
  • Audit activities

    We have an internal audit procedure, which defines the auditor requirements, i.e. qualifications, scope, criteria, plan, etc.
    They said we need to audit them and document an audit report of the auditors, and we can even give them minor/major NCs.
    Am I crazy?

    Answer: ISO 27001 clause 9.2 (Internal audit) requires that an organization selects auditors and conducts audits that ensure the objectivity and impartiality of the audit process, and in the situation you mention this means the auditors cannot audit their own work. When you have more than one auditor, they can audit each other's work. In cases where you only have one auditor, the organization must consider hiring an external auditor to audit specifically clause 9.2.

    This article will provide further explanation about internal audit:
    - Dilemmas with ISO 27001 & BS 25999-2 internal auditors https://advisera.com/27001academy/blog/2010/03/22/dilemmas-with-iso-27001-bs-25999-2-internal-auditors/

    These materials will also help you regarding internal audit:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - ISO 27001:2013 INTERNAL AUDITOR COURSE https://advisera.com/training/iso-27001-internal-auditor-course/
  • Impacts of not implementing a standard


    Answer: There is no standard set of consequences if an ISO standard is not implemented in an organization, because these will depend on the applicable laws, contracts, regulations and business objectives, which will vary from organization to organization.

    To help organizations understand this, ISO management standards require that organizations determine the external and internal issues relevant to their purpose that can affect their management system, including the needs and expectations of interested parties (clauses 4.1 and 4.2 of ISO management standards).

    On the other hand, when talking about the benefits of adopting ISO standards, they can be related to:
    - Enhanced competitive edge
    - Reduction of losses due to incidents and nonconformities
    - Reduction of fines due to legal or contractual nonconformity
    - Improvement of internal organization

    These articles will provide further explanation about context, requirements and benefits:
    - Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
    - Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization) https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
    - How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

    These materials will also help you regarding context, requirements and benefits:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Who does the EU GDPR apply to?


    Answer:

    The EU GDPR will apply to the processing of personal data of EU data subjects, regardless of whether the processing activities take place in the EU or not. The EU GDPR is also applicable to entities established outside the EU if they offer goods or services to individuals in the Union, or if they monitor the behavior of individuals in the Union (i.e., profiling activities, tracking individuals’ activities on the internet, etc.)

    The key to understanding when the EU GDPR is applicable is understanding the meaning of “in the Union.” The EU GDPR will only apply to personal data regarding individuals within the Union, while the nationality or habitual residence of those individuals is irrelevant.

    In your case, since the company is based in Brunei, the processing takes place in Brunei and the data subjects are based in Brunei (regardless of whether they are UK citizens), the EU GDPR won't be applicable.

    To learn more about the applicability of the EU GDPR, check out our article “What is it and how does it work?” https://advisera.com/eugdpracademy/what-is-eugdpr/
  • Sensitive personal data


    Answer:

    From the description you provided, the data in your CRM system is indeed personal data, but not a “special category of data” as per article 9 of the EU GDPR – “Processing of special categories of personal data” https://advisera.com/eugdpracademy/gdpr/processing-of-special-categories-of-personal-data/

    The de-identification of data using an ID number or customer number is a measure to protect personal data which is called “pseudonymization”, which is referred to and recommended in article 32 of the EU GDPR – “Security of processing” https://advisera.com/eugdpracademy/gdpr/security-of-processing/ so by all means proceed.

    To find out more about the security of personal data, you can check out our free EU GDPR Foundations Course https://advisera.com/training/eu-gdpr-foundations-course//
  • Collecting personal data

    2) If personal data is transferred from India to one of the EU countries, then will it be considered as transfer to third country?
    3) If we collect personal data from a site like ‘xxx’, will it be a joint controller for us?
    4) In a case, where we are Processor, is Privacy Notice applicable?

    Answers:

    1. The answer is quite simple: “NO”, unless you want to advertise a job. You need the consent of the data subject for sending marketing materials via SMS and email.
    2. If the data exporter is located in India and the data is transferred into the EU, this is not a personal data transfer.
    3. Certainly not; both you and “xxx” would be separate controllers. The only difference is that you obtain the data from a third party, but both you and “xxx” are data controllers of your own separate processing activities.
    4. According to EU GDPR article 13 – “Information to be provided where personal data are collected from the data subject” https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-are-collected-from-the-data-subject/ and article 14 – “Information to be provided where personal data have not been obtained from the data subject” https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-have-not-been-obtained-from-the-data-subject/ the controllers are the ones that need to provide the notice to the data subjects.
    If you want to find out more about privacy notices you can check out our free webinar “Privacy Notices Under the EU GDPR” https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/
  • Implementation duration


    Answer: The time to implement ISO 27001 will depend on many variables, like the size of the organization, the complexity of the scope, the resources available, etc., but in general, for small and medium-sized organizations the implementation duration can vary from 10 to 12 months.

    To get an estimate based on your organization's context, I suggest you take a look at our free ISO 27001/ISO 22301 Implementation Duration Calculator at this link: https://advisera.com/27001academy/free-tools/free-calculator-duration-of-iso-27001-iso-22301-implementation/

    Regarding how many people should be included in the project, there is no definitive number you should consider (this number also depends on the complexity of the scope), but to increase the chances of success, it is important that the persons involved have experience in project management and knowledge of the standard.

    These articles will provide further explanation about ISO 27001:
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
    - Who should be your project manager for ISO 27001/ISO 22301? https://advisera.com/27001academy/blog/2014/12/01/who-should-be-your-project-manager-for-iso-27001-iso-22301/
  • Business Case for the implementation of an ISMS


    Answer: ISO 27001 does not require the development of a business case for ISMS implementation, although the elaboration of such material can be very useful to help you identify business objectives related to information security, to get top management buy-in for this project, and to define top-level objectives for the ISMS (which are mandatory for the standard).

    These articles will provide further explanation about getting top management support:
    - How to gain employee buy-in when implementing cybersecurity according to ISO 27001 https://advisera.com/27001academy/blog/2017/07/03/how-to-gain-employee-buy-in-when-implementing-cybersecurity-according-to-iso-27001/
    - Top management perspective of information security implementation https://advisera.com/27001academy/blog/2012/12/04/top-management-perspective-of-information-security-implementation/

    These materials will also help you regarding top management support:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Preparation of the ISO27k Lead Auditor Exam

    1. Could you share any Case Study or role play exercises.

    Answer: It's our policy not to provide specific answers or materials related to exams.

    2. Does this session require technical skills, such as knowledge of the controls, to answer correctly?

    Answer: For the Lead Auditor course and exam there is no need for deep knowledge about the controls to answer the questions, although basic knowledge will make it easier for you to develop your answers.

    3. Do we have to memorize the Annex A controls for the exam?

    Answer: There is no need to memorize specific information for the exam (you can consult the standard during the exam), but it is important that you understand and memorize the general structure of the standard, because this will let you find what you want faster (e.g., if the question is about leadership, then you can go directly to section 5 of the standard).

    4. In the webinar, you mentioned that we should think of 5 to 6 findings. Do you mean we just arbitrarily think of some security findings, or will there be a case study that asks you for any security findings and to describe the non-conformities?

    Answer: In the exam there will be case studies for you to read and evaluate whether or not they contain non-conformities (5 to 6 findings is the general quantity you can expect). You should note that not all case studies will contain non-conformities (one of the purposes of the exam is just this: to evaluate your understanding and skill in identifying situations that are non-conformities and when they are not).

    5. Lastly, do we have to study the ISMS Manual for the exam?

    Answer: ISO 27001 does not require an ISMS Manual, so this document will not be covered in the exam.
  • Courses for consultants


    Answer: For ISO management system consultants, the recommended courses are the Lead Auditor and Lead Implementer courses. For detailed information about ISO 27001 related courses, I suggest you read these links:
    - What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
    - Lead Auditor Course vs. Lead Implementer Course – Which one to go for? https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/

    We will launch such courses in about 2 months.
  • DPO and Data Management

    2) In one trial, the CRO where I'm working is responsible for Data Management, so here it's clear to me that we are the data processor. But I have another trial where the DM is done by a third party, but we are checking at the sites the patients' data against the CRF data. Does it mean that here we are also the data processor? It's not clear to me in this situation.
    3) Is there any situation where a CRO might have the status of joint data controller? Or is the CRO always the data processor, even if not responsible for the data management?

    Answers:

    The DPO contact details should be provided to the patient when the patient consents to the trial and is presented with the Privacy Notice. Don't forget that the EU GDPR requires that the consent be informed, so the consent form should always be paired with the Privacy Notice.

    In the General Data Protection Notice in the EU GDPR Documentation Toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ there is a dedicated section where the DPO contact details need to be filled in.

    If the processing you do is based on the instructions of the DM, then you are a processor. If, however, you do the processing based on your own judgement, then you are a controller, regardless of whether you receive the personal data from a third party.

    If the CRO decides the scope and means of processing together with another party, then we can assume joint processing. Each situation needs to be assessed in order to establish the controller, processor or joint controller status.

    You should not assume that you are either until you have assessed the particular situation.

    To learn more about controllers and processors, you can check out our article “EU GDPR controller vs. processor – What are the differences?” https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/