If employee data is being sent constantly outside the EEA, then you need to inform your employees about this via a privacy notice. If the data being sent is the same every time a transfer occurs, you only need to present the notice once and keep it available so the employee can access it at any time.
EU GDPR toolkit documents
Answer:
Besides the notices and consent-related documents, there are no requirements for you to make public other EU GDPR implementation documents (https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/). However, policy documents such as the "General Data Protection Policy" could be made public as well, as a way to prove commitment.
Handling the privacy
As mentioned previously my understanding is that you are acting as a processor and performing certain evaluation services on behalf of various controllers. In this case all data subject requests should be directed to the respective controllers.
This doesn't mean that you are ignoring the requests, but that you are directing them to the controllers so that they can evaluate and decide how to deal with them. If the controllers consider the request grounded, they will instruct you on how to proceed.
When receiving such requests from the data subjects, you should just mention that you cannot evaluate their request but will forward it to the data controller.
Process approach in a school environment
We received a follow-up question:
"What about the physical facilities or the 5S? How strict is the registrar with regard to this? Do we really need to repair all our damaged equipment and facilities?"
This is my answer:
I included physical facilities under “Manage infrastructures” (please check ISO 9001:2015 clause 7.1.3 a)). About 5S, it is not an ISO 9001:2015 requirement. If your organization uses it, it will be demonstrated and does not need a process for that.
I cannot predict registrars’ evaluation regarding facilities. I don’t believe your organization needs to repair all damaged equipment and facilities, unless they question the ability:
* to meet quality objectives,
* to meet interested parties' requirements, like regulatory or legal requirements; or
* to attain customer satisfaction
ISO 27001 implementation
It was mentioned, however, that he just wanted me to go straight in and start writing out the policies. My questions are as follows, and hopefully you can give me some guidance on them:
1 - Firstly, is this even possible or the right way? I’ve gone through a few trainings and webcasts you’ve provided, and I was under the impression that you had to complete this stage by stage, rather than jumping straight into the policies.
Answer: It is possible to start writing out the policies, but it is not the right way, and not recommended, because the chances are that the policies will not cover all the aspects where you need to protect information, conflicting rules will impair process performance, and you will have a lot of rework to do to correct things (and this rework will certainly take more time than following the implementation step by step).
2 - Is it even possible to write the policies without any real scope, apart from wanting to implement these in the IT dept? Which again, I was under the impression that this wasn’t supposed to be just an IT project.
I did try and explain about the different steps involved but I wanted to get your guidance on what I have mentioned above.
Answer: Without a stated scope you will have to consider at least that the whole organization is covered by the ISMS, and depending on the size of the organization and your real needs for security, the difference may mean a lot of unnecessary effort spent writing policies involving people and business units that will not use them, again resulting in losses that can be prevented by following the implementation step by step.
Regarding designating IT as responsible for information security, you should try to argue that information can exist outside information systems (e.g., in paper reports, on whiteboards, in people talking), and in these situations IT will not have the resources or authority to protect information, so the best course of action is to designate information security responsibilities considering where the information can be (e.g., HR can be responsible for information security related to how employees handle information).
"Cloud Toolkit is suitable for smaller companies that do not have the need for complex business continuity process, but require the establishment of more strict security controls to protect information on cloud environments and have privacy related requirements to comply with."
So do I understand correctly that it is designed for companies who keep their data in the cloud (cloud customers), but not for companies who provide cloud services?
Answer: Cloud Toolkit is designed to support both cloud customers (about how to define security and privacy requirements and make sure their suppliers are compliant with them) and cloud service providers (about how to define security and privacy requirements, implement them and ensure they are working properly).
Summary of changes in AS9100 Rev D
Please give me the highlights on what the Rev D invokes.
Example:
1) Risk Assessment
2) Leadership Context
3) Process Capability
Answer:
The main changes in the new standard are the additions of requirements for understanding the context of your company, the interested parties of the QMS and their requirements, risk assessment for the QMS, leadership commitment, product safety and the prevention of counterfeit parts. Most other sections have few changes with the exception that they talk about the products and services that a company provides.
In the near future there will be a whitepaper matrix of the changes from Rev C to Rev D released on 9100Academy, but in the meantime the best place to look is the whitepaper on understanding the standard (https://info.advisera.com/9100academy/free-download/clause-by-clause-explanation-of-as9100-rev-d) and the infographic on the changes (https://advisera.com/9100academy/knowledgebase/as9100-rev-d-vs-rev-c-what-has-changed/).
Risk Register vs Incident Log
The risk register and the incident log are complementary documents. The first records what may happen, and the second what really happened.
Identified risks are required by ISO 27001, as part of the risk assessment and treatment process. An incident log is only required if there are unacceptable risks that justify controls requiring its implementation (e.g., A.16.1.2 Reporting information security events).