
  • ISO 22301 book

    thanks a lot - if possible please inform me as soon as you publish it

  • ISMS documentation

    Please note that ISO 27001 does not require Business Impact Analysis to be performed or documented, and it does not require the register of risks and opportunities related to clause 6.1.1. Only risks related to information security need to be recorded (see clauses 6.1.2 and 6.1.3). To try to convince your management to document this information you need to show them that there is some added value for your organization (e.g., it can be used to support other processes, not related to your ISMS scope).

    To help you with ISO 27001 implementation, I suggest you take a look at our ISO 27001 documentation toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

    This toolkit contains templates covering the mandatory requirements of the standard, and the most commonly used documents. Additionally, each template is almost 90% complete (you only have to include the details of your organization). As part of the toolkit, you have access to expert advice in the form of our Expert community and online meetings.

    These articles will provide you further explanation about ISO 27001 implementation:
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
    - Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/

    These materials will also help you regarding ISO 27001 implementation:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - Conformio (online tool for ISO 27001) https://advisera.com/conformio/

  • DPIA Policy

    The policy is not mandatory; however, it is mandatory to perform DPIAs when the processing activities can pose a high risk to the rights and freedoms of the data subjects.

  • Banks and data processing agreement

    Usually, banks are acting as independent data controllers in these cases. The GDPR does not expressly require any documents to be signed between independent data controllers; however, this is a best practice.

    You can find readily available templates for a Controller to Controller agreement in our EU GDPR Premium Documentation Toolkit (https://advisera.com/eugdpracademy/eu-gdpr-premium-documentation-toolkit/).

  • GDPR applicability

    @Guest user

    1. As a software company do we need to comply with the provisions of Art. 30 of the GDPR?

    Art. 30 Records or Inventory of Processing Activities are only mandatory if (a) the company has more than 250 employees, or (b) the processing the company carries out is likely to result in a risk to the rights and freedoms of data subjects; or (c) the processing is not occasional; or (d) the processing includes special categories of data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation); or (e) the processing includes personal data relating to criminal convictions and offenses.

    @Guest user

    2. Do we need to perform DPIA for all the processing activities? Are there any criteria to be considered?

    No, you don't. DPIAs are only compulsory for processing activities that are considered to be high risk to the rights and freedoms of the individuals. You can find a DPIA screening questionnaire in our EU GDPR Data Mapping & DPIA Toolkit (https://advisera.com/eugdpracademy/eu-gdpr-data-mapping-dpia-toolkit/).

    @Guest user

    3. How do we manage marketing communications? Are we required to obtain consent?

    You can usually use consent for processing personal data for marketing purposes, or alternatively you can use legitimate interest. The most common lawful ground used is, however, consent. When using consent, keep in mind that consent must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. The controller must keep records so it can demonstrate that consent has been given by the relevant individual.
    If you want to learn more about consent check out this free webinar How GDPR affects marketing practices (https://advisera.com/eugdpracademy/webinar/how-gdpr-affects-marketing-practices-free-webinar-on-demand/).

    @Guest user

    4. Are there any specific requirements for software development?

    The EU GDPR is meant to be cross-industry so there are no industry-specific requirements. What I can mention is that when developing software you need to consider the “privacy by design” and “privacy by default” principles.

    @Guest user

    5. How about websites? Any advice on how to make a website compliant?

    If you are processing personal data through your website then you need at least three documents: Website Terms and Conditions, Privacy Notice and Cookie Policy (if you are using cookies). You can find readily available templates in this EU GDPR Mini Toolkit for Websites (https://advisera.com/eugdpracademy/eu-gdpr-mini-toolkit-for-websites/).

  • ISO 45001:2018 legal requirements?

    The legal requirements for ISO 45001:2018 will differ from company to company, and location to location; however, they are any Occupational Health & Safety laws that are relevant to your company. You likely already meet these laws in order to be in business, but the ISO 45001 standard asks that you ensure you have identified all applicable laws and then keep up to date when these laws change.

    For more on this topic you can see the article: How to identify and comply with legal requirements in ISO 45001, https://advisera.com/45001academy/blog/2015/06/24/how-to-identify-and-comply-with-legal-requirements-in-iso-45001/

  • Top Management

    ISO 9000:2015, the standard about vocabulary, defines top management as a person or group who commands and controls an organization at the highest level. So, each organization should consider what is, in their own case, the highest level. In a small organization, top management can be the owner. In a big corporation, top management can be a member of the board, nominated to be the top authority about the quality management system.

    The following material will provide you with information about risks and opportunities:
    - Article - How to comply with new leadership requirements in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-comply-with-new-leadership-requirements-in-iso-90012015/

    - Article - To what extent should top management be involved in your QMS? - https://advisera.com/9001academy/blog/2016/11/22/to-what-extent-should-top-management-be-involved-in-your-qms/

    - Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/

    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Template content - List of Legal, Regulatory Contractual requirements

    OK, thank you for your answer Rhand!

  • Templates content

    Controls A.8.3.1 and A.12.5.1 are covered by the following templates:

    • A.8.3.1: Information Classification Policy, located on folder 08_Annex_A_Security_Controls >> A.8_Asset_Management
    • A.12.5.1: IT Security Policy, located on folder 08_Annex_A_Security_Controls >> A.8_Asset_Management

    Regarding control A.12.6.1, there is no template covering this specific clause.

    Please note that Advisera's ISO 27001 Documentation Toolkit does not have a document for each and every control from ISO 27001 because of the following reasons:
    1) ISO 27001 does not require each and every control to be documented
    2) If the toolkit had a document for each control, there would be too many documents, and this would be an overkill for smaller and mid-size companies.

    Since our target is SMEs, we have decided to include an optimum amount of documents for companies of this size - the toolkit includes:
    - All the mandatory documents - e.g. Information Security Policy, Statement of Applicability, Risk Assessment Methodology, Access Control Policy, etc.
    - Documents that are not mandatory, but are commonly used - e.g. BYOD Policy, Classification Policy, Password Policy, Backup Policy, etc.

  • Templates content - RTO and RPO

    The RTO value can be found in cell C40 (4 hours), and this value is defined by the results in sections 3 (Impacto general del incidente disruptivo) and 4 (Impacto financiero del incidente disruptivo).

    For section 3, the first major consequence (level 3) occurs after 4 hours, and the first massive financial impact (over 4k) occurs after 24. The RTO is based on the shortest period (i.e., 4 hours).

    The RPO value can be found in section 10 (Pérdida máxima de datos), and is based on the shortest period for which you have a major consequence regarding data loss for the items you included in the questionnaire (i.e., 24 hours).
