If we are storing special categories of data for our own employees only, and personal data of customers, should we maintain a ROPA?
Yes, you should. ROPA is one of the most important accountability instruments that the GDPR offers in case of inspection from the Surveillance Authority.
And is the processing of personal data of employees, such as payroll processing, considered "occasional"?
No, it is periodical, so it is not occasional.
The European group of experts who developed the GDPR and gave interpretation on the previous directives, the so-called WP29, stated that a processing activity can only be considered as “occasional” if it is not carried out regularly, and occurs outside the regular course of business or activity of the controller or processor.
Therefore, payroll is not occasional processing.
1 - In the ***, there is only one person actively working, but he is (of course) also a shareholder. Would it be okay if he does the internal audit? In ***, we want to have the CTO as internal auditor. He doesn't have shares, but he is part of Management. Would this be okay?
ISO 27001 does not prescribe who must perform the internal audit; it only requires that this person have the proper competencies for auditing, and that any situation that can lead to a conflict of interest be avoided (e.g., a person should not audit his/her own work).
Considering that:
This article will provide you a further explanation about internal audit:
This material will also help you regarding internal audit:
2 - What would be the cost of an online training for these internal auditors?
Advisera’s ISO 27001 Internal Auditor course is free to enroll (you only have to pay in case you want the course’s certificate). For more information about this course, please see:
Please note that ISO 27001:2013 defines the top-level policy as the "Information Security Policy"; however, the old 2005 revision of ISO 27001 called this document the "ISMS Policy".
So, the ISMS Policy and the Information Security Policy are the same document.
For more information, see:
When you think about audits you can think about product audits, process or horizontal audits, departmental or vertical audits.
When you think about audits you can think about first party (internal) audit, second party (auditing a supplier) or third party (certification audit).
You can make different combinations. Use this matrix:
You can find more information below:
1 - Is it a fundamental prerequisite for certification in the standard?
Process mapping is not a prerequisite for ISO 27001 certification, although it is useful to facilitate understanding of the context and the identification of risks.
2 - How deep should the mapping and documentation for the scope be?
Since this is not a mandatory requirement, just a good practice for understanding the context and establishing the scope, the process mapping does not need to be done, or documented in the scope document.
If the organization decides to carry out the mapping, its level of detail will depend on what the organization considers sufficient to decide that the scope is properly defined.
3 - Overall, I still have a lot of questions about the topic "Organization context" and everything it should cover ...
First, it is important to note that the context of the organization does not need to be documented.
Considering that, the context of the organization is any internal or external factor that can affect the ISMS, and concrete examples of elements of organizational context are:
Based on these you can identify elements that can help you understand how information security must be considered.
This article will provide you a further explanation about the Context of the organization for 27001:
These materials will also help you regarding the Context of the organization for 27001:
First, it is important to note that using ISO 27001 is not mandatory for fulfilling GDPR requirements. To perform a risk assessment, you can use any approach your organization sees fit for its purpose.
Additionally, ISO 27001 does not prescribe any method to perform risk assessment, only defines requirements to be fulfilled by the adopted risk assessment process.
Considering that, the purpose of the GDPR is the protection of personal information from being accessed, modified, or destroyed in an uncontrolled manner, so examples of risks identified in a risk assessment, considering the elements you mentioned, are:
- an unattended computer storing biometric data can be stolen or invaded
- an untrained employee can inadvertently delete biometric data
- a biometric reader can fail during a data-gathering session
This material will also help you regarding risk management:
- ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
First of all, sorry for this inconvenience. Every time you find such discrepancies between the tutorials and documentation, please consider the information in the templates as the correct one, because they are the most updated version.
Please note that organizations that issue certifications are certification bodies. An accreditation body is another type of organization, the organization which authorizes organizations to act as certification bodies.
Considering that, to certify an organization your company has to be accredited by an accreditation body (e.g., UKAS for the UK, or ANAB for the USA), and for this purpose, your organization has to be certified by an accreditation body against ISO/IEC 17065. You can have an overview of this standard here: https://www.iso.org/obp/ui/#iso:std:iso-iec:17065:ed-1:v1:en
This article will provide you a further explanation about accreditation and certification: