
  • Personal data

    If we give a work-issued cell phone number as part of the contact information does that count as GDPR Personal Data as the number can be called to reach the data subject?

    Answers:

    1. The phone number and email address are personal data because they relate to an individual, regardless of whether they relate to work. The physical address of the data subject is not necessary for the rest of the data set to be considered personal data.
    2. Yes it does, because the phone number relates to an individual.
  • Writing a non-conformity

    Please just give me an example of how to write a finding in an audit report, which should include the finding, evidence and clause/requirements?

    Sometimes, I find difficulties in determining which control or clauses should be for the finding. For example, if the server upgrade didn't raise any change request and failed to reassess the risk. What control would that be? It's hard to make a fair judgement.

    Answer: Considering your example, the finding is "A server was upgraded without a proper change request and risk assessment."

    Possible evidence may be:
    - a difference between the information in the inventory of assets and what is effectively on production (e.g., a hardware serial number or an application);
    - the change is scheduled in the maintenance plan but there is no corresponding change request;
    - there is no evidence that a risk assessment was performed for the server change.

    As for the non-fulfilled requirements, the control most related to the situation is control A.12.1.2 (Change management Control), which requires that changes that affect information security shall be controlled. Regarding the requirement related to the lack of risk assessment, you can mention clause 8.2 (Information security risk assessment), which requires that information security risk assessments must be performed at planned intervals or when significant changes are proposed or occur.

    So, a proper non-conformity statement may be:

    Changes that can affect information security are not being properly controlled, compromising the effectiveness of control A.12.1.2 - Change management Control, and clause 8.2 - Information security risk assessment. Evidence: "The serial number of server XXXX in the production environment is ABC1234, while the serial number recorded for the same server in the inventory of assets is FGH6789," or "The change made on server XXXX at DD/MM/YYYY, according to the maintenance schedule plan from Jan-2018, does not identify the change request that authorized the change," and "there is no evidence that a risk assessment was performed for the server change."

    You should note that writing a non-conformity requires some level of knowledge of the standard and practice in performing audits.

    I suggest you take a look at our free ISO 27001:2013 Internal Auditor Course to know more about audits at this link: https://advisera.com/training/iso-27001-internal-auditor-course/
  • Template content

    Answer: The values 0, 1 and 2 are the values for the proposed scale for defining Consequences and Likelihood in the Risk Assessment and Risk Treatment Methodology template that comes with the toolkit you bought. It is important to understand that you have to finish the Methodology document first and then start working on the Excel sheets.

    With the toolkit you bought you have access to a video tutorial that can help you fill in the Risk Assessment Table and explains these range values.
  • Risk assessment and treatment process

    Is the sequence in the last steps (SoA vs risk treatment plan) interchangeable or is there a correct way?

    Answer: The ISO 27001 risk treatment consists of these requirements (exactly in this order):
    - Selection of applicable risk treatment options
    - Determination of necessary controls to implement the chosen options
    - Comparison of determined controls against ISO 27001 Annex A
    - Elaboration of the Statement of Applicability
    - Formulation of the Risk Treatment Plan
    - Approval of the Risk Treatment Plan and residual risks

    The standard follows this order because, besides the results of the risk assessment, the risk treatment plan must also consider applicable legal requirements and top management decisions when defining actions, resources and deadlines to implement a control, and this information is found in the SoA justification for control inclusions.

    These articles will provide you with further explanation about risk treatment and the SoA:
    - 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - Risk Treatment Plan and risk treatment process – What’s the difference? https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

    This material will also help you regarding risk treatment:
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • How to present the documents in the audit

    It is not necessary to have all the mandatory documents printed for the internal audit; as long as all the mandatory documents are correctly coded and identified in digital form, the documentary part of the ISO 9001:2015 standard would be fulfilled.
    For more information, see the article "How to prepare your company for the certification audit" (in English): https://advisera.com/9001academy/03/how-to-prepare-your-company-for-the-iso-9001-certification-audit/#
    These materials may also be useful for the implementation project and the subsequent audit:
    - Book "Preparation for the ISO certification audit: a plain-language guide" (Spanish edition): https://advisera.com/books/preparacion-para-la-auditoria-de-certificacion-iso-una-guia-en-un-lenguaje-sencillo/
    - ISO 9001:2015 Foundations Course (in Spanish): https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
    - Online compliance tool: https://advisera.com/conformio/
  • Deadlines for acceptance of documents

    I recommend you set the deadlines for the acceptance of individual documents in accordance with the project files. It is important to follow the structure of the toolkit (the folders are numbered for the optimal implementation) when implementing the standard, and of course, not to skip the folders.
    This book can help you with the implementation project: "Preparations for the ISO implementation project: a plain English guide": https://advisera.com/books/preparations-for-the-iso-implementation-project-a-plain-english-guide/
  • Starting off ISO 9001:2015

    Here are some tips that should help you to avoid most of the problems during the implementation:
    - Get real management support – enough money, enough human resources. For this purpose the business benefit of the project needs to be communicated to the top management.
    - Establish project structure – nominate the project manager, the project sponsor, the project team (if needed), define the milestones, deadlines, outputs and budget.
    - Do not try to write too many documents – you should aim at the minimum that is really needed; do not try to write too detailed documents (e.g., risk assessment) – such documents will be improved throughout time during the regular review process.
    - Learn which documents and records are mandatory. In this article you can find the mandatory documents and those which are recommended: https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
    These materials will provide you with information about ISO 9001:2015 implementation:
    - Free online training ISO 9001:2015 Foundations Course: https://advisera.com/training/iso-9001-foundations-course/
    - Book "Discover ISO 9001:2015 Through Practical Examples": https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Privacy notice

    Answer:

    Yes, you can do that. Alternatively you can also send the privacy notices to the employers instead of the data subjects. This may save you some time.

    To find out more about privacy notices check out our webinar “Privacy Notices under the EU GDPR” https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/
  • Questions in the DPIA

    Or is there a need for extending the questionnaire?
    Can you help me with putting a sample example of one process in the DPIA register?

    Answers:

    The DPIA register is meant to be used as a tool to assess the risks related to a processing activity. Based on EU GDPR art. 35 – “Data protection impact assessment” (https://advisera.com/eugdpracademy/gdpr/data-protection-impact-assessment/), the need to perform a DPIA is assessed by the controller, and this first assessment is done through the first 5 questions in the DPIA register.

    The questions within the DPIA register are consistent with the EU GDPR requirements, but there is nothing keeping you from adding additional questions and customizing the document for your needs.

    To find out more about how to perform DPIAs you can check out our free webinar “Seven steps of Data Protection Impact Assessment (DPIA) according to EU GDPR” (https://advisera.com/eugdpracademy/webinar/seven-steps-of-data-protection-impact-assessment-dpia-according-to-eu-gdpr-free-webinar-on-demand/) as well as our article “5 phases of the EU GDPR Data Protection Impact Assessment” https://advisera.com/eugdpracademy/knowledgebase/5-phases-of-the-eu-gdpr-data-protection-impact-assessment/
  • GDPR Regions planning

    Answer:

    The US is out of the question; Canada, however, because it is one of the countries that was issued an adequacy decision, may very well make some changes to its data protection legislation to match the requirements of the EU GDPR.

    Other countries such as Switzerland also announced that they will try to mirror the requirements of the EU GDPR in their own local laws.

    If you want to find out more about the EU GDPR you can check out our free “EU GDPR Foundations Course” https://advisera.com/training/eu-gdpr-foundations-course//