Search results


  • CSF, KPI, metric


    Answer:
    CSF or Critical Success Factor is something that must happen if an IT service, process, plan, project or other activity is to succeed.
    Key Performance Indicators or KPIs are used to measure the achievement of critical success factors. With KPIs you measure the achievement of CSFs.
    Metric is, by definition, something that is measured and reported to help manage a process, IT service or activity. So this is the direct item that you measure.

    For example, CSF is: Maintain quality of IT services.
    KPIs are: Total number of incidents, Size of current incident backlog for each IT service, Number and percentage of major incidents for each IT service... If you put KPIs in a time constraint, you'll get a trend. E.g. in the last quarter or in the last twelve months.

    See the article "Facing reality – measurements in ITIL" https://advisera.com/20000academy/blog/2013/04/02/facing-reality-measurements-itil/ to learn more.
  • Email disclaimer

    2. Does the law from 2007, EU Directive 2003/58/EC, apply? We are a Bulgarian company which has an online shop to sell mobile gadgets in Germany. We just send emails to customers who made an order with us or contacted us via the website contact form. No marketing is done.

    Answers:

    1. There is no requirement regarding placing email disclaimers, so you can use regular confidentiality or IP related disclaimers; there is no need to mention anything about processing of personal data. For this you should use privacy notices.

    2. Directive 2003/58/EC will still be applicable after the 25th of May once the EU GDPR becomes enforceable.

    To learn more about privacy notices check out our webinar “Privacy Notices Under the EU GDPR” (https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/).
  • Are we a data processor or controller?


    Answer:

    For the billing part you don't need to do anything as both you and the customers are data controllers for separate processing activities. As regards the data of your customers' employees which you process for the purpose of booking meeting rooms, you are doing that as a data processor.

    For the last instance the controller should be the one responsible for engaging you to sign a DPA.

    To learn more about controllers and processors check out our free “EU GDPR Foundations Course” https://advisera.com/training/eu-gdpr-foundations-course//
  • Marketing emails

    2. Can I do it only if they consented to receive marketing emails from me, or maybe to customers who have an account with the store but have not necessarily subscribed to marketing emails?
    3. If I send an email newsletter only to those that checked a relevant checkbox (so they agreed to receive them) and I had some basic information about how their data is used in my privacy policy (so not as detailed as GDPR requires, so it might not have had all the information that is necessary under GDPR), does that mean that I have to get their consent again in order to send them email, and to do it before the 25th? Or in that case does the law not work backwards, so the "old" consent is valid and I can continue to send the newsletters?

    Answers:

    1. No, you cannot send marketing e-mail to a customer that didn’t finish his order, because consent is needed for direct marketing unless you send out marketing materials to existing customers (see the answer to your question number 3). In order to be valid, the consent from a customer must be a freely given, specific, informed and unambiguous indication of the individual’s wishes (https://advisera.com/eugdpracademy/gdpr/conditions-for-consent/ ). The principle of “opt-in” is a must, meaning no processing can take place until consent is assured. A data controller is required to be able to demonstrate that consent was given. Not finishing the order means that his consent is ambiguous and doesn’t represent a clear indication of the individual’s wishes. You can however send a reminder that the customer did not finish his/her order.

    2. Yes, you can send your customers direct marketing e-mails ONLY if they consented. To the customers who have only a store account but haven’t subscribed to marketing e-mails you cannot send marketing e-mails.

    3. You are required to get consent only for new customers; for the existing customers you can rely on legitimate interest to carry out your marketing activities. For prospects and leads you may need to obtain their consent if you want to send them marketing materials. You can continue sending marketing emails to your existing clients based on legitimate interest, provided you leave them the choice to refuse marketing (opt out), whereas for prospects most likely you need their consent. So, unless you have appropriate grounds for processing personal data for marketing purposes, you should not send marketing.

    To find out more about consent you can check out our webinar “How to handle consents under GDPR” (https://advisera.com/eugdpracademy/webinar/how-to-handle-consents-under-gdpr-free-webinar-on-demand/) as well as our free “EU GDPR Foundations Course” (https://advisera.com/training/eu-gdpr-foundations-course//).
  • Controls identification


    Answer: First it is important to understand that controls are not part of the risk assessment step in the risk management process. In the risk assessment the main output is the valuation of the risk (either in a quantitative or qualitative form). Controls are part of the risk treatment, identified after you define that a risk needs to be mitigated by implementing one or more controls.

    This material will provide you further explanation about risk assessment and treatment:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/ in-english/

    Considering that, although ISO 27001 clause 6.1.3 b) (which covers Information security risk treatment) only requires that controls are determined, if you do not use numbering it will be more difficult to track them in the process, because this clause also requires the controls from Annex A to be taken into account in the controls selection and in the elaboration of the Statement of Applicability, and the controls of Annex A are identified by numbers.

    So, the main point is - you do not need to use control numbers in risk treatment, but this will make your job much harder.

    This article will provide you further explanation about controls selection:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    These materials will also help you regarding controls selection:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Control A14.1.1


    This document does not have a lot of details and seem unrelated to the topic of acquiring a new information system. Can you please help by providing examples on this doc?

    Answer: The basic difference between internally developed and acquired information systems is that when systems are acquired, the information systems requirements identified in this template should be included in the contract or service agreement established between the organization and the supplier. When the information system is developed internally, the information in this template is included in the organization's development process.

    Here are some examples for each field in this template, considering the information system will be acquired:
    - Name of information system: Contract Payment Reporting System (CPRS)
    - Version of existing information system: New system to be acquired (the information in this field will define which and how acquiring information will be included in the "Method of checking and testing implemented security controls")
    - Impact value from risk assessment: 7 (in a scale from 1 to 9)
    - Functional specification of the information system: The system must maintain information that identifies each entity in the contract, including: entity name, entity ID number, entity contact information, etc.
    - Necessary automated controls: The system must prevent the duplicate entry of contract records (e.g., by editing contract ID numbers or entity names). The system must provide an on-line warning message to the user when duplication is identified.
    - Necessary manual controls: The system must only send information about contracts after an authorized user approves the request.
    - Method of checking and testing implemented security controls: The security controls in the acquired CPRS will be tested by an independent party using as reference the ISO 15048:2008 - Information technology -- Security techniques -- Evaluation criteria for IT security -- Part 3: Security assurance components
  • Documentation examples


    Answer: Included in the toolkit you bought you have access to video tutorials explaining how to fill in some templates with real data (e.g., document control procedure, internal audit procedure, procedure for corrective action, risk assessment, risk treatment plan, etc.).
  • DPIA Register template

    2. Can 06.2 & 06.3 templates be used as it is to be available for use when needed? Is it necessary to allocate to it a Confidentiality Level?

    Answers:

    1. You can edit the DPIA Register to better suit your specific business needs, especially in terms of the questions which are not marked as mandatory.
    2. The templates themselves are not confidential since they are drafted by the EU Commission. However, when filling them in with all the details you can apply to them the same confidentiality level as the commercial contract which they refer to.

    To learn more about the EU GDPR check out our free “EU GDPR Foundations Course” https://advisera.com/training/eu-gdpr-foundations-course//
  • Data subject access request procedure

    Is this definitely right? Where is the reference in the GDPR legislation?

    Answer:

    The EU GDPR is considered in legal terms as “lex generalis” which means that it can be overridden by specific legal obligations such as the ones referring to copyright as well as attorney – customer communication.

    There is no specific text in the GDPR but it is a well known fact.
  • Internal audits scope


    Answer:

    Internal audits are required on all QMS processes and all ISO 9001 clauses, even an internal audit including in its scope the internal audits.

    The following material will provide you information about the internal audits:
    - ISO 9001 – How to prepare for an internal audit - https://advisera.com/9001academy/blog/2017/09/26/iso-9001-how-to-prepare-for-an-internal-audit/
    - Five Main Steps in ISO 9001 Internal Audit https://advisera.com/9001academy/knowledgebase/five-main-steps-in-iso-9001-internal-audit/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/