As the doctors are sharing patient data with you, they should both obtain consent and present the patient with a privacy notice that is GDPR compliant.
Minimum standard
Answer:
The information you need to provide to the data subject is the same as for written/online notices, so there is no difference in terms of content. However, make sure you keep the recordings of you presenting the notice.
DPO
Indeed, as mentioned before, no formal certifications are required, at least for the time being. However, keep in mind that strong knowledge of the EU GDPR, as well as of other relevant privacy laws, is needed, since most likely the DPO will be the one running the whole EU GDPR framework within the company.
Appendices in ISO 22301?
Answer: Sorry, but ISO 22301 has no appendices, so this standard says nothing about appendices. Where you can see appendices is in our ISO 22301 documentation package; for example, the document "Procedimiento para identificación de requisitos" (Procedure for identification of requirements) has the appendix "Lista de requisitos legales, normativos, contractuales y de otra índole" (List of legal, regulatory, contractual and other requirements), which is simply an additional document used to support the procedure. Here you can see our list of documents with their appendices, and also which documents are mandatory: https://advisera.com/wp-content/uploads//sites/5/2015/06/Lista_de_documentos_Paquete_de_documentos_sobre_ISO_22301_BS-25999_ES.pdf
Inventory of processing activities
Answer:
The inventory of processing activities needs to be filled in by the companies themselves; there are no "most used processing activities", since these are closely linked to the business. For example, a call center's processing activities will be different from those of a recruitment company. This is why we provided in the EU GDPR toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ the "Guidelines of Processing Activities Inventory", which explains how you could tackle this task.
As for the Retention Schedule, it is somewhat the same story, especially for certain types of records for which the retention period is established by local legal requirements. For example, the retention period for CCTV footage differs between Member States, and the same goes for payroll-related documents.
ISO 27017 and ISO 27018 certification
Answer: Although there are some certification bodies issuing certificates for ISO 27017 and ISO 27018, these are unofficial (according to ISO, these standards are not certifiable), and cannot be issued without a formal ISO 27001 certification.
ISO 27017 and ISO 27018 are supporting standards to ISO 27001, providing specific guidance and orientation on the security controls from ISO 27001 Annex A that are applicable to cloud environments and to Personally Identifiable Information.
Answer: You can have situations where the non-financial impact is high and the financial impact is low, so the non-financial impact is more significant in determining the MAO. In such cases the MAO is not calculated, but determined by considering the perceptions of the interested parties about how long an outage could last before the organization would no longer be able to resume business activities. Since this is a subjective approach, you should involve personnel with as much experience and knowledge about the impact as possible, to ensure some degree of confidence in the MAO value.
This toolkit will provide you with easy-to-fill templates and expert support to guide you through your implementation process.
Procedure for identification of requirements
Can you suggest some additional help material that I can use when I am working through this template? For the Information Security Scope and Policy templates, I found using the videos very helpful, but I don't think that there is a video related to this template.
Answer: To help you with the identification of requirements, I suggest the following material: