Additional controls you can consider are access control (i.e., people only have access to what is needed for doing their job), and segregation of duties (i.e., any critical/sensitive task cannot be performed by a single person).
For further information, see:
1. Actually, my concern is not about the cloud document. The title of the two documents is different. In the toolkit it is "INFORMATION SECURITY POLICY", but in the video it is "INFORMATION SECURITY MANAGEMENT SYSTEM POLICY". I would like to make sure that they are the same document.
The two documents are the same. Wherever you find a discrepancy between the videos and the toolkit templates, please consider the templates the most updated versions.
Furthermore, I see other templates online that have additional content than your document. Should they not be included in this policy as well?
If you refer to the top-level Information Security Policy, please note it needs to be short and should not be confused with a more detailed IT Security Policy that is also part of the toolkit. The templates in Advisera's toolkit are designed for smaller and mid-size companies, are fully compliant with the standards, accepted by certification auditors, and are not too lengthy so as not to create an overhead. Of course, feel free to add any further text that you feel would fit well for your company.
If you already have implemented controls you need to take them into account when analyzing the risks, so your understanding is correct. In the Risk Assessment Table, in the last column, you can describe which controls are already implemented.
For further information, see:
This material will also help you regarding risk assessment:
Organizations are not closed systems. External issues are relevant topics that can influence the future of an organization. For example, governments can issue legislation that will affect the activity of an organization. Social trends can influence consumers' or clients' priorities. You can use the PESTEL analysis to help in systematically determining external issues. After the PESTEL analysis, I recommend collecting positive external issues as opportunities and negative external issues as threats and organizing the information in a SWOT matrix that allows us to determine potential risks and opportunities. Please check these two free webinars where I demonstrate the use of the technique (they are about ISO 9001, but applicable also to ISO 14001):
The following material will provide you with more information:
No, any mandatory documents and records from a clause not applicable to an organization are not relevant to that organization’s quality management system. For example, if clause 8.3 is not applicable, no records from that clause are required.
Please check the following information:
Whenever a call on Zoom is initiated, Zoom Video Communications, Inc. processes personal data. MP4 files of all video, audio, whiteboard, captions and presentations, audio transcript files, attendee information (screen name, join/leave time), etc., are all personal data according to the definition of personal data that can be found in Article 4 (1) GDPR: "any information relating to an identified or identifiable natural person". Zoom Video Communications, Inc. processes personal data on behalf of its customers and acts as a Data Processor according to the definition from Article 4 (8). Since Zoom Video Communications, Inc. is a US-based company, the new EU Standard Contractual Clauses should be signed. Zoom Video Communications, Inc. offers a Data Processing Agreement which also includes EU Standard Contractual Clauses requirements, at https://explore.zoom.us/docs/doc/Zoom_GLOBAL_DPA.pdf
You can find more details at these links:
Please note that the risk assessment, risk treatment, and elaboration of the Statement of Applicability have very different steps, so you do not repeat the same activities. And you cannot go directly to the controls because the standard requires all defined steps for risk assessment and risk treatment to be performed.
In risk assessment you identify, analyze, and evaluate risks. As output you have a prioritized list of risks, and which ones require treatment or not.
In risk treatment you define treatment options and applicable controls, elaborate the SoA and the risk treatment plan, approve the risk treatment plan, and accept the residual risks.
The Statement of Applicability is different from risk treatment because there you need to take into account (besides the results of the risk assessment) also legal and regulatory requirements, as well as management decisions. On top of this, the SoA keeps track of the implementation method and implementation status; these are not mentioned in the risk treatment.
In Conformio, the Statement of Applicability is created automatically based on the results of the Risk Register module. You only need to add some items if needed, like justifications based on legal and contractual requirements, management decisions, or specific information about implementation methods.
For further information, see:
- How to automate the creation of the Statement of Applicability https://advisera.com/conformio/blog/2021/01/20/how-to-automate-the-creation-of-statement-of-applicability/