Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11270 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
ISO 22301 LA course
From your perspective, is it possible to take only the exam for ISO23001 lead auditor and not do once again the training? Is it something your company is offering?
Answer: The ISO 22301 Lead Auditor exam is the final part of the ISO 22301 Lead Auditor course, so you cannot take the exam without attending the course, unless you are taking a second exam after failing the first one in the allowed time interval.
Besides that, the content about audit methodologies and techniques are only part of the course. You will be presented to ISO 22301 concepts and requirements, as well as the exercises developed during the course are different.
At this moment we are not providing the ISO 22301 Lead Auditor course. -
Communication of information security
“Can you please clarify where we specify what areas need to be known by what group of people?
For example, the NOC personnel are not involved in Legal Matters (A.18) and vice versa Legal department needn’t know about the Incident Management Procedure (A.16). Our aim is that all employees in Scope must know the Scope Document and the IS Policy very well and then know documents that are relevant to their particular domain.”
Answer: Included in the toolkit you bought there is a template called Training & Awareness Plan that you can use to map and organize the competences required for particular areas/skills and which people need to know them. This template can be found on folder 09 Training and Awareness Plan.
Regarding your example, it is important to note that although NOC personnel is not directly responsible for Legal Matters, they provide an important support for the technical evaluation of solutions t o be implemented. Likewise, legal department should be aware of Incident Management Procedure to ensure evidences are properly handled so they can be legally accepted in case when a legal action is needed. It is important to note that information security requires a multidisciplinary approach to be effective, with different areas working together. -
Signing DPA with large companies
Answer:
Usually big companies such as Microsoft, when acting as processors they don`t sign separate DPAs, this would be impossible due to the sheer amount of customers.
However, they have similar DPA clauses regarding their commitment to protect personal in their “Licensing terms and documentation” (https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=46).
To find out more about processors you can also check out our free course “EU GDPR Foundations Course” (https://advisera.com/training/eu-gdpr-foundations-course//) -
IT Provider
Answer:
Company Y is clearly acting as a sub-processor of company X, thus, company Y and company X need to have a DPA among themselves. I definitely not you who needs to sign a DPA with company Y unless you contract directly a service from them.
To find out more about sub processors you can also check out our free course “EU GDPR Foundations Course” https://advisera.com/training/eu-gdpr-foundations-course// -
GDPR Types of data
Answer:
I would recommend a minimum level of detail. You could use the following taxonomy as a reference:
Personal data
□ Personal master data (e.g. Name, surname, date of birth,)
□ Communication data (e.g. telephone, e-mail, address)
□ Contract master data (contractual relationship, product or contract interest)
□ Customer history
□ Contractual invoicing and payment data
□ Planning and control data.
□ Academic and professional data (training / qualifications, professional experience).
□ Employment details (work center, job position and department).
□ IP addresses
□ Transaction details
□ Others………….. (please describe)
Sensitive Data:
☐ Racial or ethnic origin
☐ Political opinions, religious or philosophical beliefs
☐ Trade union membership
☐ Genetic data
☐ Biometric data
☐ Health data
☐ Sex life or sexual orientation
☐ Criminal record
To find out more about data trasnfers you can also check out our free course “EU GDPR Foundations Course” (https://advisera.com/training/eu-gdpr-foundations-course//) -
Article 37 – Designation of the data protection officer
Thank you, Andrei ! -
Taking consent from a subject
Answer:
If the “subject” is a individual (consumer) then you need the “opt in” consent before engaging them in marketing activities. If however by “subject” you refer to a representative of a company and is the company you are targeting with the advertising and not the individual than the “opt out” would be enough.
To find out about consent check put our article “Four main questions for obtaining and managing data subjects’ consent under GDPR” https://advisera.com/eugdpracademy/knowledgebase/four-main-questions-for-obtaining-and-managing-data-subjects-consent-under-gdpr/ -
Code of Ethics
Answer:
This is because there is no requirement to have a “Code of Ethics” or not to have a document entitled like this. The document that would be the one to show the commitment of a organizations to comply with the requirements of the EU GDPR is the “General Data Protection Policy”.
To learn more about the content of such a policy check out our article “Contents of the Data Protection Policy according to GDPR” https://advisera.com/eugdpracademy/knowledgebase/contents-of-the-data-protection-policy-according-to-gdpr/ -
Data Sharing vs Data Processing agreements
Answer:
Until I see a “Data Sharing Agreement” I am not sure but most likely they refer to the same thing that is regulating how a processor should process the data on behalf of a controller. -
Initial steps in ISO 9001
My response:
After getting the management approval the next step would be establishing a project plan – nominate the project manager, the project sponsor, the project team (if needed), define the milestones, deadlines, outputs and budget.
When starting the implementation keep in mind the following:
- Avoid writing too many documents – you should aim at the minimum that is
really needed; do not try to write too detailed documents (e.g., risk assessment), such documents will be improved throughout time during the regular review process.
- Learn which documents and records are mandatory. Here you can find a list of mandatory documents: https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
These materials will provide you information about ISO 9001:2015 implementation:
- Free online training ISO 9001:2015 Foundations Course: https://advisera.com/training/iso-9001-foundations-course/
- Book “Discover ISO 9001:2015 Through Practical Examples”: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/