Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11272 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Data importer and Data exporter
We are being asked to fill in the "data exporter" during an agreement with a third party, and my understanding is that it should refer to our company name, but I want to be sure.
Answer:
The EU GDPR does not provide a definition for the “data importer” or the “data exporter”, nevertheless these definitions can be found in COMMISSION DECISION 2010/87/EU on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council.
According to article 2 of the abovementioned Decision:
- “data exporter” means the controller who transfers the personal data;
- “data importer” means the processor established in a third country who agrees to receive from the data exporter personal data intended for processing on the data exporter’s behalf after the transfer in accordance with his instructions and the terms of this Decision and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC.
Learn more here: EU GDPR controller vs. processor – What are the differences?https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/ -
ITSM Implementation
Answer:
That depends on many circumstances. But, let's assume you have management commitment and available resources (if not - gaining management commitment is -must have). Our free webinar (recording is available) "How to use a Documentation Toolkit for the implementation of ITIL / ISO 20000 " https://advisera.com/20000academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-itil-iso-20000-free-webinar-on-demand/ will give you many information that you can use to start your project and answer the question regarding necessary documentation.
Also, the article "12 steps for ISO 20000 implementation" https://advisera.com/20000academy/blog/2016/09/06/12-steps-for-iso20000-implementation/ contains guidance how to approach the implementation.
Regarding training - at least ISO 20000 Foundation is a dvisable. It will give you understanding of the standard's requirements and some hints how to approach the implementation. -
Implementar ISO 22301 sin ISO 27001
Pregunta: es posible implementar la ISO 22301 sin la iso 27001? Respuesta: Completamente, aunque si implementas ISO 27001, la implementación de ISO 22301 puede ser muy sencilla, porque ambos estándares tienen muchos puntos en común. Este webinar te puede resultar interesante: https://advisera.com/27001academy/es/webinar/iso-27001-iso-22301-why-is-it-better-to-implement-them-together-free-webinar/ -
No Quality Manual?
Answer:
First, there is no mandatory requirement to keep documented information about clause 4.2. That means, organizations are free to decide how to handle that clause. An organization can decide to answer clause 4.2 in a top management meeting record for example.
Second, although the Quality Manual is no longer a mandatory document under ISO 9001:2015, that doesn’t mean that an organization shouldn’t keep a document, called Quality Manual, or Organization ID Card, or by any other name, reuniting important information about the organization such as: Who we are, What we do, to Whom and with Whom do we work, in What we believe, How do we do it
The following material will provide you information about ISO 9001:2015 and the Quality Manual:
ISO 9001 – The future of the Quality Manual in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/ ebase/the-future-of-the-quality-manual-in-iso-90012015/
free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/ -
SaaS providers and EU GDPR
Answer:
Regarding big SaaS suppliers as the ones you mentioned, all of them have either Privacy Policies or Terms and Conditions that you most likely agreed on when purchasing the services. These documents regulate the processing activities between you and the suppliers.
These documents will be updated for sure to meet the requirements of the EU GDPR at least when talking about suppliers like Microsoft.
Nevertheless, the obligations posed on processors such as the ones mentioned in article 28 of the EU GDPR ( processor must not appoint a sub-proc essor without the prior written consent of the controller, processors must implement appropriate technical and organisational security measures to protect personal data, etc.) would still be applicable even if they are not mentioned in a contract or any other legally binding document.
If they don’t comply with the above mentioned obligations they would be facing fines form the competent Supervisory Authorities. You could also bring them to court it they failed to fulfill their legal obligations as regards to EU GDPR compliance and you suffered a loss as a result.
Moving to the small SaaS providers, these regardless of their size, should be compliant with the EU GDPR (assuming the GDPR applies to them based on art. 3 of the EU GDPR). For these suppliers you would need to have a signed Data Processing Agreement (DPA). The Supplier Data Processing Agreement can be found under folder 7 of the EU GDPR Documentation Toolkit.
Depending on the types and categories of personal data processed by one of these suppliers a Due Diligence process might be necessary. For the Due Diligence process the Processor GDPR Compliance Questionnaire, which can be found under folder 7 of the EU GDPR Documentation Toolkit, can be used. -
Processing of publicly available personal data
Answer:
Regarding the processing of publically available personal data you would have to consider the fact that processing needs to be in line with the scope for which that data was made publically available by the data subject.
For example, you could get email addresses from LinkedIn and it would be fine to use those to contact the data subjects for recruitment purposes or to buildup a CV data base using the information fro m LinkedIn if you are a recruiting company.
However, if the email addresses were to be uses for marketing purposes this processing will most likely be unlawful unless you obtain the consent of the data subjects.
You could also check out this case law in Italy which you might find useful - https://europrivacy.info/2016/10/31/italiano-dati-personali-resi-manifestamente-pubblici-dallinteressato-e-uso-di-dati-pubblicati-su-social-network-prime-osservazioni-allart-9-co-2-lett-e-gdp/
The issue regarding Whois is still under debate but most likely changes would follow such as granting access to the information on domain holders only for law enforcement agencies. -
Interested parties
Answer: The way employees families should be considered will depend upon how they can impact, or be impacted by the organization's information security needs (you can determine that by identifying the organizational context as required by ISO 27001 clauses 4.1 and 4.2). Some examples may be:
- a family member using an employee's device (e.g., notebook, tablet, etc.) connected to organization's systems which may accidentally disclose sensitive information or install a malware
- a family member may be held hostage to force an employee to reveal organization's sensitive information
In both cases the organization may identify a real risk that should be mitigated and consider the implementation of proper controls.
These articles will provide you further explanation about context and interested parties identification:
- How to identify interested parties according to ISO 27001 and ISO 22301 https://adv isera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301/
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
These materials will also help you regarding context and interested parties identification:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
Firewall use requirements
Answer: I'm assuming that by the terms "Open source" and "License" you mean a firewall that is free of charge or paid .
Considering that, ISO 27001 is not prescriptive about how a firewall, or any other control, should be implemented, so organizations have freedom to choose the implementation that better fits its needs, provided that the solution is used in accordance with the license terms associated therewith (even open source firewall may have license terms that must be followed).
This article will provide you further explanation about using firewalls:
- How to use firewalls in ISO 27001 and ISO 27002 implementation https://advisera.com/27001academy/blog/2015/05/25/how-to-use-firewalls-in-iso-27001-and-iso-27002-implementation/
This material will also he lp you regarding the use of firewalls:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/ -
Risk based thinking and audits
Answer:
I don’t advise a change in audit procedures. I advise to continue to audit each department against to the requirements of all the clauses and internal documentation applicable. During the audit, you can check if important risks, based on actual performance, have been determined and acted upon. Risk based thinking is another way of promoting preventive actions in organizations.
The following material will provide you information about risk based thinking:
ISO 9001 – Risk-based thinking replacing preventive action in ISO 9001:2015 – The benefits - https://advisera.com/9001academy/knowledgebase/risk-based-thinking-replacing-preventive-action-in-iso-90012015-the-benefits/
How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
Free webinar – How to implement risk management in ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar/
free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/