Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11269 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
GDPR- opt in or legitimate interest
Answer:
No it does not. However bear in mind that “legitimate interest” for marketing activities can be used only in relation with existing customers not for prospective customers.
Switching to consent doesn't make a difference just make sure that the consent is a freely given, specific, informed and unambiguous indication of the individual’s wishes. You must also keep records so it can demonstrate that consent has been given by the relevant individual.
To find out more about consent you can check out our webinar “How to handle consents under GDPR” https://advisera.com/eugdpracademy/webinar/how-to-handle-consents-under-gdpr-free-webinar-on-demand/ -
Data Sharing Agreement
Answer:
If you both parties are controllers no Data Processing Agreement is needed.
However, if one controller needs to send data to another controller outside the EEA you would need to relay on the controller to controller Standard contractual clauses which is document 6.1 of the Toolkit.
To find more about transfering personal data check out our free EU GDPR Foundations Course https://advisera.com/training/eu-gdpr-foundations-course// -
ITIL and cloud
Answer:
If you already have (or are planning to) have implemented ITIL, there shouldn't be problems if you use cloud to support your operations. Read the article "How ITIL can help cloud services" https://advisera.com/20000academy/blog/2015/07/28/how-itil-can-help-cloud-services/
to learn more about this. -
Compliance questionnaire
Você poderia por gentileza, dar uma orientação em como formular esse questionário?
(I am doing an academic paper (Article) on information security in which I have to prepare a questionnaire with the purpose of analyzing the adherence of information security adopted in companies with ISO 27002.
Could you please give guidance on how to formulate this questionnaire?)
Answer: Basically you have to identify for each control what is required (generally an action followed by the word "should") and formulate a question based on it.
For example, for control 5.1.1 (Policies for information security), the requirement is:
"A set of policies for information security should be defined, approved by management, published and communicated to employees and relevant external parties."
So a proper question would be "Are t here policies for information security defined, approved by management, published and communicated to relevant parties?"
For reference, I suggest you to take a look at our ISO 27001 Gap Analysis Tool at this link: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/ -
ISO 27001 standard course
Answer: I'm sorry, but I believe there has been a little misunderstanding regarding standard's structure. The term "clause" is used for separate the content of the main part of the standard, and ISO 27001:2013 has 10 clauses. Regarding Annex A, it has 114 controls, and not 111, and it is organized into 14 parts called "sections".
These articles will provide you further explanation about ISO 27001:
- What is IS 27001 https://advisera.com/27001academy/what-is-iso-27001/
- A first look at the new ISO 27001 https://advisera.com/27001academy/blog/2013/01/28/a-first-look-at-the-new-iso-27001-2013-draft-version/
- Main changes in the new ISO 27002 https://advisera.com/27001academy/blog/2013/02/11/main-changes-in-the-new-iso-27002-2013-draft-version/
This material will also help you regarding ISO 27001:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On You r Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/ -
Audit and ISO 22301
Answer: For an audit program first you have to define if you are going to perform one audit or a series of audits throughout the year. After that you have to define criteria to define individual audits and the auditors that will perform them, the procedure that will be used for the audits, and if you are going to use checklists or not.
For testing plans first you have to define which kind of test you will perform (e.g., Orientation seminar, Desk check, Plan walk-through, Functional testing, etc.), After that you have to define the tests scope, objectives, and timing, and align these decisions with top management and management heads to develop the necessary details for the test plans.
These materials will provide you further explanation about internal audit and test plans:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- How to prepare for an ISO 27001 internal audit (the general concepts are al so applicable to ISO 22301) https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
- Dilemmas with ISO 27001 & BS 25999-2 internal auditors https://advisera.com/27001academy/blog/2010/03/22/dilemmas-with-iso-27001-bs-25999-2-internal-auditors/
- How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
- How to perform business continuity exercising and testing according to ISO 22301 https://advisera.com/27001academy/blog/2015/02/02/how-to-perform-business-continuity-exercising-and-testing-according-to-iso-22301/
2 - Also, does ISO 22301 has SoA as in ISO 27001?
Answer: The statement of applicability is a requirement only for ISO 27001. There is no similar requirement for ISO 22301.
These materials will provide you further explanation about ISO 22301:
- What is IS 22301 https://advisera.com/27001academy/what-is-iso-22301/
- Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/ -
SOA preparation
Answer: The folders and documents in your toolkit are listed in the exactly order you need to follow in order to implement the ISMS, so you have to prepare the Statement of Applicability after you have finished to fill the Risk Assessment Table and the Risk Treatment Table.
This article will provide you further explanation about the Statement of Applicability:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
These materials will also help you regarding the Statement of Applicability:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
Idioma de la documentación del SGSI
Respuesta: Básicamente sí, porque si tu organización tiene empleados, por ejemplo, en USA, y sólamente hablan inglés, tienes que desarrollar documentación en este lenguaje. Por tanto, el criterio básicamente es desarrollar documentos en el lenguaje de las personas que los tienen que leer. Si todas las personas involucradas en el alcance del SGSI pueden entender el inglés, este puede ser el idioma oficial para toda la documentación, pero si no es así, debes desarrollar los documentos en el lenguaje específico de cada empleado, porque estos son los que los tienen que leer.
Por cierto, ¿Quieres saber cómo estructurar la documentación de los controles del Anexo A? Este artículo te puede interesar “How to structure the documents for ISO 27001 Annex A controls” : https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
Aquí también puedes encontrar una lista de los documentos que son obligatorios en la implementación de la ISO 27001 “Lista de documentos obligatorios exigidos por la norma ISO 27001 (revisión 2013)” : https://advisera.com/27001academy/es/knowledgebase/lista-de-documentos-obligatorios-exigidos-por-la-norma-iso-27001-revision-2013/
Finalmente, aquí también puedes encontrar recursos gratuitos para tu proyecto de implementación de la ISO 27001 https://advisera.com/27001academy/es/descargas-gratuitas/ -
Meeting the requirements of the Regulation
Answer:
Where consent has been given under the Data Protection Directive, it will continue to be valid under the EU GDPR if it also meets the requirements of the Regulation.
This may be difficult given the new and stringent requirements for consent. In theory, you should therefore consider approaching your existing customers to obtain a fresh consent that is valid under the EU GDPR. Be aware that opt-out consents are not valid under the EU GDPR.
Basically you need to benchmark the consents you already have against the requirements of the EU GDPR and if the consent s meet those requirements you need to do nothing if they don`t you need to reach out to the individuals to get new compliant consents.