Answer: ISO 27018 provides guidance and recommendations to protect personally identifiable information, so if your services involve your customers' personal data, or personal data from their customers, then this standard is probably applicable to you. To determine that, you should verify your customers' requirements and the laws and regulations applicable to your business.
If I already have a risk assessment documented, must I document the risks in the SoA as well?
Answer: The Statement of Applicability is required by ISO 27001 clause 6.1.3 d), so it is needed for certification purposes. In fact, it is one of the main documents used by the auditor during an audit.
Although it is important for the SoA to justify the applicability of controls, there is no need to document risks in the SoA. In such cases you can simply refer to the risk identifiers used in the risk assessment document (e.g., "control applicable to treat risks identified by numbers 12 and 34 in the risk assessment").
Answer: Any company can comply with ISO 22301, but to do so the company obviously has to implement the standard, complying with its requirements. If I am a customer of your company and I want you to demonstrate to me that you can implement the standard, you could show me a project plan for the implementation of the standard, approved by top management.
Another option is certification of the implemented ISO 22301, and another option is a second-party audit.
Answer: If this person is formally not part of management, the problem may be that their decisions can be executed informally, and this can be a problem for compliance with ISO 27001, because your organization might not be able to demonstrate the leadership and commitment of top management with respect to the information security management system, which is an important requirement of ISO 27001 (clause 5.1 - Leadership and commitment). Therefore, one recommendation would be for this person to formally become part of top management.
2. For the Data Subject Access Request Procedure. A Data Subject Access Request can be made verbally in Germany. Hence it is necessary to ensure that verbal requests are treated with the same level of care as with written requests.
Answers:
1. The birth date is mentioned for two purposes: for establishing that the individual is not a minor, as well as a means of making it easy for you to identify him/her in your systems. However, you may choose not to ask for that information from the data subject.
2. I can't see any question related to the topic of "Data Subject Access Request Procedure".
Answer: ISO management standards (like ISO 27001 / BS EN ISO 9001) were designed to be implemented in organizations of any industry or size, so they would work the same way for any of them:
1 - Identification of business context and requirements
2 - Development and implementation of documents and records required by the standard
3 - Development and implementation of documents and records required by business operations
4 - Process performance measurement, monitoring and review
5 - Implementation of corrective actions and opportunities for improvement
The difference would be in the number and complexity of the developed documentation, and the required resources.
2 - Can this apply and is it useful/necessary in this case or is there any equivalent?
Answer: As mentioned in answer 1, these standards can be applied in your case, and can be useful in at least four ways:
- to decrease costs related to information security incidents
- to provide a competitive edge in your market
- to help organize operations
- to help ensure compliance with legal requirements you must fulfil
Regarding necessity, you should consider your customers and legal requirements you must comply with.
3 - Also, what is the average cost for an "extra" small company (Web-based Dev - 1 employee)?
Answer: There are a significant number of variables to be considered when estimating an implementation cost, even for such a small organization, so without more detailed information it's not possible to give a precise value. What I can tell you are some cost issues you should consider:
- Training and literature
- External assistance
- Technologies to be updated / implemented
- Employee's effort and time
- The certification process
I believe somewhere in your information you recommend against sharing audit results with the customer. If this is true, could you send me a link to that information? It will help to convince Sales that this is not a good idea.
Answer: The sharing of audit results with customers should be handled carefully. While this can be a good marketing tool to demonstrate good faith and your organization's commitment to customers, it may also reveal situations that can compromise the relationship and your organization's image if not handled properly.
My advice would be for your organization to define, by means of contracts and service agreements, in which situations these results should be shared, what information would be shared, and what measures should be taken by the customer to protect this information (e.g., those customers that will have access to the results should sign a non-disclosure agreement).
Comprehensive consent document
Answer:
According to the EU GDPR, consent needs to be a "freely given, specific, informed and unambiguous indication of the individual's wishes." Among other things, this means that if the relevant processing has multiple purposes, consent must be given for all of them, and since we cannot possibly list all the instances in which someone would ask for consent, it is up to the controller (you) to identify those purposes.
Also, you cannot use so-called "bundled consent". Where different processing activities are taking place, consent is presumed not valid unless the individual can consent to them separately.
With this in mind, it is impossible to have a readily available consent form that covers all scenarios.
Could you explain in detail how we can contact the Supervisory Authority:
1. Where can I find contact details such as email, address, phone number, etc. for the Supervisory Authority?
2. Should we contact the Supervisory Authority in a specific country? What does it depend on?