Search results

Home / Search

Category:
Select
Select

11272 results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Transmission of data to third countries


    Answer:

    You should first check the iCloud Privacy Policy because it might be that the data for EU users are stored in Europe.

    To find out about data transfers don't miss our webinar “How to make personal data transfers to other countries compliant with GDPR” https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/

  • Policy documentation

    In ISO world, mandatory requirements/documents are related to the words "must" or "shall", while non mandatory requirements/documents are related to words "may"or "should". In ISO 27002, since it provides recommendations for the implementation of controls that may be required as a result of a risk assessment, you will find the guidance ruled by "should", i.e., you only have to consider the recommendations that will help handle the risks you identified as unacceptable.

    You can find more information in this article: Explanation of the basic terminology in ISO standards https://advisera.com/27001academy/blog/2015/01/12/explanation-of-the-basic-terminology-in-iso-standards/

  • ISO 22301 LA course


    From your perspective, is it possible to take only the exam for ISO23001 lead auditor and not do once again the training? Is it something your company is offering?

    Answer: The ISO 22301 Lead Auditor exam is the final part of the ISO 22301 Lead Auditor course, so you cannot take the exam without attending the course, unless you are taking a second exam after failing the first one in the allowed time interval.

    Besides that, the content about audit methodologies and techniques are only part of the course. You will be presented to ISO 22301 concepts and requirements, as well as the exercises developed during the course are different.

    At this moment we are not providing the ISO 22301 Lead Auditor course.

  • Communication of information security


    “Can you please clarify where we specify what areas need to be known by what group of people?

    For example, the NOC personnel are not involved in Legal Matters (A.18) and vice versa Legal department needn’t know about the Incident Management Procedure (A.16). Our aim is that all employees in Scope must know the Scope Document and the IS Policy very well and then know documents that are relevant to their particular domain.”

    Answer: Included in the toolkit you bought there is a template called Training & Awareness Plan that you can use to map and organize the competences required for particular areas/skills and which people need to know them. This template can be found on folder 09 Training and Awareness Plan.

    Regarding your example, it is important to note that although NOC personnel is not directly responsible for Legal Matters, they provide an important support for the technical evaluation of solutions t o be implemented. Likewise, legal department should be aware of Incident Management Procedure to ensure evidences are properly handled so they can be legally accepted in case when a legal action is needed. It is important to note that information security requires a multidisciplinary approach to be effective, with different areas working together.

  • Signing DPA with large companies


    Answer:

    Usually big companies such as Microsoft, when acting as processors they don`t sign separate DPAs, this would be impossible due to the sheer amount of customers.

    However, they have similar DPA clauses regarding their commitment to protect personal in their “Licensing terms and documentation” (https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=46).

    To find out more about processors you can also check out our free course “EU GDPR Foundations Course” (https://advisera.com/training/eu-gdpr-foundations-course//)

  • IT Provider


    Answer:

    Company Y is clearly acting as a sub-processor of company X, thus, company Y and company X need to have a DPA among themselves. I definitely not you who needs to sign a DPA with company Y unless you contract directly a service from them.

    To find out more about sub processors you can also check out our free course “EU GDPR Foundations Course” https://advisera.com/training/eu-gdpr-foundations-course//

  • GDPR Types of data


    Answer:

    I would recommend a minimum level of detail. You could use the following taxonomy as a reference:

    Personal data

    □ Personal master data (e.g. Name, surname, date of birth,)
    □ Communication data (e.g. telephone, e-mail, address)
    □ Contract master data (contractual relationship, product or contract interest)
    □ Customer history
    □ Contractual invoicing and payment data
    □ Planning and control data.
    □ Academic and professional data (training / qualifications, professional experience).
    □ Employment details (work center, job position and department).
    □ IP addresses
    □ Transaction details
    □ Others………….. (please describe)

    Sensitive Data:

    ☐ Racial or ethnic origin
    ☐ Political opinions, religious or philosophical beliefs
    ☐ Trade union membership
    ☐ Genetic data
    ☐ Biometric data
    ☐ Health data
    ☐ Sex life or sexual orientation
    ☐ Criminal record

    To find out more about data trasnfers you can also check out our free course “EU GDPR Foundations Course” (https://advisera.com/training/eu-gdpr-foundations-course//)

  • Article 37 – Designation of the data protection officer

    Thank you, Andrei !

  • Taking consent from a subject


    Answer:

    If the “subject” is a individual (consumer) then you need the “opt in” consent before engaging them in marketing activities. If however by “subject” you refer to a representative of a company and is the company you are targeting with the advertising and not the individual than the “opt out” would be enough.

    To find out about consent check put our article “Four main questions for obtaining and managing data subjects’ consent under GDPR” https://advisera.com/eugdpracademy/knowledgebase/four-main-questions-for-obtaining-and-managing-data-subjects-consent-under-gdpr/

  • Code of Ethics


    Answer:

    This is because there is no requirement to have a “Code of Ethics” or not to have a document entitled like this. The document that would be the one to show the commitment of a organizations to comply with the requirements of the EU GDPR is the “General Data Protection Policy”.

    To learn more about the content of such a policy check out our article “Contents of the Data Protection Policy according to GDPR” https://advisera.com/eugdpracademy/knowledgebase/contents-of-the-data-protection-policy-according-to-gdpr/
Page 750-vs-13485 of 1128 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +