Search results

  • ISO/IEC 27001/2 Harmonization

    There still is no official date for starting the review of both ISO 27017 and ISO 27018 considering the new ISO 27002. The expectation is that this timeline will be published together with the information about the update of ISO 27001.

  • DMS/Apps - information/content delineation questions

    1. What we are getting confused over is, what information/content can stay in Fibery and Hubspot (and other Collaborative apps like Confluence – which we will be using) and what we need to move into the DMS. Is there any guidance on how to approach this? For example, if we leave ISMS related content in Fibery and point the hyperlink to the content is that OK ...

    ISO 27001 does not prescribe where to store documents and files, so organizations can adopt the approach that better suits their needs, provided the standard’s requirements for creation, update, and control of documents are fulfilled.

    Considering that, your approach of leaving ISMS-related content in Fibery and pointing the hyperlink to the content is acceptable, provided you fulfill the standard’s requirements for the creation, update, and control of documents.

    For further information, see:

    2. Another question is, most 3rd party apps provide features to create documents. For example, Fibery has a document function to create docs to their standards. However, they do not have the fields to store many of the ISO Document standards, like control info and classification type. And access can be open to anyone authorised. Would it be fair to say that any ISMS related documents and records should not be stored in such an app?

    Your understanding is correct. You should avoid the use of apps that cannot allow document management according to ISO 27001 requirements.

  • Question regarding Data Breach Response Team

    A data breach is defined in Art 4 GDPR – Definitions – as a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”. According to Article 33 GDPR - Notification of a personal data breach to the supervisory authority – the data breach should be reported to the Supervisory Authority “unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”. When you assess the risks related to the rights and freedoms of data subjects, you need to ask what could happen to the data subject if the compromised data would be exposed.

    If an email account is compromised, there are significant risks for conversations to be exposed, for email addresses to be exposed, attacked, or abused. All these risks need to be assessed and documented before deciding to report them to the authority. Anyway, the supervisory authority is requesting each data controller that reports a data breach to give all the details related to the data breach, including likely consequences for the affected data subjects.

    In the EU GDPR Premium Documentation Toolkit, in directory 12 – Personal Data Breaches – there are two templates to help you: a procedure for Data Breach Response and Notification and a Data Breach Notification Form to the Supervisory Authority. If you fill in all the details in these two documents, you will know better whether to report the incident to the supervisory authority or not.

    Please consult also these resources:

  • ISO 27002 changes

    Please note that ISMS audits are based on ISO 27001, not on ISO 27002. 

    Considering that, until changes made in the new ISO 27002 are incorporated in ISO 27001 Annex A, ISMS audits can be based on the valid version of ISO 27001 standard.

    This article will provide you a further explanation about new ISO 27002:

    - 11 most important facts about changes in ISO 27001/ISO 27002 https://advisera.com/27001academy/blog/2022/02/09/iso-27001-iso-27002/

  • Undocumented Controls

    Please note that by “All required ISO 27001 documents” we mean that our ISO 27001 Documentation Toolkit covers all mandatory documents and some documents that are not mandatory. The controls you listed do not need to be documented according to the standard, and in our opinion, it would be an overhead to document each and every one of them in a small company. 

    Our toolkit is created specifically for smaller companies that want to implement ISO 27001 in a quick way, without unnecessary paperwork; for larger companies that require more documents, we recommend getting some other solution.

    This article will also help you: 

  • Continuous responsibilities

    Please note that “continuous responsibilities” refers to tasks without a specific deadline (i.e., they must be performed while the ISMS is being used) that must be performed on demand.

    Considering that, you should consider such tasks as done for a specific demand when you generate the related evidence that it was performed.

    For example, the task “Identify all legal, regulatory, contractual, and other requirements related to interested parties that can affect or be affected by information security management.”, is considered “done” when you update the Register of Requirements module.

  • Task Link Issue

    Please note that regardless of whether you use the wizard to review or approve the document or not at the time of receiving the document review task, the checkpoint for the definition of the date of the next review is the date of approval of the document.

    This means that the tasks are created every x months (depending on what you have defined as the update frequency in the properties tab) from the date of approval.

    For example, if you have approved the document on March 1, 2021, and the update frequency is 6 months, then a new review task will be created every 6 months from March 1, regardless if you proceed with the review through the wizard or not.

  • Document Set

    The Advisera GDPR toolkit includes all the necessary documents needed for you to complete your GDPR-compliance journey. Since you are processing special categories of personal data (health data), I recommend performing a Data Protection Impact Assessment, per Article 35. As part of the Advisera GDPR Toolkit, there is a DPIA Methodology document that can help you. Also, you need to consider informing the data subjects affected by these transfers. As part of the GDPR Toolkit, there are templates for Privacy Notices.

    As an American company, you need to check whether you are subject to FISA 702 US Regulation. If yes, you need to take additional measures in order to protect EU data, according to Chapter V in GDPR - TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS. The best transfer mechanism to use in this case is the EU Standard Contractual Clauses, per Article 46 – Transfers subject to appropriate safeguards, but you need to take additional measures such as encryption of data-at-rest and in-transit, with a key stored on a server in EU.

    The risks would be clearly reduced if you have full storage of data on EU servers managed by an EU organization.

    Please also consult these resources:

  • Risks registered is not effective

    Thanks for the tips and points to enhance risks registered, however 140 risks is a huge number to maintain regardless of the treatment. I'm expecting something around 20 risks max to be easily maintained, especially the main dimensions for security control under CIA. In addition, ISO does not insist on including assets in risk handling,

  • ISMS

    1. Within the document of the scope of the ISMS in point 3.3 Networks and IT infrastructure, should the network segments, IT Infrastructure (routers, switches, etc.) be fully detailed or is it enough to place a graphic of our diagram network?

    A general description of networks and IT infrastructure, like a diagram network, is enough to include in the ISMS scope document.

    For further information, see:

    2. In the ISMS implementation project plan Doc, point 3.1 Project objective, can the date that is set as a limit be changed as the ISMS implementation progresses, or should that date not be changed once it has been defined?

    The information in the Project Plan document, such as the implementation date deadline, can be changed as the ISMS implementation progresses. You only need to ensure to get proper approvals and communicate with people affected by the changes.

    3. In the ISMS Implementation Project Plan Doc, point 3.4.2 Project Manager, can two or more people be designated as project manager, or can it only be one person?

    For small projects, only a single project manager should be considered as the main alternative (in many cases there won’t be enough work to justify designating more than one project manager). When more than one is designated, you need to make clear their responsibilities and authorities, to avoid overlap.

    For further information, see:

    4. In the ISMS implementation project plan Doc, point 4 Management of saved records, within the table is only the project plan document detailed or should all the documents that are of the ISMS be detailed (e.g. scope document, security policy, etc.)?

    In section 4 of the Project Plan document, you need to include only the documents related to the management of the project, not the project’s deliverables. Project progress reports are examples of records related to this section.
