Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11272 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Is life-cycle analysis necessary for ISO 14001 implementation
Answer:
LCA (life-cycle analysis) is required by the standard during the assessment of environmental aspects and their impacts. The organization needs to identify life-cycle stages of its product or service and assess environmental aspects emerging in each stage and define appropriate controls for each significant environmental aspect.
For more information, see: Lifecycle perspective in ISO 14001:2015 – What does it mean? https://advisera.com/14001academy/blog/2017/02/20/lifecycle-perspective-in-iso-140012015-what-does-it-mean/
These materials will also help you regarding LCA:
- Book THE ISO 14001:2015 COMPANION https://advisera.com/books/the-iso-14001-2015-companion/
- Free online training ISO 14001:2015 Foundations Course https://advisera.com/training/iso-14001-internal-auditor-course/
- Conformio (online tool for ISO 14001) https://advisera.com/conformio/ -
DPIA
2. What changes can be proposed as part of remediation plan (some examples will be enough)?
3. Data Mapping and how to conduct this?
4. And any other information which I could add in my CV to get the role. Obviously, once I will get the role, I will be contacting you for your help (and will pay your fee for your assistance). But in order to get the job of BA of GDPR, I need these information.
Answers:
1. A Data Protection Impact Assessment is basically an assessment of the likelihood and severity of risks for the rights and freedoms of individuals resulting from a processing operation. Data controllers will be required to undertake DPIAs prior to data processing – in particular processing using new technologies - which is likely to result in a high risk for the rights and freedoms of individuals (Article 35 - Data protection impact assessment - https://advisera.com/eugdpracademy/gdpr/data-protection-impact-assessment/
The EU GDPR provides the some non-exhaustive list of cases in which DPIAs must be carried out:
- automated processing for purposes of profiling and similar activities intended to evaluate personal aspects of data subjects (e.g. automatic credit checking performed by banks or other financial institutions)
- processing on a large scale of special categories of data or of data relating to criminal convictions and offences (e.g. processing of mental information by a psychiatric clinic);
- systematic monitoring of a publicly accessible area on a large scale (e.g. CCTV)
If you want to have a more in depth view on how to actually perform a DPIA the following materials would be helpful:
- Article 29 Working Party - “Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679”
- Free webinar “Seven steps of Data Protection Impact Assessment (DPIA) according to EU GDPR” - https://advisera.com/eugdpracademy/webinar/seven-steps-of-data-protection-impact-assessment-dpia-according-to-eu-gdpr-free-webinar-on-demand/
- Article “5 phases of the EU GDPR Data Protection Impact Assessment” - https://advisera.com/eugdpracademy/knowledgebase/5-phases-of-the-eu-gdpr-data-protection-impact-assessment/
- Document: “Data Protection Impact Assessment Methodology” -https://advisera.com/eugdpracademy/documentation/data-protection-impact-assessment-methodology/;
- Document: “DPIA Register”- https://advisera.com/eugdpracademy/documentation/dpia-register/;
2. The risk mitigation measures derived form a DPIA may greatly vary depending on the processing activity that is subject to the DPIA.
For some examples of mitigation measures derived from a DPIA in CCTV you can access our webinar on “Seven steps of Data Protection Impact Assessment (DPIA) according to EU GDPR” - https://advisera.com/eugdpracademy/webinar/seven-steps-of-data-protection-impact-assessment-dpia-according-to-eu-gdpr-free-webinar-on-demand/
3. For the data mapping there is a specific guidance document in our EU GDPR Toolkit that would most likely shed some light on how to go through the data mapping exercise. You can find the “ Inventory of Processing Activities” here : https://advisera.com/eugdpracademy/documentation/inventory-of-processing-activities/
4. As for other things to add to your CV I would suggest getting acquainted with the EU GDPR provisions and attending our EU GDPR Foundations Course (https://advisera.com/training/eu-gdpr-foundations-course//#reviews) and the EU GDPR Data Protection Officer Course https://advisera.com/training/eu-gdpr-data-protection-officer-course/#reviews -
Applicability of controls
Delete this item if control A.9.2.1 is marked as inapplicable in the Statement of Applicability
This implies that Access Control may not be mandatory. However, it seems a bit against the principles of ISO 27001 to disregards Access Control to information assets. In the documentation I find elsewhere seems to indicate that this is in fact mandatory.
Would you care to elaborate on that, for me, please?
Answer: A control from Annex must be applied only if one of the following occurs:
- There are risks identified as unacceptable in the risk assessment that require the implementation of the control
- There are legal requirements (e.g., laws, regulations, contracts, etc.) that require the implementation of the control
- There is a top management decision requiring the implementation of the control
If none of these occurs there is no need to implement a control considering ISO 27001 requirements.
These articles will provide you further explanation about risk assessment:
- ISO 2700 1 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
These materials will also help you regarding risk assessment:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/ -
Lead auditor course
Answer: Some organizations that offer such course are:
- BSI: https://www.bsigroup.com/en-GB/iso-22301-business-continuity/iso-22301-training-courses/iso-22301-lead-auditor/
- Continuity Link: https://www.continuitylink.com/public/en/training.php?id=iso22301-la
Through the above links you can choose a country and search for a suitable location from where you can attend the course. -
ISO 27031
Answer: ISO 27031 provides detailed guidance on how to deal with the continuity of ICT elements to ensure that the organization’s processes will deliver the expected results to its clients. It can be used as a tool to implement the technical part of ISO 22301, or the section A.17.1 of Annex A of ISO 27001 standard.
Regarding the deliverables, they will depend on the business impact analysis (when supporting ISO 22301) or the results of risk assessment (when supporting ISO 27001), but in a general manner they will cover these areas:
- Key competencies and knowledge
- Facilities
- Technology
- Data
- Processes
- Suppliers
This article will provide you further explanation about ISO 27031:
- Understanding IT disaster recovery according to ISO 27031 https://advisera.com/27001academy/blog/2015/09/21/understanding-it-disaster-recovery-according-to-iso-27031/ -
EU GDPR document
Answer:
Not really, it is not a typo. The document is a standard template issued by the EU Commission to be used as a safeguard when sending data outside EU. Moreover, the document should not be altered but only the blanks need to be filled in.
The term “Community” refer to the European Union so the document is to be used whenever personal data is transferred outside the European Union (Community) to countries that don’t have an adequacy decision. To find out which countries have adequacy decisions please check put this link :https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en
If you want to have more insight on cross- border data transfer you can attend our online “EU GDPR Foundations Course” https://advisera.com/training/eu-gdpr-foundations-course// -
Risk management
Answer:
It is not a mandatory documented process.
You can’t skip this clause by only documenting risk management/ assessment on your company objective.
Look clause 4.4.1 f) your organization should handle risks and opportunities about your processes
Look clause 5.1.2 b) your organization should handle risks and opportunities about the conformity of products and services.
The following material will provide you information about the risk-based approach:
- ISO 9001 – How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
- Risk-based thinking replacing preventive action in ISO 90 01:2015 – The benefits - https://advisera.com/9001academy/knowledgebase/risk-based-thinking-replacing-preventive-action-in-iso-90012015-the-benefits/
- ISO 9001:2015 Risk Management Toolkit - https://advisera.com/9001academy/iso-90012015-risk-management-toolkit/
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
Adjustments for EU GDPR
Answer: Basically you have to implement controls such as top-level Data Protection Policy, Inventory of Processing Activities, consents, Data Protection Impact Assessment, agreements with processors, regulate the transfer of data outside of the EU, etc.
I suggest you to download the List of documents file of our EU GDPR & ISO 27001 Integrated Documentation Toolkit at this link: https://advisera.com/wp-content/uploads//sites/15/2017/11/List_of_documents_EU_GDPR_ISO_27001_Integrated_Documentation_Toolkit_EN.pdf
From this document you can see which document can help you to comply with EUI GDPR framework or ISO 27001 standard.
This article will provide you further explanation about ISO 27001 and EU GDPR:
- Does ISO 27001 implementation satisfy EU GDPR requirements? https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/
This mater ial will also help you regarding ISO 27001 and EU GDPR:
- What is EU GDPR and how can ISO 27001 help? https://info.advisera.com/27001academy/free-download/what-is-eu-gdpr-and-how-can-iso-27001-help
- EU GDPR Foundations Course https://advisera.com/training/eu-gdpr-foundations-course// -
Evaluating risk assessment results
Answer: Considering they have used the same assessment criteria, then you should evaluate the impact of each activity to the business as a whole to make a decision. If both activities have similar impact, then you should rate the laptop as High, to ensure proper controls to the worst case scenario considered in your scope. -
Toolkit content
We were looking for documentation templates to assist us with achieving compliance to ISO 27001/27002 and when we were on your website we noticed that there was an additional section for the implementation of EU GDPR documentation. So we took that option.
Looking back now at the pricing web page, could please confirm that the ‘EU GDPR & ISO 27001 Integrated Documentation toolkit’ that we purchased is two distinct work packages or if in fact, I now read the page correctly, it covers an integration of the two standards with both GDPR and ISO 27001 references..
Answer: The "EU GDPR & ISO 27001 Integrated Documentation toolkit" is a single toolkit with templates that cover requirements of both EU GDPR regulation and ISO 27001 standard.
2 - When we look at the references and content within the policy templates it appears to have a focus more on the EU GD PR and not always to the ISO 27001. Is this correct or am I missing something in reading the documents?
Answer: Some templates are specifically for EU GDPR, others specifically for ISO 27001 and a third group of templates cover both EU GDPR and ISO 27001 requirements. Included in the toolkit you bought there is a List of Documents file that can show you which templates cover which requirements from both EU GDPR and ISO 27001.
If you wish, you can schedule a meeting with one of our experts to clarify any elements from the toolkit. To schedule a meeting, please access this link: https://advisera.com/27001academy/consultation/