO standard for business management is ISO 22301.
Regarding ISO 27001 implementation, everything you need to comply with section A.17 from ISO 27001 Annex A (Information security aspects of business continuity management) is already included in the toolkit you bought. You can find them on folder 08 Annex A A.17 Business Continuity
These articles will provide you further explanation about ISO 22301, business continuity, and its applicability on ISO 27001 implementation:
- What is ISO 22301 https://advisera.com/27001academy/what-is-iso-22301/
- How to use ISO 22301 for the implementation of business continuity in ISO 27001 https://advisera.com/27001academy/blog/2 015/06/15/how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001/
This material will also help you regarding business continuity:
- Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/ -
Compliance exercise
Answer:
From your description it seems like your processing activities are only concerning individuals in Pakistan and thus not subject to the EU GDPR. Another thing is that if you are targeting only enterprises this means the exposure to personal data could be quite limited.
Thus, I fail to understand why would you want to become compliant with the piece of legislation which is not applicable to you. However, it you are interested in some advice you can check out our article “9 steps for implementing GDPR” https://advisera.com/articles/9-steps-for-implementing-gdpr/