Search results


  • Quality objectives

    Thank you, Strahinja.
  • EU GDPR procedures


    Answer:

    Articles 13 and 14 of the EU GDPR refer to the information to be provided to data subjects, or “privacy notices”. You can find a “General Data Protection Notice” in folder 2 “Personal Data Policy Framework”, which contains all the information you need to put into your “Privacy Notices”. Personal Data Records Management is covered by the “Data Retention Policy” and “Data Retention Schedule”, which can also be found in folder 2 “Personal Data Policy Framework”.

    Folder 4 “Managing Data Subject Rights” contains the “Data Subject Access Request Procedure” that is meant to cover all the rights of the data subjects including the right to access, erase or rectify the data etc.

    Please consider that you don’t actually need a “Data Minimization”, “Special Categories of Personal Data Procedure”, “Reference letters procedure” or “Direct Marketing procedure”; not every item from the EU GDPR needs a procedure or policy.

    To get an overview of the whole content of the EU GDPR toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ in terms of documents, you should check out the .pdf document called “List of Documents EU GDPR documentation toolkit”.
  • Program success factors

    The subject matter I need to know is how to keep a successful program running; why do people pass successfully for several years, and then begin to fail (with disastrous consequences)?

    The main reason for programs to start failing after a long period running is the loss of alignment between the program and the business objectives, so you should consider constant monitoring of business objectives and strategies, identification of how your programs can help support them, and implementation of proper adjustments.

    I am a Certified Internal Auditor with several years of Internal Audit experience, getting ready to transition, and am looking for an ISO 27001 Analyst or Auditor job; how can I find companies who are (or are looking to become) ISO 27001 compliant?

    For certified organizations you may try the websites of certification bodies (e.g., BSI, TUV, etc.). Some of them have databases of their certified organizations that you can access. For organizations looking to become certified there are no such databases available, so you should rely on internet and professional social network searches.

  • Certifications for consultancy


    Answer: most of the certifications required will depend on the industries your company covers (financial, communication, etc.) and your line of business (e.g., IT security consultancy, business continuity, forensics, etc.).

    Considering ISO 27001, you should consider the lead auditor and the lead implementer certifications.

    These articles will provide you further explanation about ISO 27001 personnel certifications:
    - What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/

    This material will also help you regarding ISO 27001 personnel certifications:
    - ISO 27001 Lead Auditor Course preparation training [free webinar on demand] https://advisera.com/training/iso-27001-lead-auditor-course/
  • Supplier Data Processing Agreement


    Answer:

    The document you are referring to is the Supplier Data Processing Agreement https://advisera.com/eugdpracademy/documentation/supplier-data-processing-agreement/ that can be found in folder 7 “Third Party Compliance” of our EU GDPR implementation toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/

    The Data Processing Agreement should be an Annex/Appendix to the contract (or another legally binding document) based on which the Processor processes personal data on behalf of the Controller.
  • Control of documents

    Please note that both templates fulfill ISO 27001 requirements.

    Answer: ISO 27001 doesn't require that all the documents use the same format (the use of templates is only a best practice), so you can state in your document control procedure that any new or updated policy/procedure must be used after a defined date.

    This material will also help you regarding document control:
    - Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
  • Performing risk assessment

    Your conclusion is correct. By understanding which policies are already implemented and which risks are identified and considered relevant you can have a snapshot of the organization's culture, as well as some perception of the cultures of the other organizations which have business with it.
  • BYOD Policy template content

    There are no more lists:

    [List of authorized BYOD users and what they have access to]
    [List of permitted BYOD devices, and their respective settings]
    [List of prohibited BYOD applications]

    Regarding the effectiveness criteria, a complete list of all criteria would also make sense, because that would be the evaluation matrix for clause 9.1?

    Answer: These lists are described in the text of the BYOD policy itself, and since they are very simple, organizations can use free form instead of having defined templates.

    Of course an organization can add more lists considering other criteria it wants to control (e.g., from which locations the devices can access organization's systems, on which days and hours, etc.).

    This article will provide you further explanation about BYOD policy:
    - How to write an easy-to-use BYOD policy compliant with ISO 27001 https://advisera.com/27001academy/blog/2015/09/07/how-to-write-an-easy-to-use-byod-policy-compliant-with-iso-27001/
  • Corporate Integrity Declaration


    Answer:

    ISO 9001:2015 has no explicit requirement for a “Corporate Integrity Declaration”, but if one of your relevant interested stakeholders requires it, it becomes a requirement for your organization, but not because of ISO 9001:2015.

    The following material will provide you information about suppliers/vendors:

    - ISO 9001 – How to evaluate supplier performance according to ISO 9001:2015 https://advisera.com/9001academy/blog/2015/10/27/how-to-evaluate-supplier-performance-according-to-iso-90012015/
    - Free online training: ISO 9001:2015 Foundations Course https://advisera.com/training/iso-9001-foundations-course/
    - Book: Discover ISO 9001:2015 Through Practical Examples https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • GDPR Encryption


    Answer:

    The EU GDPR is quite broad when it comes to security of processing. It uses terms like “appropriate” or “adequate” to refer to the safeguards that must be in place to protect personal data. The reason behind this is that pieces of legislation are usually meant to be in force for a long period of time and remain unchanged as much as possible, to ensure a stable legal environment. Referring to specific security measures would mean that the GDPR would have to undergo permanent changes and put an unnecessary burden on the entities which must comply with it. Thus, the law maker actually leaves it to the controllers and processors to choose what security measures should be in place, and only refers to “pseudonymisation” and “encryption” as examples (art. 32(1)(a) EU GDPR).

    To put it bluntly, as long as they are lawful, any security measures can be used to protect personal data; what matters is that you are able to ensure “confidentiality, integrity, availability and resilience”.

    In our EU GDPR implementation toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ there is a dedicated folder (8. Security of Personal Data) which contains various policies and procedures that you might find useful.

    You may as well turn to ISO 27001 which is a very good framework for data security, and check out our article “Does ISO 27001 implementation satisfy EU GDPR requirements?” that you may find at https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/