
  • Appointing a representative

    You may contact the German Supervisory Authority where the data subjects were located. Article 60 GDPR established a cooperation mechanism between Supervisory Authorities that helps to assess similar situations, and there is mutual recognition of the validity of decisions. Therefore, if a data breach occurs you can notify only one Supervisory Authority (i.e., in Germany).

    Here you can find more information about Supervisory Authorities:

    If you are interested in implementing EU GDPR compliance, you can consider enrolling in our free EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/

  • Microsoft tools for compliance

    We are not experts in the MS Compliance tool, so what we can suggest is that you ask your IT department to demonstrate how this tool covers each mandatory clause of ISO 27001 (clauses 4 to 10) and the controls from Annex A. From this assessment, you can identify whether this tool can cover all your needs or whether an additional solution is required.

    For example, how does MS Compliance cover the definition of the ISMS scope? Does MS Compliance handle information security competence and awareness? How does MS Compliance handle controls A.7.1.1 Screening and A.7.1.2 Terms and conditions of employment?

    From MS Compliance documentation made available by Microsoft, it seems that this tool covers a lot of clauses and controls from ISO 27001, but not all of them.

    You can also sign up for a free trial in Advisera's ISO 27001 compliance software Conformio https://advisera.com/conformio/ and double-check how the Microsoft tool compares to it.

  • ISO 27001 certification

    For certification against ISO 27701, please note that ISO 27701 was developed as an extension of ISO 27001 and ISO 27002.

    Considering that, the most common approaches for implementation are implementing on your own, or implementing on your own with expert support. Each alternative has its pros and cons, and I suggest you take a look at this white paper to identify which alternative is best for you:
    - Implementing ISO 27001 with a consultant vs. DIY approach https://info.advisera.com/27001academy/free-download/implementing-iso-27001-with-a-consultant-vs-diy-approach

    When considering a DIY approach, using a specialized platform can help you a lot, and for that I suggest you take a look at our Conformio platform at this link: https://advisera.com/conformio/

    If you decide to use a consultant, this article will help you: 5 criteria for choosing an ISO 22301 / ISO 27001 consultant https://advisera.com/27001academy/blog/2013/03/25/5-criteria-for-choosing-a-iso-22301-iso-27001-consultant/

  • Asset to Vulnerability Error

    Please note that the person responsible for treating a nonconformity is defined on a case-by-case basis in the Nonconformity register, because for each nonconformity you may have different persons with the interest/skill/authority to solve it. In the Nonconformity register you will be able to add a person responsible for a particular nonconformity.

    In the Procedure for Nonconformities and Corrective Actions, you only define in a generic way that a person needs to be in charge of the nonconformity, so the specific person is defined in each nonconformity.

    For further information, see:
    - Case study: How to solve nonconformities using online ISO 27001 compliance software https://advisera.com/conformio/blog/2020/08/12/case-study-how-to-solve-nonconformities-using-online-iso-27001-compliance-software/
    - Practical use of corrective actions for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2013/12/09/practical-use-of-corrective-actions-for-iso-27001-and-iso-22301/

  • Is maintenance required to have a critical parts list?

    According to the IATF 16949:2016 standard, article 8.5.1.5, critical spare parts should be kept and followed up with a minimum stock level.

    When equipment fails and part replacement is required, if the item to be replaced is a hard-to-find and critical item, spare parts should be kept in stock by the organization.

  • BIA - The time after which the resource is needed

    Your understanding is correct.

    When considering all three scenarios at the same time, then you need to adopt the shortest one to ensure all scenarios can be handled in case of disruption.

  • Register of Requirements

    1 - Quick question, why is there no ability to have people review the register of requirements like there are for the other documents?

    Please note that the register of requirements is not in fact a document, but a list of entries referring to laws, regulations, contracts, and other legal requirements, where each entry can have its own review frequency (because their deadlines and changes are not defined by the organization) and responsible person, so applying the review and approval flow used for other documents does not make sense for this register.

    2 - Also, same issue with permissions again. Only one person can work on this doc at a time.

    At this moment Conformio does not allow collaborative editing of documents, so to maintain document integrity, only one user can be the document owner. During the document review, the customer can use the discussion tab to involve other users during the editing step. As a workaround to this, you can create a shared account and document who is allowed to use it and for which purpose.

  • Document handling in Conformio

    Thank you for your question and feedback. We are currently working on updating this section of the document in order for this to be possible. Our support team will follow up via email once this document is updated so that you can finalize it.

  • Document references

    Controls A.12.4.1 Event logging, and A.12.4.3 Administrator and operator logs are covered by template Security Procedures for IT Department (section 3.7 System monitoring), located in folder 08 Annex A Security Controls >> A.12 Operations Security.

    Control A.12.4.2 Protection of log information is a technical control, which means its implementation is performed directly in the systems, not in the documentation.

    For further information, see:

    Regarding controls from section A.12.6 Technical vulnerability management, control A.12.6.2 Restrictions on software installation is covered by template IT Security Policy, located in folder 08 Annex A Security Controls >> A.8 Asset Management.

    Control A.12.6.1 Management of technical vulnerabilities is more of a technical control, which means its implementation is performed directly in the systems, not in the documentation.

    For further information, see:

    Regarding control from section A.12.7 Information systems audit considerations, and control A.18.2.3 Technical compliance review, they are implemented by means of the Internal Audit Procedure, located in folder 10 Internal Audit, during the audit planning phase.

    For further information, see:
