
  • Standard Contractual Clauses template

    How can I acquire the UK Employee Clauses (Standard Contractual Clauses) template? I purchased the GDPR & ISO combination Toolkit from Advisera a few years ago; is this template available as an add-on to the Toolkit or as a separate purchase from Advisera? I serve as a DPO (Data Protection Officer), as our HR department wants to add this to the employee handbook for our UK employees.
  • GDPR - Collection of marketing consent from consumers

    As you are a data controller, according to Article 4 GDPR – Definitions – you determine the purpose and means of the processing of personal data. I am supposing that you use consent as a legal ground for processing personal data in order to send marketing messages to the customers who accepted this. Article 4 GDPR – Definitions – and Article 7 GDPR – Conditions for consent – require the consent to be “freely given, specific, informed and unambiguous” and presented “in an intelligible and easily accessible form, using clear and plain language”. That being said, you can choose what communication channels you offer to your customers – whether online or postal. So you can remove the postal option; just make sure that you collect the consent properly and you process the data respecting all GDPR requirements.

    Please also visit these links for more details:

  • Annex A

    Please note that according to ISO 27001, security controls can be demanded to treat relevant risks, fulfill legal requirements (e.g., laws, regulations, contracts, etc.), or by management decisions.

    Considering that, you need to verify the results of risk assessment, applicable legal requirements, and your management objectives and strategies to decide which controls are applicable / not applicable.

    For example, control A.14.2.9 System acceptance testing can be required for the acceptance of new information systems, upgrades, and new versions of the software provided by third parties.

    This article will provide you with a further explanation about the selection of controls:

  • Advise on Project timelines for ISO 27001 Certification

    1 - Our ISO 27K implementation project is on track to complete the documentation phase by the end of March. The plan after that is to have all control records and evidence in place for an internal audit by April 22nd. Thereafter (all being well) the plan is to engage with an external auditor to commence the external audit process on June 15th, with an aim to be certified by June 30th.

    The question I have is, are these dates realistic? 

    An internal audit can be performed within 1 day, with whatever records you may have, so a three-week period for generating evidence is more than enough to gather evidence for the internal audit.

    Two weeks for the certification audit process is a realistic timeframe (in general certification audits last from 2 to 5 days, depending on scope size and complexity).

    For further information, see:

    2 - My second question relates to major nonconformities. As I understand it, if the audit finds a major nonconformity we have 3 months to correct it. Is this a fixed period, as in we can only move the audit process forward once the 3 months have elapsed, or does it restart after we have resubmitted the evidence that proves we have corrected it?

    The certification audit is not resumed after the nonconformity is corrected. The auditor will verify if the nonconformity is resolved (after the official part of the certification audit is completed) and the evidence is sent to him.

    For further information, see:

  • Implementation of ISO-27001

    According to ISO 27001, the ultimate actions and decisions to be considered for the ISMS are those from the top management, not those from the owner of the company - of course, if the owner of the company is also its CEO then this person will have full power to make decisions.

    In practice, the top management will have to act and decide on how to support the ISMS with resources and ensure security policies and procedures are followed, if not, the company might lose its certificate.

    In case the top management wants to change some security objectives/controls/priorities/resources, etc. this must be in writing, taking into account risks and requirements of interested parties (e.g., the company’s owner, customers, suppliers, government, etc.) - in other words, such decisions must be made taking into account the security needs.

  • Video of A17 (ISO 27001 lead implementer course)

    The IT disaster recovery refers to point 4 – Redundancies, which is covered by controls A.17.1.2 - Implementing information security continuity, and A.17.2.1 - Availability of information processing facilities.

    This article will provide you with a further explanation about Disaster Recovery:

  • ISO 27001 / ISO 27002 Update

    First, it is important to note that as of this date (4-Mar-2022) a new version of ISO 27001 has yet to be published.

    Considering that, some templates in the current ISO 27001 Documentation Toolkit will need to be updated to become fully compliant with the new ISO 27001.

    We will update the toolkits as soon as the new revision of the standard is published, and customers that bought the toolkit in the twelve months before the release of the new ISO 27001 will receive the updated documents, as well as information about what has changed and guidance on what to change in other documents.

    For further information, see:
    - 11 most important facts about changes in ISO 27001/ISO 27002 https://advisera.com/27001academy/blog/2022/02/09/iso-27001-iso-27002/

  • Risk Assessment - Must Risk Assessments include business processes and activities?

    You need to perform the Risk assessment over all the elements defined in the ISMS scope (e.g., information, processes, or locations).

    Please note that business systems and IT asset groups are only some categories you need to consider for the Risk assessment. For example, you also may need to consider human resources, facilities, and external services, when assessing information security risks.

    These articles will provide you with a further explanation about risk assessment:

    This material will also help you regarding risk assessment:

  • ISO 27001 certifications

    1. Is it worth it for me to obtain the ISO 27001 Foundations certification? I would like to get it in April 2022.

    Answer: ISO 27001 certification certainly is worthwhile for professionals, and it will give you a comprehensive view of the standard, but it is not mandatory for your company to get certified.

    For further information, see:
    - How personal certificates can help your company’s ISMS https://advisera.com/27001academy/blog/2014/10/06/how-personal-certificates-can-help-companys-isms/
    - What to look for when hiring a security professional https://advisera.com/27001academy/blog/2016/02/15/what-to-look-for-when-hiring-a-security-professional/
    - Is ISO 27001 the right path for your career? https://advisera.com/27001academy/blog/2021/06/07/is-iso-27001-the-right-path-for-your-career/

    2. Are “Lead Implementer” and “Lead Auditor” certifications still adequate?

    Answer: These certifications are still adequate as proof of competence on ISO 27001, but they are most recommended for professionals that want to work as consultants.

    For further information about these certifications, see:

    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
    - What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
    - Free online training ISO 27001 Lead Auditor Course https://advisera.com/training/iso-27001-lead-auditor-course/
    - Free online training ISO 27001:2013 Lead Implementer Course https://advisera.com/training/iso-27001-lead-implementer-course/

  • Question regarding ISO Process

    Please note that in the ISO 27001 risk assessment and treatment process the risk treatment needs to be performed before developing the Statement of Applicability.

    Broadly speaking, these are the steps:

    • ISO 27001 risk assessment methodology
    • Risk assessment implementation
    • Risk treatment implementation
    • Risk Assessment and Treatment Report
    • Statement of Applicability
    • Risk Treatment Plan

    These articles will provide you with a further explanation about risk assessment and risk treatment:
