Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11277 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
IR35 compliance and ISO 27001
I’m assuming you are referring to the UK legislation to combat tax avoidance by workers, and the firms hiring them.
We are not legal experts, so you should seek local expert advice for a more definitive answer, but provided the contractors only need to follow rules related to information security applicable to all contractors (either they are a personal services company or not), and do not need to follow other rules applied to your own employees (e.g., defined working hours), you may be able to classify them as not employees.
Some conditions you should consider to evaluate IR35 applicability are:
- Control: what degree of control does the client have over what, how, when, and where the worker completes the work (the less control the client has the less applicable is IR35)
- Substitution: is personal service by the worker required, or can the worker send a substitute in their place? (in case substitution is possible less applicable is IR35)
-
Grouping of Assets in Risk Assessment Table
Both approaches are accepted by the standard. As a tip for planning on how to group assets, you should consider assets that share similar risks.
For example, you can have development PCs, Sales PCs, etc. In case all desktops share the same risks, you can use your PC's Office x” approach.
This article will provide you with a further explanation about the register of assets:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
-
A.15 Control section
I’m assuming that by Y2005 and Y.2013 you are referring to versions 2005 and 2013 of ISO 27001.
Considering that, there is no official explanation for this change, but most probably the change was made to make the application of the control clearer.
ISO generally uses the term “third party” for an entity that is independent of the organization, like customers, suppliers, business partners, government, etc.
Since the controls from ISO 27001 Annex A are related to suppliers, it makes more sense to change the section name to reflect this situation.
This article will provide you a further explanation about supplier security management:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
-
Naming of ISO 27001 Annex
ISO 27001 Annex A is directly related in numbering to ISO 27002 (a non-mandatory standard which provides guidance for implementation of Annex A controls), and sections 1 to 4 in ISO 27002 do not cover controls:
0 Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Structure of this standard
From section 5 onwards, the section title is the same from the respective ISO 27001 Annex A section. For example, both ISO 27001 Annex A.5 section and ISO 27002 section 5 are titled A.5 “Information security policies”
This article will provide you a further explanation about ISO 27001 and ISO 27002:
- ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
-
GDPR and drones
Yes, GDPR applies to drones usage when drones record images of people. If this recording is for scientific research, according to article 89 (2) GDPR you might qualify for a derogation from GDPR requirements, related to processing for scientific research. However, recital 156 requires you to make sure you implemented the necessary controls to ensure data minimization and data pseudonymization or even anonymization of personal data once the purpose of processing is fulfilled.
Find more details about GDPR requirements at the following links:
- A summary of 10 key GDPR requirements https://advisera.com/eugdpracademy/knowledgebase/a-summary-of-10-key-gdpr-requirements/
- Full text of article 89 in GDPR: https://advisera.com/eugdpracademy/gdpr/safeguards-and-derogations-relating-to-processing-for-archiving-purposes-in-the-public-interest-scientific-or-historical-research-purposes-or-statistical-purposes/
-
Question regarding ISO 27001 Lead Auditor training & Certification
Hi, I also want to know which training provider holds good market value is it EXEMPLAR GLOBAL, IRCA or any other training centre from where one can get honest review and feedback for the same.
-
Lead Auditor Exam
The ISO 27001 Lead Auditor Course provided by Advisera is accredited by Exemplar Global, and it is all you need to be able to take the Lead Auditor Exam to obtain the Certificate.
For further information, see:
- ISO 27001 Lead Auditor Course https://advisera.com/training/iso-27001-lead-auditor-course/
-
Instruction on how to revise a manual
In this article - List of mandatory documents required by ISO 9001:2015 – https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/ - you can see the mandatory documents and records according to ISO 9001:2015
-
Question-MDR
Yes, you are right, we did not have in our documentation toolkit GSPR list. We are just preparing it and it will be issued by the end of this year. So, if you have given this one, feel free to use it.