Search results

  • Employee data privacy


    Answer:

    If you only provide telecom services to companies, this does not mean that you should only focus on your employees' personal data. I am guessing that while providing the service to your corporate clients you would actually have access to some of their personal data as well. In this instance you would be acting as a data processor, and your main focus would be to comply with the requirements of the Controller. You also have to have an inventory of the processing activities that you perform on behalf of the controller.
  • Difference between DPIA and data processing risk assessment


    Answer:

    If your risk assessment focuses only on the security of personal data, then one of the main differences would be that DPIAs focus on the rights and freedoms of data subjects. You could keep the personal data as safe as you want, but this does not guarantee that the data is processed lawfully, nor that the data subjects can effectively exercise their rights.
  • Control gap treatment


    Answer: If the gap refers to a standard's mandatory requirement, or to risks considered unacceptable in your risk assessment, it has to be resolved before the certification audit at the latest. Otherwise, its deadline can be set to a date after the certification, but you have to be prepared to present to the certification auditor the action plan for the treatment of this gap and any evidence of results already achieved.
  • Supplier Assessment questionnaire


    Answer: There is no specific document for a Supplier Assessment questionnaire (such a questionnaire is not mandatory to comply with ISO 27001 requirements), but you can draw up one based on the Security Clauses for Suppliers and Partners document, since this document lists security requirements that can be put into contracts with suppliers and outsourcing partners, and through them you can evaluate how prepared a potential supplier is. You also can take a look at the free demo of our Processor GDPR Compliance Questionnaire at this link: https://advisera.com/eugdpracademy/documentation/processor-gdpr-compliance-questionnaire/

    This document can show you how a questionnaire to assess a supplier's compliance should look.

    These articles will provide you further explanation about supplier assessment:
    - Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
    - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
  • DPIA template

    Thank you for your answer, Andrei. You have made some good points. Have a good day!
  • DPIA and risk assessment


    Answer:

    The ISO27K risk assessment is aimed at identifying the risks for companies. However, DPIAs focus on the risks to the rights and freedoms of data subjects. Another difference is that DPIAs will be a legal requirement as of May next year, as opposed to ISO standards, which are strictly voluntary from a legal perspective.
  • DPIA according to EU GDPR


    Answer:

    It relates to information security to the extent that the personal data is processed by certain IT systems, and thus those systems need to be secured in order to keep the integrity and availability of personal data. An existing ISMS would, in a DPIA, relate to the technical and organizational measures in place to protect the data.
  • Risk Treatment Plan Template


    Answer: To have a better understanding of our Risk Treatment Table, I suggest you take a look at the free demo provided through this link: https://advisera.com/27001academy/documentation/risk-treatment-table/

    With this table you can determine options for the treatment of risks and appropriate controls for unacceptable risks. This table also includes a catalogue of options for the treatment of risks, as well as a catalogue of the 114 controls prescribed by ISO 27001.

    Our templates are based on the ISO 27001 standard, so I also suggest this material to better understand the risk assessment and risk treatment process:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

    I also suggest you consider purchasing our Risk Assessment Toolkit (https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/), so you can have the complete set of documents aligned with ISO 27001 and make the adjustments to integrate them with your already implemented process. We would charge you only the price difference from what you already spent.
  • Standards for IT procedures and policies


    Answer: For the definition of IT Security and Operations Security policies compliant with ISO standards, you should consider ISO 20000 (for IT service management) and ISO 27001 (for information security management). By considering these standards, you can develop policies and procedures to ensure proper IT operations and protection of information.

    If your focus is on information security, I suggest you take a look at the free demo of our Operating Procedures for Information and Communication Technology at this link: https://advisera.com/27001academy/documentation/operating-procedures-for-information-and-communication-technology/

    The purpose of this document is to ensure the correct and secure functioning of information and communication technology.

    If your focus is on information technology, I suggest you take a look at the free demo of our ISO 20000 Documentation Toolkit at this link: https://advisera.com/20000academy/iso-20000-documentation-toolkit/

    This toolkit will help you implement, operate and manage an efficient and secure IT service process.

    These materials will provide you further explanation about ISO 20000 and ISO 27001:
    - How to implement ISO 27001 and ISO 20000 together https://advisera.com/27001academy/blog/2015/03/16/how-to-implement-iso-27001-and-iso-20000-together/
    - How to integrate ISO 27001 and ISO 20000 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-integrate-iso-27001-and-iso-20000-free-webinar-on-demand/

    2. My second question is that I am writing a new Process document & guidelines for a customer. I am planning to use the ISO standard only.
    Need help to understand how to write Process & guidelines according to the ISO standard.

    Answer: For developing and implementing procedures, I suggest the following articles:
    - Seven steps for implementing policies and procedures https://advisera.com/27001academy/knowledgebase/seven-steps-for-implementing-policies-and-procedures//
    - 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/ (the orientations applied here for ISO 27001 documents can also be applicable to other documents in general).
