Search results


  • Control of documents

    Please note that both templates fulfill ISO 27001 requirements.

    Answer: ISO 27001 doesn't require that all the documents use the same format (the use of templates is only a best practice), so you can state in your document control procedure that any new or updated policy/procedure must be used after a defined date.

    This material will also help you regarding document control:
    - Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
  • Performing risk assessment

    Your conclusion is correct. By understanding which policies are already implemented and which risks are identified and considered relevant you can have a snapshot of the organization's culture, as well as some perception of the cultures of the other organizations which have business with it.
  • BYOD Policy template content

    there are no more lists:

    [List of authorized BYOD users and what they have access to]
    [List of permitted BYOD devices and their respective settings]
    [List of prohibited BYOD applications]

    Regarding the efficacy criteria, a complete list of all criteria would also make sense, because that would be the evaluation matrix for clause 9.1?

    Answer: These lists are described in the text of the BYOD policy itself, and since they are very simple, organizations can use free form instead of having defined templates.

    Of course an organization can add more lists considering other criteria it wants to control (e.g., from which locations the devices can access organization's systems, on which days and hours, etc.).

    This article will provide you further explanation about BYOD policy:
    - How to write an easy-to-use BYOD policy compliant with ISO 27001 https://advisera.com/27001academy/blog/2015/09/07/how-to-write-an-easy-to-use-byod-policy-compliant-with-iso-27001/
  • Corporate Integrity Declaration

    Answer:

    ISO 9001:2015 has no explicit requirement for a “Corporate Integrity Declaration”, but if one of your relevant interested stakeholders requires it, it becomes a requirement for your organization, but not because of ISO 9001:2015.

    The following material will provide you information about suppliers/vendors:

    - ISO 9001 – How to evaluate supplier performance according to ISO 9001:2015 https://advisera.com/9001academy/blog/2015/10/27/how-to-evaluate-supplier-performance-according-to-iso-90012015/
    - Free online training: ISO 9001:2015 Foundations Course https://advisera.com/training/iso-9001-foundations-course/
    - Book: Discover ISO 9001:2015 Through Practical Examples https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • GDPR Encryption

    Answer:

    The EU GDPR is quite broad when it comes to security of processing. It uses terms like “appropriate” or “adequate” to refer to the safeguards that must be in place to protect personal data. The reason behind this is that usually pieces of legislation are meant to be in force for a long period of time and remain unchanged as much as possible to ensure a stable legal environment. Referring to specific security measures would mean that the GDPR should undergo permanent changes and put an unnecessary burden on the entities which must comply with it. Thus, the lawmaker actually leaves the controllers and processors to choose what security measures should be in place and only refers to “pseudonymisation” and “encryption” as examples (art. 32(1)(a) EU GDPR).

    To put it bluntly, as long as they are lawful, any security measures can be used to protect personal data; what matters is that you are able to ensure “confidentiality, integrity, availability and resilience”.

    In our EU GDPR implementation toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ there is a dedicated folder (8. Security of Personal Data) which contains various policies and procedures that you might find useful.

    You may as well turn to ISO 27001, which is a very good framework for data security, and check out our article “Does ISO 27001 implementation satisfy EU GDPR requirements?” that you may find at https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/
  • Best practice

    Answer:

    The EU GDPR does not distinguish between production and non-production environments.

    As long as personal data is concerned, information technology systems processing personal data must be adequately protected so as to ensure the ongoing confidentiality, integrity, availability and resilience as required by Article 32 Security of Processing of the EU GDPR (https://advisera.com/eugdpracademy/gdpr/security-of-processing/).

    So, in strict EU GDPR terms, the environment where the data is stored does not matter if the requirements of Article 32 mentioned above are considered.
  • GDPR and possible software changes

    Answer:

    The documents provided in the EU GDPR implementation toolkit https://community.advisera.com/topic/eu-gdpr-documentation/ are meant to be cross-industry, so as long as the EU GDPR is applicable to a certain entity the documents can be used.

    Of course, depending on the industry some documents might be more relevant than others, but nevertheless at least all of the documents marked as mandatory in our EU GDPR toolkit List of documents should be considered.

    As you mentioned that you are a software development company, I think that the “Privacy Notices” might be particularly useful, and our EU GDPR implementation toolkit provides in folder 2 “Personal Data Policy Framework” a “General Data Protection Notice” that can be used as a template to develop “Privacy Notices” for your software products.

    Another important topic would most likely be implementing the Privacy by design and Privacy by default principles as set forth in Article 25 of the EU GDPR (https://advisera.com/eugdpracademy/gdpr/data-protection-by-design-and-by-default/).

    If your software is meant, for example, to process sensitive personal data or to profile or predict the behavior of data subjects, then a DPIA should also be performed. A full guide on how to perform DPIAs as well as the necessary templates can be found in folder 5 “Data Protection Impact Assessment” of our EU GDPR implementation toolkit. You can also check out our webinar on DPIAs at: https://advisera.com/eugdpracademy/webinar/seven-steps-of-data-protection-impact-assessment-dpia-according-to-eu-gdpr-free-webinar-on-demand/
  • Audit tools suggestion

    I want you to be my professional role model for advice and guidance. I have five years of IT audit experience using applicable frameworks. Can you please advise me on the best audit management tools that are compatible with ISO 27001.

    Answer: To support audit activities I suggest you take a look at the free version of our ISO 27001/ISO 22301 Internal Audit Toolkit at this link: https://advisera.com/27001academy/iso-27001-22301-internal-audit-documentation-toolkit/

    This toolkit can help you plan and perform the tasks related to internal audits and record corrective actions and nonconformities, and it is fully compliant with ISO 27001 requirements.
  • Enforcing policies

    Answer: The best way to convince people about the implementation of policies and information security is by presenting to them how this implementation will help them and what the consequences of a security compromise or policy non-compliance may be. In general, the benefits are:
    - Fulfilment of legal requirements your organization has to follow
    - Improved processes performance
    - Reduction of losses due to information security incidents

    As for the negative impacts of non-compliance, you can mention:
    - Legal actions
    - Payment of fees
    - Rework
    - Loss of public trust

    This article will provide you further explanation about ISO 27001 benefits and documentation development:
    - Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
    - Seven steps for implementing policies and procedures https://advisera.com/27001academy/knowledgebase/seven-steps-for-implementing-policies-and-procedures/

    This material will also help you regarding benefits presentation:
    - ISO 27001 benefits: How to obtain management support [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001-benefits-how-to-get-management-buy-in-free-webinar-on-demand/
    - Why ISO 27001 – Awareness presentation https://info.advisera.com/27001academy/free-download/why-iso-27001-awareness-presentation
  • EU GDPR documentation

    Answer:

    The Dlgs 196/2003 is the Italian transposition act for Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, also known as the ePrivacy Directive. Currently there is a proposal for an ePrivacy Regulation which will probably be published next year, and until then the ePrivacy Directive and consequently Dlgs 196/2003 would still remain in force.

    The ePrivacy Regulation was created to complement and particularize the EU GDPR, so the rules of the EU GDPR are always relevant and an overall part of the legislative aspects of the ePrivacy.

    Having in mind all of the above, it is safe to say that the content of the EU GDPR implementation toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ does not conflict with the provisions of the ePrivacy Directive or Dlgs 196/2003.