fbpx

CIMSNex User Guides

System Guides

ISMS Guides
Star InactiveStar InactiveStar InactiveStar InactiveStar Inactive

A.5.34 "Privacy and Protection of Personal Identifiable Information (PII)" would include:

  1. Privacy Policies and Notices: Documentation of clearly defined and communicated privacy policies and notices that explain how personal identifiable information (PII) is collected, used, disclosed, and protected.

  2. PII Inventory: Records of the types of PII collected, stored, and processed by the organization, along with their purposes and legal basis.

  3. Data Processing Agreements: Evidence of data processing agreements with third parties that handle PII on behalf of the organization, outlining responsibilities and safeguards.

  4. Consent Records: Documentation of methods used to obtain consent from individuals for the collection and processing of their PII.

  5. Access Controls: Proof of access controls in place to ensure that only authorized personnel have access to PII and that access is based on job roles and responsibilities.

  6. Data Minimization: Evidence of practices that ensure only necessary PII is collected and processed, and that data is not retained longer than necessary.

  7. Encryption: Documentation of encryption methods applied to PII during storage, transmission, and processing.

  8. Secure Storage: Records of secure physical and digital storage methods implemented to protect PII from unauthorized access.

  9. Individual Rights: Documentation of procedures for individuals to exercise their rights regarding their PII, including requests for access, correction, deletion, and objection.

  10. Data Breach Response Plan: Evidence of a documented data breach response plan that outlines steps to take in case of a breach involving PII.

  11. Incident Response Procedures: Documentation of procedures for handling and reporting incidents involving the unauthorized access or disclosure of PII.

  12. Vendor Management: Evidence of privacy assessments and due diligence conducted on third-party vendors handling PII.

  13. Privacy Impact Assessments (PIAs): Records of PIAs conducted for new projects or systems that involve the processing of PII.

  14. Employee Training: Proof of training programs provided to employees on handling PII, privacy policies, and data protection best practices.

  15. Data Retention and Deletion: Documentation of policies and practices for retaining and deleting PII once its purpose has been fulfilled.

  16. Secure Transmission: Evidence of secure transmission protocols used when sharing or transferring PII.

  17. Cross-Border Data Transfer: Documentation of methods to ensure compliance with data protection laws when transferring PII across borders.

  18. Consent Management: Records of mechanisms to manage and track individuals' consent for processing their PII.

  19. Regular Audits and Assessments: Evidence of regular audits or assessments conducted to ensure compliance with privacy policies and data protection regulations.

  20. Privacy by Design: Documentation of practices and considerations to integrate privacy into the design of systems and processes that handle PII.

  21. Privacy Officer or Data Protection Officer (DPO): Evidence of a designated individual responsible for overseeing privacy compliance and handling PII-related matters.

  22. Documentation of Data Flows: Records of how PII moves through the organization's systems, networks, and processes.

  23. User Education and Awareness: Proof of initiatives to educate users (including customers and employees) about data protection, privacy practices, and their rights.

  24. Regulatory Compliance: Evidence of compliance with relevant data protection laws and regulations (such as GDPR, CCPA, etc.) applicable to the organization's operations.

By reviewing these types of evidence, an auditor can assess whether the organization has implemented appropriate measures to protect the privacy of individuals' personal identifiable information (PII) and comply with data protection laws and regulations.

  •            At the highest level, the Information Security Policy has been defined and approved by top management setting out the organization’s approach to managing Privacy including policies on clear statements concerning support for and commitment to complying with PII applicable legal requirements (e.g., laws, regulations, and contracts), clarifying responsibilities between involved parties.
  •            A Data Protection officer has been appointed to manage a governance and privacy program.
  •         Awareness of consequences to involved parties of breaching privacy or security rules and procedures.

 

ISMS Guides
Star InactiveStar InactiveStar InactiveStar InactiveStar Inactive

A.5.33 "Protection of Records" would include:

  1. Record Management Policies: Documentation of policies and procedures for the management, storage, retention, and disposal of records within the organization.

  2. Categorization of Records: Identification of different categories of records, including sensitive and confidential records, and how they are classified for protection.

  3. Access Controls: Documentation of access control mechanisms in place to ensure that only authorized personnel can access and modify records.

  4. Roles and Responsibilities: Records of roles and responsibilities assigned for managing and overseeing record protection and access.

  5. Record Retention Schedule: A documented record retention schedule specifying how long different types of records need to be retained before disposal.

  6. Backup and Recovery: Documentation of backup and recovery procedures for records to ensure availability and data integrity.

  7. Encryption: Evidence of encryption measures applied to sensitive or confidential records, especially during storage and transmission.

  8. Secure Storage: Proof of secure physical and digital storage measures for records to prevent unauthorized access or damage.

  9. Audit Logging: Documentation of audit logging practices to monitor access and changes to records, as well as regular reviews of these logs.

  10. Data Loss Prevention (DLP): Documentation of DLP measures implemented to prevent unauthorized sharing or leakage of sensitive records.

  11. Records Disposal: Procedures and evidence of secure and appropriate disposal methods for records that have reached the end of their retention period.

  12. Protection of Backup Records: Documentation of safeguards in place to protect backup copies of records from unauthorized access or loss.

  13. Disaster Recovery Plan: Documentation of the organization's disaster recovery plan, including measures for restoring and protecting records in case of data loss.

  14. Regulatory Compliance: Evidence of compliance with legal, regulatory, and industry requirements for record protection and retention.

  15. Incident Response: Documentation of incident response procedures in case of unauthorized access, data breaches, or loss of records.

  16. Employee Training: Records of training programs provided to employees regarding the proper handling, protection, and disposal of records.

  17. Secure Transmission: Evidence of secure transmission protocols used when records need to be shared or transferred electronically.

  18. Physical Security Measures: Documentation of physical security measures implemented to protect physical records and storage facilities.

  19. Vendor Management: If records are managed by third-party vendors, evidence of agreements and practices to ensure the protection of records.

  20. Monitoring and Auditing: Documentation of monitoring and auditing procedures to assess compliance with record protection policies.

  21. Non-Disclosure Agreements (NDAs): Evidence of NDAs or confidentiality agreements used with third parties that have access to the organization's records.

  22. Regular Reviews: Records of regular reviews and assessments of record management practices to ensure ongoing effectiveness.

  23. Escalation Procedures: Procedures for escalating potential breaches or violations of record protection policies.

By reviewing these types of evidence, an auditor can assess whether the organization has established appropriate measures to protect its records from unauthorized access, loss, or tampering, ensuring data integrity and confidentiality.

 

ISMS Guides
Star InactiveStar InactiveStar InactiveStar InactiveStar Inactive

A.5.32 "Intellectual Property Rights" would include:

  1. Intellectual Property Policies: Documentation of policies and procedures related to the management and protection of intellectual property rights within the organization.

  2. Identification of Intellectual Property: Records demonstrating the identification and categorization of intellectual property assets owned or used by the organization (e.g., patents, trademarks, copyrights, trade secrets).

  3. Ownership Documentation: Proof of ownership or rights to use intellectual property, including agreements, contracts, licenses, and registrations.

  4. Intellectual Property Registers: Registers or databases containing details of intellectual property assets, including their owners, creators, expiration dates, and terms of use.

  5. Protection Measures: Documentation of measures taken to protect intellectual property from unauthorized access, use, and disclosure (e.g., access controls, encryption).

  6. Employee Training: Evidence of training programs to educate employees about the importance of intellectual property rights and their responsibilities to protect them.

  7. Third-Party Agreements: Copies of agreements with third parties, vendors, or contractors that include clauses related to intellectual property rights and ownership.

  8. Secure Collaboration: Records of secure collaboration and data sharing practices to prevent inadvertent leakage of intellectual property.

  9. Non-Disclosure Agreements (NDAs): Documentation of NDAs or confidentiality agreements used to protect sensitive intellectual property information shared with external parties.

  10. Monitoring and Auditing: Documentation of monitoring and auditing processes used to ensure compliance with intellectual property policies and prevent unauthorized use.

  11. Handling of Third-Party Intellectual Property: Procedures for handling third-party intellectual property rights in the organization's products, services, and operations.

  12. Disposal of Intellectual Property: Procedures for the secure disposal of intellectual property assets that are no longer needed or relevant.

  13. Legal Disputes: Documentation of any legal disputes, claims, or actions related to intellectual property rights involving the organization.

  14. Documentation of Misuse: If incidents of misuse or unauthorized access to intellectual property have occurred, evidence of how these incidents were identified and addressed.

  15. Regular Reviews: Records of regular reviews and assessments of the organization's intellectual property portfolio and protection measures.

  16. Escalation Procedures: Procedures for escalating potential violations of intellectual property rights and the steps taken to address them.

  17. Evidence of Compliance with Regulations: Documentation demonstrating compliance with intellectual property laws, regulations, and industry standards.

  18. Evidence of Collaboration: Documentation of collaborations, partnerships, or joint ventures involving intellectual property and the measures taken to protect the interests of all parties.

  19. Documentation of Intellectual Property Strategy: If applicable, evidence of a well-defined intellectual property strategy aligning with the organization's business goals.

By reviewing these types of evidence, an auditor can assess whether the organization is effectively managing, protecting, and respecting intellectual property rights, both internally and in collaboration with external parties.

 

 

USER GUIDES

Image
Empowering organizations to achieve their performance objectives through a unique blend of consulting expertise and technology-driven solutions.

More Links

FEATURED SERVICES

Performance Improvement Consulting

ISO Management Systems Training

Customized Consulting Services

Technology Integration Solutions

 

ISO Compliance Software
Integrate . Mantain . Comply

Search