1. I have one hundred laptops, and thirty servers, do I list them all individually in the Risk Assessment Table?
You do not need to list individual laptops and servers in the Risk Assessment Table.
You can adopt a generic term like "laptop" or "server" if they share similar risks. In case there are laptops with specific risks, you can use specific assets like "laptop", "development laptop", and "finance laptop". The same concept applies to servers.
For further information:
2. The aforementioned devices are in outsourced data centers, but they still must be listed as risks, correct?
The devices only need to be listed as risks in your Risk Assessment Table if you have control over them (i.e., the outsourced data center only provides the physical facilities, and you need to handle the risks related to the devices).
In case they are controlled by the provider, then you should list the outsourced data center as an asset in your Risk Assessment Table (in this case you need to look for risks related to the supplier not protecting the devices).
For further information, see:
3. I am assuming that much of the risk will be transferred to the outsourcer?
This decision will depend on which party has control over the assets. For example, if you have control over the servers (e.g., you need to configure them), then it does not make sense to transfer the risks to the outsourcer. In case you only use the services provided by the servers, which are controlled by the outsourcer, then the risks related to them can be transferred to the outsourcer.
This article will provide you with a further explanation:
First of all, we're sorry about this misunderstanding.
In the context of ISO 27001, "analysis" means the assessment of consequences and likelihood to define how big a risk is, and there is no need to perform any additional analysis. The Methodology document in your toolkit explains the criteria for assessing consequences and likelihood, and the Excel sheet enables you to do it quickly by selecting the values and the risks are calculated automatically.
For further information, see:
- ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
Roughly speaking, the ISO 27001 implementation steps can be summarized as:
This article will provide you with a further explanation about ISMS implementation:
ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
To see what documents compliant with ISO 27001 look like, please take a look at the free demo of our ISO 27001 Documentation Toolkit: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
These materials will also help you regarding the ISO 27001 implementation:
Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Regarding the selection of a consultant, the process needs to consider their experience & skills, reputation, and customized service.
For more information, please read this article:
- 5 criteria for choosing an ISO 22301 / ISO 27001 consultant https://advisera.com/27001academy/blog/2013/03/25/5-criteria-for-choosing-a-iso-22301-iso-27001-consultant/
The duration from starting implementation to achieving accreditation depends on the size of the scope of work to be accredited and on the resources available for the project. Typically it can take from 12 to 24 months. The process involves adopting and implementing all the mandatory activities and documenting the mandatory procedures to meet the requirements of ISO 17025. It then involves actively recording evidence using forms and having records available before applying for accreditation.
For more information on ISO 17025, see What is ISO 17025? at https://advisera.com/17025academy/what-is-iso-17025/ and the free webinar What are the steps in the ISO 17025 accreditation process? at https://advisera.com/17025academy/webinar/what-are-the-steps-in-the-iso-17025-accreditation-process-free-webinar/
It is better to avoid any conflict of interest, but if you work in a small company and you are the only person who has the knowledge to act as Data Protection Officer (DPO), your company may take some organizational measures to avoid any conflict of interest (e.g., implementing an authorization process for some decisions that may conflict with your role as DPO).
Here you can find some information about the DPO role:
No, the legal basis for processing in public databases is to be found in the law and in the public interest. The right to erasure, under Article 17 GDPR, allows the data subject to obtain the erasure of their data in certain circumstances and provided that the exceptions do not apply. Among the exceptions, Art. 17 paragraph 3 letter (b) GDPR includes the public interest, which is why erasure cannot be obtained.
If you want to know more about data subject rights, here you can find an article:
If instead you want to learn more about how to implement the GDPR, you can enroll in the EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/
In your second paragraph, I’m assuming you are referring to control A.8.3.2, instead of A.8.2.3.
Considering that, please note that these controls have different coverages:
You can think of control A.11.2.7 as a specific application of control A.8.3.2, although these controls can be applied independently of each other.
For further information, see:
First, design and development are not something only applicable to products. It is also applicable to services.
You wrote "sale of electronic products and provides technical assistance services". I think that the answer to your question, "I would like to know if the procedure for design and development can be applied in my company?", depends on how your organization writes the scope of the management system. If the scope is closed, i.e., it lists all the technical assistance services provided under the management system, then all services are already designed and developed, and any new services provided will not be included under the scope. In that case, design and development are not applicable. However, if your scope is open, i.e., it is more generic so that it applies to new services to be designed and developed in the future, then design and development are applicable.
For more information about exclusion (the right ISO wording is "applicability"), consider the following:
To meet ISO 17025 requirements, the testing laboratory must label, code, or otherwise identify the equipment in a way that allows its user to identify the calibration status or period of validity. As long as this is very clear to the user, there is no mandatory need to have a sticker placed by the third-party calibration laboratory. The relevant documentation (calibration certificate) must also be available to the user.
For more information see What does ISO 17025:2017 require for laboratory measurement equipment and related procedures? at https://advisera.com/17025academy/blog/2019/07/25/iso-17025-measurement-requirements-of-the-standard/
There are differences in requirements for ISO 17025 accreditation and GMP certification. It is outside of the scope of the ISO 17025 Academy to comment on regulatory requirements, for example that of Health Canada. I suggest you contact the regulatory body.
For more information on ISO 17025, have a look at What is ISO 17025? at https://advisera.com/17025academy/what-is-iso-17025/