First, it is important to note that no controls or technologies are mandated by ISO 27001. You can apply those you consider will resolve particular risks.
Considering that, both RDP (Remote Desktop Protocol) and MDM (Mobile Device Management) are good and commonly applied solutions to help protect the organization's information on employees' personal devices.
Now, considering you are referring to personal devices, the main topics to support this decision are legal requirements regarding privacy and labor relations your organization has to follow. Our suggestion is for you to seek expert legal advice on these matters to understand the risks related to the application of these controls and see if, by implementing them, you will not be incurring risks higher than the ones you are trying to mitigate regarding your own information.
This article will provide you with further explanation about BYOD:
- How to write an easy-to-use BYOD policy compliant with ISO 27001 https://advisera.com/27001academy/blog/2015/09/07/how-to-write-an-easy-to-use-byod-policy-compliant-with-iso-27001/
I would strongly recommend that you delete all the pictures or videos from the event or alternatively get back to the participants and ask for their consent.
If you want to find out more about consent, check out this free webinar "How to handle consents under GDPR" (https://advisera.com/eugdpracademy/webinar/how-to-handle-consents-under-gdpr-free-webinar-on-demand/).
Thanks
Please note that the most recent versions of these standards are:
This 2017 version refers to the British version of ISO 27001 (the BS EN ISO/IEC 27001:2017), which does not include any change that impacts requirements defined by ISO 27001:2013. Considering that, the Conformio set of documents is also compliant with this British version of ISO 27001.
This article will provide you with further information about this 2017 version:
- European 2017 Revision of ISO/IEC 27001: What has changed? https://advisera.com/27001academy/blog/2017/10/25/european-2017-revision-of-isoiec-27001-what-has-changed/
1. Are there any available GDPR certifications?
So far there are no certifications available in the sense of art. 40 of the GDPR. However, you need to keep an eye on the Supervisory Authorities' websites and see if there is any news, since it is the Supervisory Authorities that need to endorse such certifications.
2. How do I start with mapping my processing activities?
My suggestion is to have a process-based approach. For example, you can split HR activities into several processes such as recruitment, on-boarding, etc. and record these into your Records of processing.
You can find readily available Inventories of processing activities in this "EU GDPR Data Mapping & DPIA Toolkit" (https://advisera.com/eugdpracademy/eu-gdpr-data-mapping-dpia-toolkit/).
3. Is there any video surveillance policy available in the toolkits?
No, unfortunately not. However, you do not necessarily need one if you provide adequate privacy notice and explain the extent of the video monitoring and the purposes.
4. I am negotiating a Data Processing Contract with an insurance company. Are these companies controllers or processors?
Usually, insurance companies act as independent data controllers, so you would need Controller-to-Controller Clauses in place.
5. How can I best present a privacy notice? Do clients need to sign the notice?
Some of the best ways to present a privacy notice are:
What important aspects of ISO 27001 can I include for logical security in a company in which I work?
First, it is important to note that, to follow the logic of ISO 27001 to apply security controls, you first have to perform a risk assessment to identify which information security risks are more relevant to your company's context. Without this assessment, you may apply unnecessary controls while not implementing relevant controls.
Considering that, controls related to the most common risks raised in a risk assessment regarding logical security are:
- Access control
- Backup
- Network segregation
- Clear desk and clear screen
- Controls against malware
These articles will provide you with further explanation about selecting controls and structuring documents:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
If I understood your template correctly, "Risk plan implemented" refers to the status of any action defined to implement controls to treat the risk:
For low-level risks, the general option is N.A., since low-level risks are accepted.
For high-level risks, the option Yes/No will depend on when the implementation is checked and on the plan due date. The N.A. option is used when the high-level risk is accepted (e.g., when it is identified that the cost to implement the control is higher than the impact if the risk occurs).
These articles will provide you with further explanation about risk assessment and treatment:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/
Regarding ISO 27001 implementation, after getting support for your project (through approval of the ISMS project plan) and approval of the Procedure for Document and Record Control, you should consider these steps:
This article will provide you with further explanation about ISMS implementation:
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
These materials will also help you regarding ISO 27001 implementation:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- ISO 27001:2013 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
About implementation costs, there are a significant number of variables to be considered when estimating an implementation cost, so without more detailed information it's not possible to give a precise value. What I can tell you are some cost issues you should consider:
Regarding ISMS maintenance costs, the above-mentioned costs also have to be considered, but at different levels, and you have to add the surveillance audit costs for certification maintenance.
These articles can provide you with more information:
- How much does ISO 27001 implementation cost? https://advisera.com/27001academy/blog/2011/02/08/how-much-does-iso-27001-implementation-cost/
- 5 ways to avoid overhead with ISO 27001 (and keep the costs down) https://advisera.com/27001academy/blog/2012/06/19/5-ways-to-avoid-overhead-with-iso-27001-and-keep-the-costs-down/
- How to Budget an ISO 27001 Implementation Project https://info.advisera.com/27001academy/free-download/how-to-budget-an-iso-27001-implementation-project/
An example of how you can fill in this part of the text is:
1. I purchased your Risk Assessment Table and Risk Treatment Table. I have completed this phase of the planning for our ISO certification. Now, once I have filled out the Excel spreadsheets, does that count as my "Risk Report" for purposes of satisfying the mandatory document for the certification audit?
My next step is the SOA, correct?
First, it is important to note that a "Risk Report" is not a mandatory document for ISO 27001. The standard requires retention of some documents as evidence that risk assessment and treatment were performed, and for that purpose the Risk Assessment Table, the Risk Treatment Table, the Statement of Applicability (yes, this is the next step of the risk assessment and treatment process), and the Risk Treatment Plan are enough.
This article will provide you with further explanation about risk assessment and treatment:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
2. What course do you recommend so I can be prepared to do an internal audit and improvement for the ISMS for my company?
As a course for internal audit, I suggest you take a look at our ISO 27001:2013 Internal Auditor Course at this link: https://advisera.com/training/iso-27001-internal-auditor-course/
In this online course, you’ll learn all the requirements and best practices of ISO 27001, but also how to perform an internal audit in your company. The course is made for beginners. No prior knowledge in information security and ISO standards is needed.