Answer: ISO 22301 was designed to be implemented in organizations of any size or industry, so there is no specific recommendation for financial organizations. In a general manner you should consider:
- Ensure the buy-in of your top management for this project
- Make the employees aware of the importance of this implementation
- Identify and involve in the project the right people (the ones with the knowledge, experience and skills to help the implementation).
- Identify the proper implementation strategy
Answer: The control A.10.1.1 - Policy on the use of cryptographic controls defines the guidelines for the use of cryptographic technologies in an organization (e.g., which technologies to use, when, by whom, etc.). So, if you have cryptographic technologies in your organization (like the SSL certificate) you have to consider the implementation of this control to treat risks like:
- IT staff implementing SSL in different ways in different places because there is no general rule about the issue,
- Unauthorized people accessing cryptographic technologies, because there is no list defining who can use it
Answer: Included in your toolkit there is a List of Documents file which correlates each template with the clauses of ISO 27001 it covers.
Clause 6.2 is covered by the template Risk Treatment Plan, which can be found on folder 7.
Critical processes, RTO and RPO
Answer: To identify the business critical processes you must first understand your organization's context and identify your relevant interested parties' requirements (e.g., products and services they demand, delivery conditions, laws and regulations to be fulfilled, etc.). Based on that you can identify which processes are critical to your business.
Regarding RTO and RPO, they are more defined than calculated, because they are based on the needs and expectations of your interested parties, which most of the time reflect clauses in contracts, laws or regulations, and historical data (statistical data can also be present). So, if your definition of RTO or RPO can be supported by a solid justification, it is not mandatory for you to search for a formula to calculate them.
The best way to start is with gap analysis to determine to what level your organization is already compliant with requirements of the standard and what needs to be done to achieve full compliance. According to the results of the gap analysis, you can start planning the implementation project and define all activities to be performed.
2. Ideally a DSAR should be in writing. Under GDPR, can a DSAR be made verbally by the data subject? Must my organization also be prepared to receive DSAR via social media?
Answer:
The Personal data protection policy is aimed to be a commitment of the Company towards achieving compliance with the EU GDPR and could be made public if the Company wants. The Employee data protection policy is meant to regulate within the Company how the HR department uses employees' data and what the conditions are in which those data are processed. So the main difference is the target audience for the two documents.
It is advisable to set up dedicated channels to manage the data subject access requests, and one reason for this would be to make sure you properly identify the data subject, so you would need to ask for certain identification elements.
If you receive the requests via other channels you need to make sure that you can reasonably and accurately identify the data subject before providing the request. There is no obligation for the data subject to use a certain channel and you need to reply nevertheless.
I presume that you are asking why auditees need to be involved in the development of a corrective action after an internal audit. The development of sound corrective actions depends on the determination of the cause(s) of a nonconformity. Normally, auditees are in the best position to identify possible cause(s) and to determine actions to remove or minimize them. Previous versions of ISO 9001 made it mandatory that the management of the audited areas was responsible for the development of corrective actions; ISO 9001:2015 only requires that the audit results should be reported to the relevant management.
The following material will provide you information about the risk-based approach:
I own a sandwich bar and run an advert in my local newspaper that says I am giving a 25% discount off any orders. Consumers can get a voucher for this discount by texting the word “discount” to the advertised number and receive a text message by return that contains the voucher code. The text message they receive will include the standard “Optout reply STOP” statement. Two months later I want to send a text message to all 263 people who replied to the first advert to tell them that I now have another offer which is that when they buy their next order they can have a free drink!
I have one question… which of the following actions would be compliant with GDPR?
1. I cannot send them another text message until I receive their written consent to do so
2. I can send them another text BUT this must only contain a link to my privacy notice where they must provide consent.
3. I can send them another text message as long as I continue to include the “Optout reply STOP” statement
Answer:
1. The general rule is that you must not send marketing emails or texts to individuals without specific consent. There is a limited exception for your own previous customers, often called the ‘soft opt-in’. So, you may use the “soft opt-in” for your existing customers and in this case you need to provide the possibility to the customer to opt out at any time. When I refer to existing customers I mean the customers that actually used the discount voucher. Your legal base for processing would be legitimate interest.
2. You definitely need to provide the information in the privacy notice in both cases.
3. The possibility to opt out has to be provided whenever a message is sent to the data subject. Especially when you don’t use consent as the lawful basis for processing, but legitimate interest.
As we are a reporting tool, the above PII is the only information we request from our customers and store this information in Salesforce (Salesforce is a data processor to us).
We are being requested to sign a Data Processor Agreement with our customers and believe we are more of a Data Controller in this instance. Could you clarify?
Answer:
My understanding is that you are providing a Reporting Software to customers that would be required to register with a username and email to start using the software. For this instance you are a controller because you are determining what information is required from a customer to register.
I assume that the reporting software is addressed to companies rather than individuals. In this instance if the companies as your customer would use the reporting software to process personal data of their individual customers that would make you a processor when providing for example hosting and/or maintenance.
The fact that you don’t have records of consent basically means that you don’t have any consent. Legitimate interest could be used for marketing only if you can prove that how you use individual data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object. If the individuals that you want to send marketing to are already your customers and their details were collected in the context of a sale and the individual was given the ability to opt out at that time, then you can use legitimate interests to send information about the goods and/or services you provide. If you can't rely on legitimate interest you need to reach out to the data subjects to obtain their consent.