The EU GDPR does not distinguish between production and non-production environments.
As long as personal data is concerned, information technology systems processing personal data must be adequately protected so as to ensure the ongoing confidentiality, integrity, availability and resilience required by Article 32 Security of Processing of the EU GDPR (https://advisera.com/eugdpracademy/gdpr/security-of-processing/).
So, in strict EU GDPR terms, the environment where the data is stored does not matter, as long as the requirements of Article 32 mentioned above are considered.
Of course, depending on the industry some documents might be more relevant than others, but nevertheless at least all of the documents marked as mandatory in our EU GDPR toolkit List of Documents should be considered.
As you mentioned that you are a software development company, I think that the “Privacy Notices” might be particularly useful, and our EU GDPR implementation toolkit provides in folder 2 “Personal Data Policy Framework” a “General Data Protection Notice” that can be used as a template to develop “Privacy Notices” for your software products.
I want you to be my professional role model for advice and guidance. I have five years' IT audit experience using applicable frameworks. Can you please advise me on the best audit management tools that are compatible with ISO 27001.
Answer: To support audit activities I suggest you take a look at the free version of our ISO 27001/ISO 22301 Internal Audit Toolkit at this link: https://advisera.com/27001academy/iso-27001-22301-internal-audit-documentation-toolkit/
This toolkit can help you plan and perform the tasks related to internal audits and record corrective actions and nonconformities, and it is fully compliant with ISO 27001 requirements.
Enforcing policies
Answer: The best way to convince people about the implementation of policies and information security is by showing them how this implementation will help them and what the consequences of a security compromise or policy non-compliance may be. In general, the benefits are:
- Fulfilment of legal requirements your organization has to follow
- Improved process performance
- Reduction of losses due to information security incidents
As for the negative impacts of non-compliance, you can mention:
- Legal actions
- Payment of fees
- Rework
- Loss of public trust
The Dlgs 196/2003 is the Italian transposition act for Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, also known as the ePrivacy Directive. Currently there is a proposal for an ePrivacy Regulation which will probably be published next year, and until then the ePrivacy Directive, and consequently Dlgs 196/2003, will still remain in force.
The ePrivacy Regulation was created to complement and particularize the EU GDPR, so the rules of the EU GDPR are always relevant and an overall part of the legislative aspects of ePrivacy.
In your template at paragraph 3.4. Treating major incidents, it is stated: "In the case of major incidents that could disrupt activities for an unacceptable period of time, an [Incident Response Plan as part of the Business Continuity Plan] is invoked." In the note: "If such a document is not in place, describe here the procedure in the case of a major incident."
Since the Incident Response Plan is not in the toolkit, in practice the content of your procedure is "you have to write the procedure"! This makes your template useless.
Please provide more content for that document.
Answer: Sorry for this inconvenience.
To build an Incident Response Plan you should consider the following information:
- Name, job title and contact information of personnel required to handle specific incidents (e.g., system / network administrator for IT-related incidents, facilities manager for premises-related incidents, etc.).
- Which external parties should be contacted (e.g., customers, partners, media, public services / authorities, etc.), in which situation, through which communication channel (e.g., by phone, e-mail, press conference, etc.) and by whom.
- Types of incidents that should be handled by the plan (e.g., fire, premises evacuation, service failure, etc.)
- Details on how to treat each of the identified incidents (e.g., for fire, summon the fire brigade, start premises evacuation, call the fire department, etc.)
If you think you still need more information, included in your toolkit you can schedule a meeting with one of our experts so they can help you build response plans that fulfill your needs. To schedule a meeting, please access this link: https://advisera.com/27001academy/consultation/
By the way, the Incident Response Plan template is included in the ISO 22301 Toolkit; you can see here what this document looks like: https://advisera.com/27001academy/documentation/incident-response-plan/
Exclusions
Answer:
If your organization does not use any equipment during services it can state that clause 7.1.5 is not applicable.
The following material will provide you with information about exclusions:
Answer: In the ISO 27001 series of standards there is no standard with 27 groups of controls. ISO 27017 (for cloud services security), ISO 27018 (for privacy protection), and ISO 27019 (for energy utility industry) have additional controls that can be used with ISO 27001 Annex A controls, but they do not compose additional groups of controls.
There is no need to include the customers as an exception in the audit scope. The fact that your customers may require the results of your internal or certification audit to complete their own audits (e.g., if their auditor is auditing their supplier management process) is not a reason for you to include them in the scope of your audits, even as an exception. The proper document to ensure customers' access rights to your audit results is the contract or service agreement you signed with them.
Answer:
There is no pre-defined or out-of-the-box question set to resolve major incidents. One question that needs to be asked for all major incidents is: how do we prevent such an incident from recurring? The rest of the diagnosis depends on the incident itself.
This article may help you in dealing with major incidents - "Major Incident Management – when the going gets tough…" https://advisera.com/20000academy/knowledgebase/major-incident-management-going-gets-tough/