  • Operations security


    Answer: Controls from section A.12 can be applied both to server systems and to employees' equipment, although most of them generally apply more to servers.

    These articles will provide you further explanation about controls of section A.12:
    - Implementing capacity management according to ISO 27001:2013 control A.12.1.3 https://advisera.com/27001academy/blog/2016/02/22/implementing-capacity-management-according-to-iso-270012013-control-a-12-1-3/
    - How to manage changes in an ISMS according to ISO 27001 A.12.1.2 https://advisera.com/27001academy/blog/2015/09/14/how-to-manage-changes-in-an-isms-according-to-iso-27001-a-12-1-2/
    - Implementing restrictions on software installation using ISO 27001 control A.12.6.2 https://advisera.com/27001academy/blog/2016/02/08/implementing-restrictions-on-software-installation-using-iso-27001-control-a-12-6-2/
    - How to manage technical vulnerabilities according to ISO 27001 control A.12.6.1 https://advisera.com/27001academy/blog/2015/10/12/how-to-manage-technical-vulnerabilities-according-to-iso-27001-control-a-12-6-1/

    These materials will also help you regarding controls of section A.12:
    - ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

    2 - What are operational systems as per ISO 27001?

    Answer: For ISO 27001, operational systems are considered any set of software, hardware, databases and other related assets used in production environments, i.e., the programs, applications and equipment used daily to run the business activities.
  • Applicability of control


    Answer: Controls from section A.17 require more than a plan to be fulfilled (e.g., control A.17.1.2 requires processes, procedures and other controls for maintaining an adequate level of continuity), so a backup plan alone is not going to be enough to meet the requirements of section A.17, and you must consider the development of a Disaster Recovery Plan.

    This article will provide you further explanation about controls selection:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    This material will also help you regarding controls selection:
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Rationalizing RPO


    Answer: Basically, the RPO is the volume of data stored/processed in the time frame before the occurrence of a disruption that the organization accepts to lose. For example, if you have an RPO of 4 hours, it means the organization accepts to lose the data stored/processed in the last 4 hours before the disruptive incident.

    Since the variables used to evaluate such a loss will depend on the business process evaluated, there is no general formula to apply (e.g., for a sales website the number of transactions lost can be a parameter, and for a cloud storage service the volume of data lost can be the parameter). The way to rationalize the RPO is by assessing the damage for different amounts of data loss; then you will be able to recognize what is acceptable and what is not.

    This article will provide you further explanation about RTO and RPO:
    - What is the difference between Recovery Time Objective (RTO) and Recovery Point Objective (RPO)? https://advisera.com/27001academy/knowledgebase/what-is-the-difference-between-recovery-time-objective-rto-and-recovery-point-objective-rpo/
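    The answer above says the RPO is rationalized by assessing the damage for different amounts of data loss, and that once chosen it is the loss window the organization accepts. The following Python is an added example, not part of the original answer or of Advisera's materials: it builds a damage table for candidate RPO values from an assumed transaction rate and value per transaction (both invented here), and checks whether a constructed backup log actually honours a given RPO by finding the worst-case window of un-backed-up data, including the case where an incident strikes long after the last successful backup.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the page): completion times of successful
# backups over one day. The 12:00 run is assumed to have failed, so there is a
# 6.5 h gap between the 08:02 and 14:30 backups.
BACKUP_LOG = [
    "2024-03-01T00:05:00",
    "2024-03-01T04:10:00",
    "2024-03-01T08:02:00",
    "2024-03-01T14:30:00",
    "2024-03-01T16:05:00",
    "2024-03-01T20:01:00",
]


def parse_times(log):
    """ISO-8601 timestamps -> sorted datetimes (sorting guards against an unordered log)."""
    return sorted(datetime.fromisoformat(t) for t in log)


def worst_case_loss_window(log, incident_at=None):
    """Largest interval during which a disruption would lose data not yet backed up.

    This is the maximum gap between consecutive successful backups, and, when an
    incident time is supplied, also the gap from the last backup before the
    incident to the incident itself (the case that matters if backups stopped).
    """
    times = parse_times(log)
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    if incident_at is not None:
        incident = datetime.fromisoformat(incident_at)
        prior = [t for t in times if t <= incident]
        if prior:
            gaps.append(incident - prior[-1])
    return max(gaps) if gaps else timedelta(0)


def meets_rpo(log, rpo_hours, incident_at=None):
    """True when the worst-case loss window never exceeds the agreed RPO."""
    return worst_case_loss_window(log, incident_at) <= timedelta(hours=rpo_hours)


def expected_loss(rpo_hours, transactions_per_hour, value_per_transaction):
    """Damage estimate for one candidate RPO (sales-website style parameter:
    transactions lost). Rate and value are assumptions supplied by the caller."""
    return rpo_hours * transactions_per_hour * value_per_transaction


def rpo_damage_table(candidates, transactions_per_hour, value_per_transaction):
    """Map each candidate RPO (hours) to the monetary loss it implies, so the
    business can pick the largest RPO whose damage is still acceptable."""
    return {
        h: expected_loss(h, transactions_per_hour, value_per_transaction)
        for h in candidates
    }


if __name__ == "__main__":
    # Assumed figures for illustration: 500 transactions/hour, 20.00 each.
    for rpo, loss in rpo_damage_table([1, 4, 24], 500, 20.0).items():
        print(f"RPO {rpo:>2} h -> expected loss {loss:>10,.2f}")
    window = worst_case_loss_window(BACKUP_LOG)
    print(f"worst-case loss window in sample log: {window}")
    print(f"meets 4 h RPO: {meets_rpo(BACKUP_LOG, 4)}")
    print(f"meets 8 h RPO: {meets_rpo(BACKUP_LOG, 8)}")
```

    The damage table gives the business side something concrete to judge against, while the log check is what a practitioner runs against the real backup schedule: a 4-hour RPO is only meaningful if no two successful backups are ever more than 4 hours apart, and a single failed job silently breaks that.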
  • Right to Be Forgotten/Erasure


    Answer:

    The right to be forgotten does not apply when the processing is:

    - necessary for rights of freedom of expression or information;
    - for compliance with a legal obligation under Union or Member State law;
    - in the public interest or carried out by an official authority;
    - for public interest in the area of public health;
    - for archiving or research; or
    - for legal claims.

    So, as you can see, setting up a conventional retention period does not give you the right to object to an “erasure” (right to be forgotten) request.
  • DPO Training

    We can keep personal data of clients once they are no longer our customers.
    (1) True
    (2) False
    The answer as posted on your website is #2. I disagree with this answer. Please help me understand why I am wrong. Here is an example.
    I use a provider of electricity. I then cancel my service with this provider and switch to another. I can still log into the first electricity service provider's website and review my historic bills and they have an account profile on me. This is a legitimate purpose for keeping my personal data even though I am no longer their customer. The same applies for banks, credit cards, etc. Why is the answer false to your question?

    Answer:

    Article 5.1.(e) of the EU GDPR - “Principles relating to processing of personal data” https://advisera.com/gdpr/principles-relating-to-processing-of-personal-data/ states that “no longer than is necessary for the purposes for which the personal data are processed”, which means that indeed once someone ceases to be your customer their data should be deleted. This is the general rule and this is why the correct answer is “No”.

    However, there are some derogations that may apply, such as when there is a legal requirement to keep personal data even if the processing activity is over. Bills and transaction history are usually kept for a certain period of time, between 5 and 10 years, for regulatory purposes, so the legal ground for processing in this case is legal obligation, not legitimate interest.
  • GDPR DPO Job Description


    Answer:

    According to Recital 97 of the GDPR “data protection officers, whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner.”

    Also, art. 38 of the EU GDPR - “The data protection officer may fulfill other tasks and duties” https://advisera.com/eugdpracademy/gdpr/position-of-the-data-protection-officer/ . The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.

    Also, one of the major roles of the DPO is to protect the rights and freedoms of the individuals whose data are collected. If the employee is both appointed as DPO and is also responsible for determining the purposes and means of processing of individuals' data, this conflicting situation would jeopardize the independence of the DPO.

    Signing an additional agreement ensuring that the responsibilities of that other function do not affect the carrying out of the DPO role could be a solution for you if the DPO will not be responsible at all for determining the purposes and means of processing (not only on documents but also in the day-to-day tasks). To be honest, this approach is not foolproof, since it might be difficult in practice for someone to play two conflicting roles.

    Another solution would be to appoint an external DPO, which represents an easy way to solve the conflict of interest issues and the challenges presented by the requirements for independence.

    You can find out more about the role of the DPO from our article “The role of the DPO in light of the General Data Protection Regulation” https://advisera.com/eugdpracademy/knowledgebase/the-role-of-the-dpo-in-light-of-the-general-data-protection-regulation/
  • B2B - Supplier information


    Answer:

    Data belonging to a company, such as company name, address, registration number or VAT code, do not fall under the category of personal data.

    However, if the data refer to an employee of a company, then they are to be considered personal data and fall under the EU GDPR.

    To find out more about personal data you can check out our free EU GDPR Foundations course https://advisera.com/training/eu-gdpr-foundations-course/
  • Users agreement


    Answer:

    You would be able to do that provided you put this information in your website's Privacy Notice.

    To find out more about privacy notices you can check out our webinar Privacy Notices under EU GDPR https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/
  • Cross border processing


    Answer:

    If the data is stored outside the EEA, the answer is yes. Usually Microsoft and Google mention in their T&C or similar documentation where the data will be stored. Check this article https://cloud.google.com/security/gdpr/
  • Supervisory authority

    We are based in Australia and are setting up an (Art 27) Representative office service and a DPO service based out of the UK for Australian businesses to use. Happy to answer questions. Mike Pym. Gordian 02 8075 3805. You must choose a rep service in one of the countries where your relevant data subjects are located, but that rep service can be used for all EU Member States' data subjects. The rep service is different to a DPO, and you will need both in this case. Brexit will make a difference, but what difference only time will tell! Hope that helps.