Company Y is clearly acting as a sub-processor of company X; thus, company Y and company X need to have a DPA between themselves. It is definitely not you who needs to sign a DPA with company Y, unless you contract a service directly from them.
I would recommend a minimum level of detail. You could use the following taxonomy as a reference:
Personal data:
☐ Personal master data (e.g., name, surname, date of birth)
☐ Communication data (e.g., telephone, e-mail, address)
☐ Contract master data (contractual relationship, product or contract interest)
☐ Customer history
☐ Contractual invoicing and payment data
☐ Planning and control data
☐ Academic and professional data (training / qualifications, professional experience)
☐ Employment details (work center, job position and department)
☐ IP addresses
☐ Transaction details
☐ Others (please describe)
Sensitive data:
☐ Racial or ethnic origin
☐ Political opinions, religious or philosophical beliefs
☐ Trade union membership
☐ Genetic data
☐ Biometric data
☐ Health data
☐ Sex life or sexual orientation
☐ Criminal record
Article 37 – Designation of the data protection officer
Thank you, Andrei!
Taking consent from a subject
Answer:
If the “subject” is an individual (consumer), then you need the “opt in” consent before engaging them in marketing activities. If, however, by “subject” you refer to a representative of a company, and it is the company you are targeting with the advertising and not the individual, then the “opt out” would be enough.
This is because there is no requirement either to have, or not to have, a document entitled “Code of Ethics”. The document that would show the commitment of an organization to comply with the requirements of the EU GDPR is the “General Data Protection Policy”.
Until I see a “Data Sharing Agreement” I am not sure, but most likely they refer to the same thing, that is, a document regulating how a processor should process the data on behalf of a controller.
Initial steps in ISO 9001
My response:
After getting the management approval the next step would be establishing a project plan – nominate the project manager, the project sponsor, the project team (if needed), define the milestones, deadlines, outputs and budget.
When starting the implementation keep in mind the following:
- Avoid writing too many documents – you should aim at the minimum that is really needed; do not try to write too detailed documents (e.g., risk assessment), as such documents will be improved over time during the regular review process.
Answer: You are right and we are sorry for this mistake. We'll work ASAP to make the correction. Thanks for the feedback.
Training content
Could you advise on the effectiveness of the course module coverage and the sample questions in the training sessions for certification fulfillment?
I am soliciting your expert opinion and any additional details pertaining to the subject matter.
Answer: Our ISO 27001:2013 Foundations course provides basic knowledge about the ISO 27001 structure, requirements and controls, and the ISO 27001 Foundations exam provided at the end of the course is accredited by Exemplar Global (formerly RABQSA), being recognized worldwide.
Our ISO 27001:2013 Internal Auditor Course is also accredited by Exemplar Global (formerly RABQSA), and its content is developed to support attendees in taking the Internal Auditor exam available at the end of the course. This Internal Auditor certification recognizes people who have attained Information Security Management Systems and Management Systems Auditing competencies.
At this moment we do not provide courses related to the ISO 27001 Lead Auditor and ISO 27001 Lead Implementer certifications (but we will soon publish our LI/LA courses). For now, we have this webinar that can help you with preparation for the ISO 27001 Lead Auditor course:
Answer: You can consider the following standards of the ISO 27001 family as the basis for the generic approach to information security:
ISO/IEC 27001 — Information technology — Security techniques — Information security management systems — Requirements
ISO/IEC 27002 — Code of practice for information security controls
ISO/IEC 27004 — Information security management — Monitoring, measurement, analysis and evaluation
ISO/IEC 27005 — Information security risk management
However, the ISO 27000 family also has additional standards that specific industries should consider critical to properly protect information, such as:
ISO/IEC 27017 — Code of practice for information security controls based on ISO/IEC 27002 for cloud services
ISO/IEC 27018 — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
ISO/IEC TR 27019 — Information security for process control in the energy industry
ISO/IEC 27031 — Guidelines for information and communication technology readiness for business continuity
ISO/IEC 27032 — Guideline for cybersecurity
So, a more appropriate statement would be: "ISO 27001, 27002, 27004 and 27005 can provide the basic foundation for the information security posture of any organisation."