
  • Comparison of the different GDPR articles


    Answer:

    I would first suggest checking the websites of the Supervisory Authorities of the jurisdictions you are interested in. For Guernsey and Jersey you could try starting with https://www.gov.gg/article/158844/Data-Protection-EU-General-Data-Protection-Regulation.
    The ICO in the UK has a pretty good website where you will find all the necessary information: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/ .

    If you are interested in a document that contains local adaptations of the EU GDPR, you could consult the “GDPR National Legislation Survey” issued by Baker and McKenzie, which is publicly available here: https://globalitc.bakermckenzie.com/files/Uploads/Documents/Global%20ITC/DSC146096_GDPR%20Survey%20National%20Legislation%20Updated%2026%20May%202017%20(Belfast).pdf.
    DLA Piper also has a section on their website with local data protection laws around the world, which can be consulted here: https://www.dlapiperdataprotection.com/index.html?t=eu-section&c=AU.
  • Quality objectives

    Thank you, Strahinja.
  • EU GDPR procedures


    Answer:

    Articles 13 and 14 of the EU GDPR refer to the information to be provided to data subjects, or “privacy notices”. You can find a “General Data Protection Notice” in folder 2 “Personal Data Policy Framework”, which contains all the information you need to put into your “Privacy Notices”. Personal Data Records Management is covered by the “Data Retention Policy” and “Data Retention Schedule”, which can also be found in folder 2 “Personal Data Policy Framework”.

    Folder 4 “Managing Data Subject Rights” contains the “Data Subject Access Request Procedure” that is meant to cover all the rights of the data subjects including the right to access, erase or rectify the data etc.

    Please consider that you don’t actually need a “Data Minimization”, “Special Categories of Personal Data Procedure”, “Reference letters procedure” or “Direct Marketing procedure”; not every item from the EU GDPR needs a procedure or policy.

    To get an overview of the whole content of the EU GDPR toolkit (https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/) in terms of documents, you should check out the .pdf document called “List of Documents EU GDPR documentation toolkit”.
  • Program success factors

    The subject matter I need to know is how to keep a successful program running; why do people pass successfully for several years, and then begin to fail (with disastrous consequences)?

    The main reason for programs to start failing after a long period running is the loss of alignment between the program and the business objectives, so you should consider constant monitoring of business objectives and strategies, identification of how your programs can help support them, and implementation of proper adjustments.

    I am a Certified Internal Auditor with several years of Internal Audit experience, getting ready to transition, and am looking for an ISO 27001 Analyst or Auditor job; how can I find companies who are (or are looking to become) ISO 27001 compliant?

    For certified organizations you may try the websites of certification bodies (e.g., BSI, TÜV, etc.). Some of them have databases of their certified organizations that you can access. For organizations looking to become certified there are no such databases available, so you should rely on internet and professional social network searches.

  • Certifications for consultancy


    Answer: most certifications required will depend on the industries your company covers (financial, communication, etc.) and your line of business (e.g., IT security consultancy, business continuity, forensics, etc.).

    Regarding ISO 27001, you should consider the Lead Auditor and Lead Implementer certifications.

    These articles will provide you further explanation about ISO 27001 personnel certifications:
    - What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/

    This material will also help you regarding ISO 27001 personnel certifications:
    - ISO 27001 Lead Auditor Course preparation training [free webinar on demand] https://advisera.com/training/iso-27001-lead-auditor-course/
  • Supplier Data Processing Agreement


    Answer:

    The document you are referring to is the Supplier Data Processing Agreement (https://advisera.com/eugdpracademy/documentation/supplier-data-processing-agreement/), which can be found in folder 7 “Third Party Compliance” of our EU GDPR implementation toolkit: https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/

    The Data Processing Agreement should be an Annex/Appendix to the contract (or another legally binding document) based on which the Processor processes personal data on behalf of the Controller.
  • Control of documents

    Please note that both templates fulfill ISO 27001 requirements.

    Answer: ISO 27001 doesn't require that all the documents use the same format (the use of templates is only a best practice), so you can state in your document control procedure that any new or updated policy/procedure must be used after a defined date.

    This material will also help you regarding document control:
    - Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
  • Performing risk assessment

    Your conclusion is correct. By understanding which policies are already implemented and which risks are identified and considered relevant, you can have a snapshot of the organization's culture, as well as some perception of the cultures of the other organizations that do business with it.
  • BYOD Policy template content

    There are no more lists:

    [List of authorized BYOD users and what they have access to]
    [List of permitted BYOD devices and their respective settings]
    [List of prohibited BYOD applications]

    Regarding the effectiveness criteria, a complete list of all criteria would also make sense, because that would be the evaluation matrix for clause 9.1, wouldn't it?

    Answer: These lists are described in the text of the BYOD policy itself, and since they are very simple, organizations can use free form instead of having defined templates.

    Of course, an organization can add more lists considering other criteria it wants to control (e.g., from which locations the devices can access the organization's systems, on which days and hours, etc.).

    This article will provide you further explanation about BYOD policy:
    - How to write an easy-to-use BYOD policy compliant with ISO 27001 https://advisera.com/27001academy/blog/2015/09/07/how-to-write-an-easy-to-use-byod-policy-compliant-with-iso-27001/
  • Corporate Integrity Declaration


    Answer:

    ISO 9001:2015 has no explicit requirement for a “Corporate Integrity Declaration”, but if one of your relevant interested stakeholders requires it, it becomes a requirement for your organization, although not because of ISO 9001:2015.

    The following material will provide you information about suppliers/vendors:

    - ISO 9001 – How to evaluate supplier performance according to ISO 9001:2015: https://advisera.com/9001academy/blog/2015/10/27/how-to-evaluate-supplier-performance-according-to-iso-90012015/
    - free online training ISO 9001:2015 Foundations Course: https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/