
  • Organizational knowledge and processes or individuals


    Answer:

    The first two paragraphs of clause 7.1.6 are about keeping, and sharing when needed, the knowledge necessary to operate processes and to achieve conforming products and services. What I do is: look at each process and list the roles that participate, and determine what kind of knowledge someone in that role needs to be autonomous and make good decisions, aligned with the quality policy and objectives. So, it is about processes and roles more than about individuals. Individuals come in when you look at competencies and clause 7.2.

    The following material will provide you with information about organizational knowledge:

    - ISO 9001 – How to manage knowledge of the organization according to ISO 9001 – https://advisera.com/9001academy/blog/2016/08/30/how-to-manage-knowledge-of-the-organization-according-to-the-iso9001/
    - free online training ISO 9001:2015 Foundations Course – https://training.advisera.com/course/iso-90012015-foundations-course/
    - book – Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Employee security awareness training


    Answer:

    There is no single document explaining to employees what to do and how to treat personal data within a specific company. However, if you take a closer look, each of the policies/procedures in the “EU GDPR Documentation Toolkit” refers to specific tasks that some employees need to undertake in order to ensure compliance with the EU GDPR.

    You can start by going through the documents, beginning with the “Personal data protection policy”, and build up your own list of responsibilities for your employees.

    You can also use our free “EU GDPR Foundations Course” https://advisera.com/training/eu-gdpr-foundations-course// as a reference.
  • Re-consent


    Answer:

    Unless the 20,000 emails belong to the members of the charity, you would need to reach out to get consent from the data subjects before engaging them in email and SMS marketing activities. If you don't have the means to prove that consent was given, it is as if it does not exist.

    Make sure that the consent fulfills the requirements of the EU GDPR, namely that it is a freely given, specific, informed and unambiguous indication of the individual's wishes. You must keep records so you can demonstrate that consent has been given by the relevant individual.

    To find out more about consent you can check out our webinar “How to handle consents under GDPR” (https://advisera.com/eugdpracademy/webinar/how-to-handle-consents-under-gdpr-free-webinar-on-demand/ ) as well as our free “EU GDPR Foundations Course” https://advisera.com/training/eu-gdpr-foundations-course//
  • Resources for ISO 27001 Exam

    That's great, many thanks for your help. Syed.
  • Reaction plan vs Contingency plan


    Answer:

    There is no big difference between a contingency plan and a reaction plan; both plans represent the series of steps that you would take in response to a specified abnormal condition and help to minimize damage. They are often referred to as "Plan B," because they can also be used as an alternative course of action if expected results fail to materialize. The plans are a component of business continuity, disaster recovery and risk management.

    Here you can download a free preview of our Contingency Plan: https://advisera.com/16949academy/documentation/contingency-plan/
  • Data Protection Directive


    Answer:

    Where consent has been given under the Data Protection Directive, it will continue to be valid under the EU GDPR if it also meets the requirements of the Regulation.

    This may be difficult given the new and stringent requirements for consent. In theory, you should therefore consider approaching your existing customers to obtain fresh consent that is valid under the EU GDPR. Be aware that opt-out consents are not valid under the EU GDPR.

    Basically, you need to benchmark the consents you already have against the requirements of the EU GDPR. If the consents meet those requirements, you need to do nothing; if they don't, you need to reach out to the individuals to get new, compliant consents.
  • ISO 27001/GDPR


    Answer:

    ISO 27001 is a standard that specifically deals with information security. ISO 27001 and the GDPR overlap in terms of keeping personal data secure, as required by EU GDPR art. 32 “Security of processing” (https://advisera.com/eugdpracademy/gdpr/security-of-processing/).

    So, basically, adding additional measures as per the ISO 27001 standard to your current security framework will help you to be in compliance with the EU GDPR.

    To learn more about the EU GDPR check out our “EU GDPR Foundations Course” https://advisera.com/training/eu-gdpr-foundations-course//
  • Personal data

    If we give a work-issued cell phone number as part of the contact information does that count as GDPR Personal Data as the number can be called to reach the data subject?

    Answers:

    1. The phone number and email address are personal data because they relate to an individual, regardless of whether they relate to work. The physical address of the data subject is not necessary for the rest of the data set to be considered personal data.
    2. Yes, it does, because the phone number relates to an individual.
  • Writing a non conformity


    Please just give me an example of how to write a finding in an audit report, which should include the finding, the evidence and the clause/requirements.

    Sometimes I find it difficult to determine which control or clause the finding should be written against. For example, if a server was upgraded without raising any change request and without reassessing the risk, what control would that be? It's hard to make a fair judgement.

    Answer: Considering your example, the finding is "A server was upgraded without a proper change request and risk assessment."

    Possible evidence may be:
    - a difference between the information in the inventory of assets and what is effectively in production (e.g., a hardware serial number or an application);
    - the change is scheduled in the maintenance plan, but there is no corresponding change request;
    - there is no evidence that a risk assessment was performed for the server change.

    As for the unfulfilled requirements, the control most related to the situation is control A.12.1.2 (Change management), which requires that changes that affect information security shall be controlled. Regarding the requirement related to the lack of risk assessment, you can mention clause 8.2 (Information security risk assessment), which requires that information security risk assessments be performed at planned intervals or when significant changes are proposed or occur.

    So, a proper nonconformity statement may be:

    Changes that can affect information security are not being properly controlled, compromising the effectiveness of control A.12.1.2 - Change management, and clause 8.2 - Information security risk assessment. Evidence: "The serial number of server XXXX in the production environment is ABC1234, while the serial number recorded for the same server in the inventory of assets is FGH6789," or "The change made on server XXXX on DD/MM/YYYY, according to the maintenance schedule plan from Jan-2018, does not identify the change request that authorized the change," and "There is no evidence that a risk assessment was performed for the server change."

    You should note that writing a nonconformity requires some level of knowledge of the standard and practice in performing audits.

    I suggest you take a look at our free ISO 27001:2013 Internal Auditor Course to learn more about audits at this link: https://advisera.com/training/iso-27001-internal-auditor-course/
  • Template content


    Answer: The values 0, 1 and 2 are the values of the proposed scale for defining consequences and likelihood in the Risk Assessment and Risk Treatment Methodology template that comes with the toolkit you bought. It is important to understand that you have to finish the Methodology document first and then start working on the Excel sheets.

    With the toolkit you bought, you have access to a video tutorial that helps you fill in the Risk Assessment Table and explains these range values.