Search results

Home / Search

Category:
Select
Select

11270 results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • EU GDPR article 28

    1. If a systems builder installs several workstations with different applications at a customer and needs to log information on those systems (not per se an audit trail) to be able to debug what went wrong between these systems, and the customer is happy to provide these logs or even (continuous) access to the systems to have things debugged, but the logs may contain privacy related information, then what do you do? Warn systems users that their actions are logged?Demand that customer anonimifies the logs / State we uphold privacy and use logs only for debugging our systems and not for audit trail? Do we need a processor agreement for that? Who provides it?
    2. Do processor agreements need to be signed by both parties?
    3. Do you need to actively request a website visitor to accept cookies and read the privacy statement even if you do not use personal information that is collected, e.g. by google analytics and similar 3rd party tools? Or is it enough just to link to a disclaimer or legal statement on these pages…

    Answers:

    1. If the users are having access to personal data you need to ensure that they are bound by the duty of confidence. This is a requirement of EU GDPR article 28.(3)e – Processors (https://advisera.com/eugdpracademy/gdpr/processor/). You can also have a pop up message to the users that they are about to access personal data.
    2. If possible the customer should try to anonymize the personal data and if is not possible a Data Processing Agreement should be signed by you as the data processor and your customer as the data controller. This need to be legally binding agreement and need to be signed or agreed by both parties.
    3. Is the ePrivacy Directive, which requires websites to gain consent from readers if they want to use cookies to track them. You should have a separate Cookie Policy that need to be accepted by the users. Also, the users must be informed about how they can set up their browsers not to accept cookies.

    If you want to find out more about the processors obligations you can check out our free “EU GDPR Foundations Course” https://advisera.com/training/eu-gdpr-foundations-course//

  • GDPR- opt in or legitimate interest


    Answer:

    No it does not. However bear in mind that “legitimate interest” for marketing activities can be used only in relation with existing customers not for prospective customers.

    Switching to consent doesn't make a difference just make sure that the consent is a freely given, specific, informed and unambiguous indication of the individual’s wishes. You must also keep records so it can demonstrate that consent has been given by the relevant individual.

    To find out more about consent you can check out our webinar “How to handle consents under GDPR” https://advisera.com/eugdpracademy/webinar/how-to-handle-consents-under-gdpr-free-webinar-on-demand/

  • Data Sharing Agreement


    Answer:

    If you both parties are controllers no Data Processing Agreement is needed.

    However, if one controller needs to send data to another controller outside the EEA you would need to relay on the controller to controller Standard contractual clauses which is document 6.1 of the Toolkit.

    To find more about transfering personal data check out our free EU GDPR Foundations Course https://advisera.com/training/eu-gdpr-foundations-course//

  • ITIL and cloud


    Answer:
    If you already have (or are planning to) have implemented ITIL, there shouldn't be problems if you use cloud to support your operations. Read the article "How ITIL can help cloud services" https://advisera.com/20000academy/blog/2015/07/28/how-itil-can-help-cloud-services/
    to learn more about this.

  • Compliance questionnaire


    Você poderia por gentileza, dar uma orientação em como formular esse questionário?

    (I am doing an academic paper (Article) on information security in which I have to prepare a questionnaire with the purpose of analyzing the adherence of information security adopted in companies with ISO 27002.

    Could you please give guidance on how to formulate this questionnaire?)

    Answer: Basically you have to identify for each control what is required (generally an action followed by the word "should") and formulate a question based on it.

    For example, for control 5.1.1 (Policies for information security), the requirement is:

    "A set of policies for information security should be defined, approved by management, published and communicated to employees and relevant external parties."

    So a proper question would be "Are t here policies for information security defined, approved by management, published and communicated to relevant parties?"
    For reference, I suggest you to take a look at our ISO 27001 Gap Analysis Tool at this link: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/

  • ISO 27001 standard course


    Answer: I'm sorry, but I believe there has been a little misunderstanding regarding standard's structure. The term "clause" is used for separate the content of the main part of the standard, and ISO 27001:2013 has 10 clauses. Regarding Annex A, it has 114 controls, and not 111, and it is organized into 14 parts called "sections".

    These articles will provide you further explanation about ISO 27001:
    - What is IS 27001 https://advisera.com/27001academy/what-is-iso-27001/
    - A first look at the new ISO 27001 https://advisera.com/27001academy/blog/2013/01/28/a-first-look-at-the-new-iso-27001-2013-draft-version/
    - Main changes in the new ISO 27002 https://advisera.com/27001academy/blog/2013/02/11/main-changes-in-the-new-iso-27002-2013-draft-version/

    This material will also help you regarding ISO 27001:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On You r Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/

  • Audit and ISO 22301


    Answer: For an audit program first you have to define if you are going to perform one audit or a series of audits throughout the year. After that you have to define criteria to define individual audits and the auditors that will perform them, the procedure that will be used for the audits, and if you are going to use checklists or not.

    For testing plans first you have to define which kind of test you will perform (e.g., Orientation seminar, Desk check, Plan walk-through, Functional testing, etc.), After that you have to define the tests scope, objectives, and timing, and align these decisions with top management and management heads to develop the necessary details for the test plans.

    These materials will provide you further explanation about internal audit and test plans:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - How to prepare for an ISO 27001 internal audit (the general concepts are al so applicable to ISO 22301) https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
    - Dilemmas with ISO 27001 & BS 25999-2 internal auditors https://advisera.com/27001academy/blog/2010/03/22/dilemmas-with-iso-27001-bs-25999-2-internal-auditors/
    - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
    - How to perform business continuity exercising and testing according to ISO 22301 https://advisera.com/27001academy/blog/2015/02/02/how-to-perform-business-continuity-exercising-and-testing-according-to-iso-22301/

    2 - Also, does ISO 22301 has SoA as in ISO 27001?

    Answer: The statement of applicability is a requirement only for ISO 27001. There is no similar requirement for ISO 22301.

    These materials will provide you further explanation about ISO 22301:
    - What is IS 22301 https://advisera.com/27001academy/what-is-iso-22301/
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/

  • SOA preparation


    Answer: The folders and documents in your toolkit are listed in the exactly order you need to follow in order to implement the ISMS, so you have to prepare the Statement of Applicability after you have finished to fill the Risk Assessment Table and the Risk Treatment Table.

    This article will provide you further explanation about the Statement of Applicability:
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

    These materials will also help you regarding the Statement of Applicability:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

  • Idioma de la documentación del SGSI


    Respuesta: Básicamente sí, porque si tu organización tiene empleados, por ejemplo, en USA, y sólamente hablan inglés, tienes que desarrollar documentación en este lenguaje. Por tanto, el criterio básicamente es desarrollar documentos en el lenguaje de las personas que los tienen que leer. Si todas las personas involucradas en el alcance del SGSI pueden entender el inglés, este puede ser el idioma oficial para toda la documentación, pero si no es así, debes desarrollar los documentos en el lenguaje específico de cada empleado, porque estos son los que los tienen que leer.

    Por cierto, ¿Quieres saber cómo estructurar la documentación de los controles del Anexo A? Este artículo te puede interesar “How to structure the documents for ISO 27001 Annex A controls” : https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/

    Aquí también puedes encontrar una lista de los documentos que son obligatorios en la implementación de la ISO 27001 “Lista de documentos obligatorios exigidos por la norma ISO 27001 (revisión 2013)” : https://advisera.com/27001academy/es/knowledgebase/lista-de-documentos-obligatorios-exigidos-por-la-norma-iso-27001-revision-2013/

    Finalmente, aquí también puedes encontrar recursos gratuitos para tu proyecto de implementación de la ISO 27001 https://advisera.com/27001academy/es/descargas-gratuitas/
Page 758-vs-13485 of 1127 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +