Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11277 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
EU GDPR document
Answer:
Not really, it is not a typo. The document is a standard template issued by the EU Commission to be used as a safeguard when sending data outside EU. Moreover, the document should not be altered but only the blanks need to be filled in.
The term “Community” refer to the European Union so the document is to be used whenever personal data is transferred outside the European Union (Community) to countries that don’t have an adequacy decision. To find out which countries have adequacy decisions please check put this link :https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en
If you want to have more insight on cross- border data transfer you can attend our online “EU GDPR Foundations Course” https://advisera.com/training/eu-gdpr-foundations-course// -
Risk management
Answer:
It is not a mandatory documented process.
You can’t skip this clause by only documenting risk management/ assessment on your company objective.
Look clause 4.4.1 f) your organization should handle risks and opportunities about your processes
Look clause 5.1.2 b) your organization should handle risks and opportunities about the conformity of products and services.
The following material will provide you information about the risk-based approach:
- ISO 9001 – How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
- Risk-based thinking replacing preventive action in ISO 90 01:2015 – The benefits - https://advisera.com/9001academy/knowledgebase/risk-based-thinking-replacing-preventive-action-in-iso-90012015-the-benefits/
- ISO 9001:2015 Risk Management Toolkit - https://advisera.com/9001academy/iso-90012015-risk-management-toolkit/
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
Adjustments for EU GDPR
Answer: Basically you have to implement controls such as top-level Data Protection Policy, Inventory of Processing Activities, consents, Data Protection Impact Assessment, agreements with processors, regulate the transfer of data outside of the EU, etc.
I suggest you to download the List of documents file of our EU GDPR & ISO 27001 Integrated Documentation Toolkit at this link: https://advisera.com/wp-content/uploads//sites/15/2017/11/List_of_documents_EU_GDPR_ISO_27001_Integrated_Documentation_Toolkit_EN.pdf
From this document you can see which document can help you to comply with EUI GDPR framework or ISO 27001 standard.
This article will provide you further explanation about ISO 27001 and EU GDPR:
- Does ISO 27001 implementation satisfy EU GDPR requirements? https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/
This mater ial will also help you regarding ISO 27001 and EU GDPR:
- What is EU GDPR and how can ISO 27001 help? https://info.advisera.com/27001academy/free-download/what-is-eu-gdpr-and-how-can-iso-27001-help
- EU GDPR Foundations Course https://advisera.com/training/eu-gdpr-foundations-course// -
Evaluating risk assessment results
Answer: Considering they have used the same assessment criteria, then you should evaluate the impact of each activity to the business as a whole to make a decision. If both activities have similar impact, then you should rate the laptop as High, to ensure proper controls to the worst case scenario considered in your scope. -
Toolkit content
We were looking for documentation templates to assist us with achieving compliance to ISO 27001/27002 and when we were on your website we noticed that there was an additional section for the implementation of EU GDPR documentation. So we took that option.
Looking back now at the pricing web page, could please confirm that the ‘EU GDPR & ISO 27001 Integrated Documentation toolkit’ that we purchased is two distinct work packages or if in fact, I now read the page correctly, it covers an integration of the two standards with both GDPR and ISO 27001 references..
Answer: The "EU GDPR & ISO 27001 Integrated Documentation toolkit" is a single toolkit with templates that cover requirements of both EU GDPR regulation and ISO 27001 standard.
2 - When we look at the references and content within the policy templates it appears to have a focus more on the EU GD PR and not always to the ISO 27001. Is this correct or am I missing something in reading the documents?
Answer: Some templates are specifically for EU GDPR, others specifically for ISO 27001 and a third group of templates cover both EU GDPR and ISO 27001 requirements. Included in the toolkit you bought there is a List of Documents file that can show you which templates cover which requirements from both EU GDPR and ISO 27001.
If you wish, you can schedule a meeting with one of our experts to clarify any elements from the toolkit. To schedule a meeting, please access this link: https://advisera.com/27001academy/consultation/ -
Performing gap assessment
Answer: Basically you have to ask questions based on standard's requirements, to identify if they are being meet or not.
For example, for requirements such as "The organization shall determine...", the question should be "Did the organization determine...". For requirements such as "The organization shall consider", the question should be "Did the organization consider...", and so on.
To help you perform a gap assessment, I suggest you to take a look at our Free ISO 27001 Gap Analysis Tool at this link: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/
This simple questionnaire will help you and your client to visualize which specific elements of a information security management system he has already implemented, and what he still needs to do. -
EU GDPR questions
2. How long do we keep the log files for? Also if an unmanaged customer stops the service and asks for deletion of all data and the vps ( I guess we are obliged to delete everything but if that customers was dealing in unlawful activities and the police asks for information we won’t have any to give. (hoe does this work?)
3. If a customer complains about a bridge on their website that is handled by them on a shared hosting platform are we required to have tools that will identify such bridge and from where it came from? Now we use tools to prevent this from happening such as brute force attacks, sql injection etc…
4. Just to add further the data we ask and keep for Billing purposes for the customers is as follows:
Company Name, Contact Name, Address, V.A.T number, Email address
We use the above only for billing and email them for maintenance and invoices. Are the above considered Personal data as all this c an be found on their website? We don’t provide this info to 3rd parties.
Answers:
1. All documents except for the ones in folder 4 “Managing Data Subject Rights” can be used by both processors and controllers so we strongly suggest you go through all of them. Also, there is a document called List of Documents EU GDPR Toolkit where you can find out which documents are mandatory according to the EU GDPR.
2. Regarding the retention period the EU GDPR in article 5 - Principles relating to processing of personal data (https://advisera.com/gdpr/principles-relating-to-processing-of-personal-data/) states that personal data shall not be kept for “ longer than is necessary for the purposes for which the personal data are processed” this means that controllers have to delete the data once is no longer needed for processing unless there is a specific legal requirement that allows them to keep them for longer ( e.g regulatory compliance). As far as your activity as a processor goes the retention periods should be defined by the controllers and communicated to you. If a manages services customer asks you to delete the data you need first to assess if you can comply with the request or not by assessing the local legislation and if there is no reason to hold on to the data for longer you can delete it.
3. Your platform should be designed to prevent and detect data breaches. However, if the data breach originates from a customer is the duty of the customer to detect an report the breach when necessary (EU GDPR article 33 - Notification of a personal data breach to the supervisory authority - https://advisera.com/eugdpracademy/gdpr/notification-of-a-personal-data-breach-to-the-supervisory-authority/; EU GDPR article - Communication of a personal data breach to the data subject - https://advisera.com/eugdpracademy/gdpr/communication-of-a-personal-data-breach-to-the-data-subject/) . If the customer has a breach on their website is their duty to deal with that and notify the appropriate entities, you however, if acting as a processor might be required to assist.
4. The contact name and email address (provided it belong to an individual) on invoices are personal data. Usually invoices have to be kept by companies for regulatory compliance for periods up to 15 years. You should check your local legislation (usually the Tax Code) to see which is the retention period for invoices .
You might find interesting our article on “5 steps to handle a data breach according to GDPR” https://advisera.com/eugdpracademy/knowledgebase/5-steps-to-handle-a-data-breach-according-to-gdpr/ as well as our EU GDPR Foundations Course https://advisera.com/training/eu-gdpr-foundations-course// -
ID Verification
The identification method used in cases of DSARs depends on various factors such as the information you hold about the data subject as well as how the DSAR was received.
For example, if the data subject sends the request via email and the email is already in your database as it was provided by the data subject you can safely assume that the data subject is the one sending the email. If you receive the request via telephone you can just ask the data subject some ID verification questions same as banks do such as ( the last recorded address, the social security number, etc.).
One easy way is to establish a set of identification questions to be used to check the ID of the data subjects whenever a request is received. If the request comes form another person then the data subject you need to ask for a authorization from the data subject by which he empowers anoth er party to submit a DSAR on his/her behalf.
To learn more about how to handle DSARs you can book a seat at our webinar - Data Subject Rights under the EU GDPR - https://advisera.com/eugdpracademy/webinar/data-subject-rights-under-the-eu-gdpr-free-webinar-on-demand/
You can also check out our EU GDPR Foundations Course https://advisera.com/training/eu-gdpr-foundations-course/ -
Procesos y procedimientos
Respuesta: De acuerdo a la filosofía de ISO 9000, un procedimiento es una forma específica para llevar a cabo un proceso, por tanto no hay mucha diferencia con respecto a los procedimientos, por lo que podrías usar el artículo que comentas para implementar procesos.
Quizás también te pueda interesar el libro "Seguro & Simple" : https://advisera.com/books/seguro-simple-una-guia-para-la-pequena-empresa-para-la-implementacion-de-la-iso-27001-con-medios-propios/ -
Scope definition
Would we have a scope of entire organisation, but exclude physical management and operation of the Helpdesk/Monitoring system and ensure some sort of ISO compliance from the Datacenter provider. I assume we would then write policy for our staff access to Datacenter/Helpdesk and Monitoring and have defined roles ?
Answer: I'm assuming that by excluding physical management and operation of the Helpdesk/Monitoring system you are referring to focus only on using the Helpdesk/Monitoring system (like a Software as a Service - SaaS).
Considering that, for the relation with the datacenter provider you should consider a service agreement, establishing clauses to ensure it will apply the security controls you require for your business (e.g., based on ISO 27001 and ISO 27017). These clauses should cover not only the policy for your staff to access the Datacenter/Helpdesk and Monitoring system and necessary roles, but also refer to other controls, like your right to audit the provider operation and receive periodic performance reports.
These articles will provide you further explanation about scope definition and supplier management:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
These materials will also help you regarding scope definition and supplier management:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/