
  • Controls for BYOD

    First, it is important to note that no controls or technologies are mandatory by ISO 27001. You can apply those you consider will resolve particular risks.

    Considering that, both RDP (Remote Desktop Protocol) and MDM (Mobile Device Management) are good and commonly applied solutions to help protect the organization's information on employees' personal devices.

    Now, considering you are referring to personal devices, the main topics to support this decision are the legal requirements regarding privacy and labor relations your organization has to follow. Our suggestion is for you to seek expert legal advice on these matters to understand the risks related to the application of these controls and see whether, by implementing them, you will not be incurring risks higher than the ones you are trying to mitigate regarding your own information.

    This article will provide you further explanation about BYOD:
    - How to write an easy-to-use BYOD policy compliant with ISO 27001 https://advisera.com/27001academy/blog/2015/09/07/how-to-write-an-easy-to-use-byod-policy-compliant-with-iso-27001/

  • Consent for taking pictures and videos

    I would strongly recommend that you delete all the pictures or videos from the event or, alternatively, get back to the participants and ask for their consent.

    If you want to find out more about consent, check out this free webinar "How to handle consents under GDPR" (https://advisera.com/eugdpracademy/webinar/how-to-handle-consents-under-gdpr-free-webinar-on-demand/).

  • Remote internal audits – an increasing possibility

    Thanks

  • Standards new versions

    Please note that the most recent versions of these standards are:

    • ISO 27001:2013 - this standard was last reviewed and confirmed in 2019, so it remains current and there is no need for changes in webinars and documentation.
    • ISO 27002:2013 - this version is now under review, so until the release of a new version there is no need for changes in webinars and documentation.
    • ISO 22301:2012 - a new version of this standard will be released this month (October 2019), and like all transitions of ISO management standards, there will be a period during which documents related to the previous standard will be accepted (normally this period is 2 years).

    This 2017 version refers to the British version of ISO 27001 (the BS EN ISO/IEC 27001:2017), which does not include any change that impacts the requirements defined by ISO 27001:2013. Considering that, the Conformio set of documents is also compliant with this British version of ISO 27001.

    This article will provide you further information about this 2017 version:
    - European 2017 Revision of ISO/IEC 27001: What has changed? https://advisera.com/27001academy/blog/2017/10/25/european-2017-revision-of-isoiec-27001-what-has-changed/

  • Privacy questions

    1. Are there any available GDPR certifications?

    So far there are no certifications available in the sense of art. 40 of the GDPR. However, you need to keep an eye on the Supervisory Authorities' websites and see if there is any news, since it is the Supervisory Authorities that need to endorse such certifications.

    2. How do I start with mapping my processing activities?

    My suggestion is to have a process-based approach. For example, you can split HR activities into several processes such as recruitment, on-boarding, etc. and record these into your Records of processing.

    You can find readily available Inventories of processing activities in this "EU GDPR Data Mapping & DPIA Toolkit" (https://advisera.com/eugdpracademy/eu-gdpr-data-mapping-dpia-toolkit/).

    3. Is there any video surveillance policy available in the toolkits?

    No, unfortunately not. However, you do not necessarily need one if you provide adequate privacy notice and explain the extent of the video monitoring and the purposes.

    4. I am negotiating a Data Processing Contract with an insurance company. Are these companies controllers or processors?

    Usually, insurance companies act as independent data controllers, so you would need Controller to Controller Clauses in place.

    5. How can I best present a privacy notice? Do clients need to sign the notice?

    Some of the best ways to present a privacy notice are:

    • Layering - Provide the individual with a short summary of the important or unusual uses of their personal data and provide a link to a full privacy policy for those who want the detail.
    • Just in time - Consider using additional notices for particular interactions with the individual, for example, if signing up for a new service means their personal data will be processed for additional purposes.

  • ISO 27001 security aspects for logical security

    What important aspects of ISO 27001 can I include for logical security in a company in which I work?

    First, it is important to note that, to follow the logic of ISO 27001 when applying security controls, you first have to perform a risk assessment to identify which information security risks are most relevant to your company's context. Without this assessment, you may apply unnecessary controls while not implementing relevant ones.

    Considering that, the controls related to the most common risks raised in a risk assessment regarding logical security are:
    - Access control
    - Backup
    - Network segregation
    - Clear desk and clear screen
    - Controls against malware

    These articles will provide you further explanation about selecting controls and structuring documents:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    - How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/

  • Risk assessment and risk treatment

    If I understood your template correctly, "Risk plan implemented" refers to the status of any action defined to implement controls to treat the risk:

    • Yes - the risk plan is already implemented
    • No - the risk plan is not implemented yet
    • N.A. - no applicable action needs to be implemented

    For low-level risks, the general option is N.A., since low-level risks are accepted.

    For high-level risks, the Yes/No option will depend on when the implementation is checked and on the plan's due date. The N.A. option is used when the high-level risk is accepted (e.g., when it is identified that the cost to implement the control is higher than the impact if the risk occurs).

    These articles will provide you further explanation about risk assessment and treatment:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/

  • ISO 27001 implementation and budget

    Regarding ISO 27001 implementation, after getting support for your project (through approval of the ISMS project plan) and approval of the Procedure for Document and Record Control, you should consider these steps:

    • defining ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding the organizational context and requirements of interested parties
    • development of risk assessment and treatment methodology
    • perform risk assessment and define the risk treatment plan
    • controls implementation (e.g., policies and procedures documentation, acquisitions, etc.)
    • people training and awareness
    • controls operation
    • performance monitoring and measurement
    • perform internal audit
    • perform management critical review
    • address nonconformities, corrective actions, and opportunities for improvement.

    This article will provide you further explanation about ISMS implementation:
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

    These materials will also help you regarding ISO 27001 implementation:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - ISO 27001:2013 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

    About implementation costs, there are a significant number of variables to be considered when estimating an implementation cost, so without more detailed information it's not possible to give a precise value. What I can tell you are some cost issues you should consider:

    • Training and literature
    • External assistance
    • Technologies to be updated/implemented
    • Employee's effort and time
    • The certification process

    Regarding ISMS maintenance costs, the above-mentioned costs also have to be considered, but at different levels, and you have to add the surveillance audit costs for certification maintenance.

    These articles can provide you more information:
    - How much does ISO 27001 implementation cost? https://advisera.com/27001academy/blog/2011/02/08/how-much-does-iso-27001-implementation-cost/
    - 5 ways to avoid overhead with ISO 27001 (and keep the costs down) https://advisera.com/27001academy/blog/2012/06/19/5-ways-to-avoid-overhead-with-iso-27001-and-keep-the-costs-down/
    - How to Budget an ISO 27001 Implementation Project https://info.advisera.com/27001academy/free-download/how-to-budget-an-iso-27001-implementation-project/

  • Filling template

    Examples of how you can fill in this part of the text are:

    • "connecting to communication networks and data exchange must reflect the sensitivity of data and is performed by using encrypted channels for transfer of all information classified as "confidential", as defined in procedure XYZ for using encrypted channels. Information classified as "restricted" or "public" can use regular communication channels"
    • "connecting to communication networks and data exchange must reflect the sensitivity of data and is performed according to the Information Classification Policy"

  • Information security risk management and internal audit

    1. I purchased your Risk Assessment Table and Risk Treatment Table. I have completed this phase of the planning for our ISO certification. Now, once I have filled out the Excel spreadsheets, does that count as my "Risk Report" for purposes of satisfying the mandatory document for the certification audit?
    My next step is the SOA, correct?

    First, it is important to note that a "Risk Report" is not a mandatory document for ISO 27001. The standard requires retention of some documents as evidence that risk assessment and treatment were performed, and for that purpose the Risk Assessment Table, the Risk Treatment Table, the Statement of Applicability (yes, this is the next step of the risk assessment and treatment process), and the Risk Treatment Plan are enough.

    This article will provide you further explanation about risk assessment and treatment:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    2. What course do you recommend so I can be prepared to do an internal audit and improvement for the ISMS for my company?

    As a course for internal audit, I suggest you take a look at our ISO 27001:2013 Internal Auditor Course at this link: https://advisera.com/training/iso-27001-internal-auditor-course/

    In this online course, you’ll learn all the requirements and best practices of ISO 27001, but also how to perform an internal audit in your company. The course is made for beginners. No prior knowledge in information security and ISO standards is needed.
