  • Remittance Group and GDPR

    Another question: if, for the airtime, all the airtime suppliers deal with the service provider and supplier, we are all sub-processors and it is a bilateral relationship. How do we draft it in the processor/sub-processor agreement, as we all could be processor and sub-processor at any time? We can't put it as "A is a processor, B is a sub-processor," as A could be a sub-processor and B could be a processor at any time; they could always change. Their relationship is bilateral. How should we draft the agreement?
  • Email subscription


    Answer:

    If you rely on consent for your marketing activities you need an “opt-in” kind of consent, so silence would not be considered a valid consent.

    To find out more about consent check out our webinar “How to handle consents under GDPR” https://advisera.com/eugdpracademy/webinar/how-to-handle-consents-under-gdpr-free-webinar-on-demand/
  • Landbase Casino GDPR


    Answer:

    From your description you are a data controller for the data of your casino customers as well as your visitors. Being a casino and using MRZ scanners, you are collecting a great deal of personal data, including winnings and maybe “high roller” player profiles. You are most likely also processing high-quality video surveillance footage from your gambling tables.

    So, my conclusion is that the EU GDPR will deeply impact your processing activities, and you would need to have a full-blown EU GDPR compliance program in force to prove compliance. You would need to focus on: privacy notices, managing data subject rights, data protection impact assessments, third-party compliance, data breaches, basically everything.

    In your current situation I am sure that the EU GDPR Documentation Toolkit (https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/) would prove to be a useful tool.
  • EU GDPR Documentation Toolkit


    Answer:

    All the documents in the EU GDPR Documentation Toolkit (https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/) are meant to be cross-industry, so they will most likely need minimal amendment on your part. Based on your description you are acting as a processor for the cinemas to which you provide the software as well as the ticketing services.

    In this case the sections in the Toolkit regarding managing data subject rights and DPIAs would be less relevant to your activity. However, be aware that if you are established in the EU you will be acting as a data controller as regards the data of your employees.

    To learn more about the applicability of the EU GDPR check out our free “EU GDPR Foundations Course” (https://advisera.com/training/eu-gdpr-foundations-course//).
  • GDPR and private site


    Answer:

    Based on your description you are processing personal data of users on your website, especially the ones that fill in the contact form and those to whom you are sending newsletters. In this case you are acting as a data controller, and yes, the EU GDPR is applicable to you regardless of whether you are a company or not.

    As per art. 4(7) – Definitions (https://advisera.com/gdpr/definitions/) of the EU GDPR, controller means “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law”.

    To learn more about the applicability of the EU GDPR check out our free “EU GDPR Foundations Course” https://advisera.com/training/eu-gdpr-foundations-course//
  • Residual risk in the risk assessment process


    Answer: You have to calculate the residual risk after the definition of the risk treatment to be applied. At this point the residual risk is the risk value you expect to achieve with the implementation of the controls. After the implementation of the controls, the risk value you measure will confirm whether the previously calculated value is correct, or whether you have to make adjustments in the control implementation.

    These articles will provide you further explanation about risk assessment:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - Why is residual risk so important? https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/

    These materials will also help you regarding risk assessment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • ISO 27017 controls

    For explanations about some ISO 27017 controls I suggest these articles:
    - ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
    - Resolving cloud security concerns by defining clear responsibilities according to ISO 27017 https://advisera.com/27001academy/blog/2016/08/23/resolving-cloud-security-concerns-by-defining-clear-responsibilities-according-to-iso-27017/
    - Network segregation in cloud environments according to ISO 27017 https://advisera.com/27001academy/blog/2016/09/26/network-segregation-in-cloud-environments-according-to-iso-27017/
    - How to use ISO 27017 to manage legal risks related to geographical location https://advisera.com/27001academy/blog/2016/09/19/how-to-use-iso27017-to-manage-legal-risks-related-to-geographical-location/
  • Becoming an ISO 27001 Lead Auditor


    Answer: To obtain an ISO 27001 Lead Auditor certification you should attend an ISO 27001 Lead Auditor course, so you can understand the concepts of the ISO 27001 management system and the processes and techniques involved in an audit (there is no need to get the Lead Implementer certification first), and pass the exam at the end of the course.

    These articles will provide you further explanation about becoming a lead auditor:
    - How to become ISO 27001 Lead Auditor https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/

    These materials will also help you regarding auditing:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - ISO 27001 Lead Auditor Course preparation training [free webinar on demand] https://advisera.com/training/iso-27001-lead-auditor-course/
  • Toolkit content

    Do you have any additional templates I can buy? And any other policies and documentation related to incident management that are not included in the toolkit? Also, I need a password policy for the organization, as I cannot find it in the toolkit I bought.

    Answer: The Incident Management Procedure and Incident Log templates (located in folder 8 (Annex A), sub-folder A.16 (Information security incident management)) and the Disaster Recovery Plan template (located in folder 8 (Annex A), sub-folder A.17 (A.17 Business Continuity 04 Business Continuity Plan)) included in your ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit are sufficient to fulfil ISO 27001, ISO 27017, and ISO 27018 requirements, but if you feel you still need more details or documents to cover your processes, you can schedule a meeting with one of our experts, so he can guide you on the best approach to fulfil your needs. You can schedule a meeting through this link: https://advisera.com/27001academy/consultation/

    Regarding the password policy, these documents included in your toolkit cover this issue:
    - Access Control Policy
    - Password Policy

    Both are located in folder 8 (Annex A), sub-folder A.9 Access control, and the Password Policy may be implemented as a separate document or as part of the Access Control Policy.
  • Privacy and information classification


    Answer: Since private information, if compromised, can normally cause significant damage to the natural person to which it is related, as well as to the organization itself in terms of reputation, damage control, and legal actions, it should be classified in one of the highest levels of classification available, if not in the highest level.

    This article will provide you further explanation about information classification:
    - Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/

    These materials will also help you regarding information classification:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/