
  • BYOD Policy template content

    There are no more lists:

    [List of authorized BYOD users and what they have access to]
    [List of permitted BYOD, as well as their respective settings]
    [List of prohibited BYOD applications]

    Regarding the effectiveness criteria, a complete list of all criteria would also make sense, because that would be the evaluation matrix for clause 9.1?

    Answer: These lists are described in the text of the BYOD policy itself, and since they are very simple, organizations can use free form instead of having defined templates.

    Of course an organization can add more lists considering other criteria it wants to control (e.g., from which locations the devices can access organization's systems, on which days and hours, etc.).

    This article will provide you further explanation about BYOD policy:
    - How to write an easy-to-use BYOD policy compliant with ISO 27001 https://advisera.com/27001academy/blog/2015/09/07/how-to-write-an-easy-to-use-byod-policy-compliant-with-iso-27001/
  • Corporate Integrity Declaration


    Answer:

    ISO 9001:2015 has no explicit requirement for a “Corporate Integrity Declaration”, but if one of your relevant interested stakeholders requires it, it becomes a requirement for your organization, but not because of ISO 9001:2015.

    The following material will provide you information about suppliers/vendors:

    ISO 9001 – How to evaluate supplier performance according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/10/27/how-to-evaluate-supplier-performance-according-to-iso-90012015/
    free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • GDPR Encryption


    Answer:

    The EU GDPR is quite broad when it comes to security of processing. It uses terms like “appropriate” or “adequate” to refer to the safeguards that must be in place to protect personal data. The reason behind this is that pieces of legislation are usually meant to be in force for a long period of time and remain unchanged as much as possible to ensure a stable legal environment. Referring to specific security measures would mean that the GDPR would have to undergo permanent changes and put unnecessary burden on the entities which must comply with it. Thus, the law maker actually leaves the controllers and processors to choose what security measures should be in place and only refers to “pseudonymisation” and “encryption” as examples (art. 32(1)(a) EU GDPR).

    To put it bluntly, as long as they are lawful, any security measures can be used to protect personal data; what matters is that you are able to ensure “confidentiality, integrity, availability and resilience”.

    In our EU GDPR implementation toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ there is a dedicated folder (8. Security of Personal Data) which contains various policies and procedures that you might find useful.

    You may as well turn to ISO 27001, which is a very good framework for data security, and check out our article “Does ISO 27001 implementation satisfy EU GDPR requirements?” that you may find at https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/
  • Best practice


    Answer:

    The EU GDPR does not distinguish between production and non-production environments.

    As long as personal data is concerned, information technology systems processing personal data must be adequately protected so as to ensure the ongoing confidentiality, integrity, availability and resilience required by Article 32 Security of Processing of the EU GDPR (https://advisera.com/eugdpracademy/gdpr/security-of-processing/).

    So, in strict EU GDPR terms, the environment where the data is stored does not matter if the requirements of Article 32 mentioned above are considered.
  • GDPR and possible software changes


    Answer:

    The documents provided in the EU GDPR implementation toolkit https://community.advisera.com/topic/eu-gdpr-documentation/ are meant to be cross-industry, so as long as the EU GDPR is applicable to a certain entity the documents can be used.

    Of course, depending on the industry some documents might be more relevant than others, but nevertheless at least all of the documents marked as mandatory in our EU GDPR toolkit List of documents should be considered.

    As you mentioned that you are a software development company, I think that the “Privacy Notices” might be particularly useful, and our EU GDPR implementation toolkit provides in folder 2 “Personal Data Policy Framework” a “General Data Protection Notice” that can be used as a template to develop “Privacy Notices” for your software products.

    Another important topic would most likely be implementing the Privacy by design and Privacy by default principles as set forth in Article 25 of the EU GDPR (https://advisera.com/eugdpracademy/gdpr/data-protection-by-design-and-by-default/).

    If your software is meant, for example, to process sensitive personal data or to profile or predict the behavior of data subjects, then a DPIA should also be performed. A full guide on how to perform DPIAs as well as the necessary templates can be found in folder 5 “Data Protection Impact Assessment” of our EU GDPR implementation toolkit. You can also check out our webinar on DPIAs at: https://advisera.com/eugdpracademy/webinar/seven-steps-of-data-protection-impact-assessment-dpia-according-to-eu-gdpr-free-webinar-on-demand/
  • Audit tools suggestion


    I want you to be my professional role model for advice and guidance. I have five years of IT Audit experience using applicable frameworks. Can you please advise me on the best Audit management tools that are compatible with ISO 27001.
    Answer: To support audit activities I suggest you take a look at the free version of our ISO 27001/ISO 22301 Internal Audit Toolkit at this link: https://advisera.com/27001academy/iso-27001-22301-internal-audit-documentation-toolkit/

    This toolkit can help you plan and perform the tasks related to internal audits and record corrective actions and nonconformities, and it is fully compliant with ISO 27001 requirements.
  • Enforcing policies


    Answer: The best way to convince people about the implementation of policies and information security is by presenting to them how this implementation will help them and what may be the consequences of a security compromise or policy non-compliance. In general, the benefits are:
    - Fulfilment of legal requirements your organization has to follow
    - Improved processes performance
    - Reduction of losses due to information security incidents

    As for negative impacts of non-compliance, you can mention:
    - Legal actions
    - Payment of fees
    - Rework
    - Loss of public trust

    This article will provide you further explanation about ISO 27001 benefits and documentation development:
    - Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
    - Seven steps for implementing policies and procedures https://advisera.com/27001academy/knowledgebase/seven-steps-for-implementing-policies-and-procedures/

    These materials will also help you regarding benefits presentation:
    - ISO 27001 benefits: How to obtain management support [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001-benefits-how-to-get-management-buy-in-free-webinar-on-demand/
    - Why ISO 27001 – Awareness presentation https://info.advisera.com/27001academy/free-download/why-iso-27001-awareness-presentation
  • EU GDPR documentation


    Answer:

    The Dlgs 196/2003 is the Italian transposition act for Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, also known as the ePrivacy Directive. Currently there is a proposal for an ePrivacy Regulation which will probably be published next year, and until then the ePrivacy Directive and consequently Dlgs 196/2003 would still remain in force.

    The ePrivacy Regulation was created to complement and particularize the EU GDPR, so the rules of the EU GDPR are always relevant and an overall part of the legislative aspects of the ePrivacy.

    Having in mind all of the above, it is safe to say that the content of the EU GDPR implementation toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ does not conflict with the provisions of the ePrivacy Directive or Dlgs 196/2003.
  • Incident management and Incident Response

    In your template at paragraph 3.4. Treating major incidents, it is stated: "In the case of major incidents that could disrupt activities for an unacceptable period of time, an [Incident Response Plan as part of the Business Continuity Plan] is invoked." In the note: "If such a document is not in place, describe here the procedure in the case of a major incident."
    Since the Incident Response Plan is not in the toolkit, in practice the content of your procedure is "you have to write the procedure"! This makes your template useless.
    Please provide more content for that document.

    Answer: Sorry for this inconvenience.

    To build an Incident Response Plan you should consider the following information:
    - Name, job title and contact information of personnel required to handle specific incidents (e.g., system / network administrator for IT-related incidents, facilities manager for premises-related incidents, etc.).
    - Which external parties should be contacted (e.g., customers, partners, media, public services / authorities, etc.), in which situation, through which communication channel (e.g., by phone, e-mail, press conference, etc.) and by whom.
    - Types of incidents that should be handled by the plan (e.g., fire, premises evacuation, service failure, etc.)
    - Details on how to treat each of the identified incidents (e.g., for fire, summon the fire brigade, start premises evacuation, call the fire department, etc.)

    These articles will provide you further explanation about incident management and response plan:
    - How to handle incidents according to ISO 27001 A.16 https://advisera.com/27001academy/blog/2015/10/26/how-to-handle-incidents-according-to-iso-27001-a-16/
    - How to write business continuity plans? https://advisera.com/27001academy/blog/2010/04/08/how-to-write-business-continuity-plans/

    These materials will also help you regarding incident management and response plan:
    - ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - Writing a business continuity plan according to ISO 22301 [free webinar] https://advisera.com/27001academy/webinar/writing-a-business-continuity-plan-according-to-iso-22301-free-webinar-on-demand/

    If you think you still need more information, included in your toolkit you can schedule a meeting with one of our experts so he can help you build response plans that can fulfill your needs. To schedule a meeting, please access this link: https://advisera.com/27001academy/consultation/
    By the way, the Incident Response Plan template is included in the ISO 22301 Toolkit; you can see here what this document looks like: https://advisera.com/27001academy/documentation/incident-response-plan/
  • Exclusions


    Answer:

    If your organization does not use any equipment during services it can state that clause 7.1.5 is not applicable.

    The following material will provide you information about exclusions:

    ISO 9001 – What is an acceptable exclusion in Clause 7 of ISO 9001? - https://advisera.com/9001academy/blog/2015/03/24/what-is-an-acceptable-exclusion-in-clause-7-of-iso-9001/
    ISO 9001 – What clauses can be excluded in ISO 9001:2015? - https://advisera.com/9001academy/knowledgebase/risk-based-thinking-replacing-preventive-action-in-iso-90012015-the-benefits/
    free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/