  • Career on information security

    Considering your background in IT and as a Business Analyst, and specifically the ISO 27001 careers available, you can pursue a career as:
    - ISO 27001 Lead Implementer – a professional who has competency in the ISO 27001 implementation process.
    - ISO 27001 Lead Auditor – a professional who has competency in auditing an ISMS against ISO 27001 requirements. This professional can also pursue a career as a certification auditor.

    These articles will provide you a further explanation about ISO 27001 personnel certifications:
    - What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
    - Lead Auditor Course vs. Lead Implementer Course – Which one to go for? https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/

    This material will also help you regarding ISO 27001 personnel certifications:
    - ISO 27001 Lead Auditor Course preparation training [free webinar on demand] https://advisera.com/training/iso-27001-lead-auditor-course/

    For courses related to these certifications, please see:
    - ISO 27001:2013 Lead auditor course https://advisera.com/training/iso-27001-lead-auditor-course/
    - ISO 27001:2013 Lead implementer course https://advisera.com/training/iso-27001-lead-implementer-course/

  • Questions regarding 27001 implementation

    1. In the data center we run there is a service called Remote hands, in which customers have their equipment there under a colocation regime, meaning we have no logical access to data; we may do some wiring, etc. I know that other similar companies leave this service out of the scope. I understand this is the correct approach, but can you give me a good justification for this?

    The justification in this case is that you do not control the information on such equipment, therefore you are excluding it from your ISMS scope.

    For further information, see:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/

    2. In our Spanish office (not the datacentre) we have a person who is a relative of our boss, whose activity has nothing to do with the company but who acts as a contact person for some administration duties. He shares a connection to the internet with us, but we set up a separate VLAN so he can't access our networks. Of course, he has physical access to all resources in this office. Should we leave him out of the scope or otherwise include him?

    If this person has access to information included in the ISMS scope, for small and medium-sized companies it is better to include him/her in the ISMS scope, because the effort to segregate this person from the ISMS scope may not be worthwhile.

    For further information, see:
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    3. We have an extensive asset inventory that we use to calculate amortization, but the woman in administration refuses to give me a copy so I can include it in the documentation. Management is not supporting me with this because this woman is not easy to deal with and no one wants to fight her. Any solution? Is it mandatory to have the inventory as a separate document in the IS system, or can we refer to it as it is now?

    First, it is important to note that an asset inventory is required for ISO 27001 only if:

    - there are unacceptable risks whose treatment demands such an inventory
    - there are contracts, laws or regulations you have to follow which demand such an inventory
    - there is a top management decision demanding such an inventory

    If none of the above-mentioned situations occurs, then there is no need to keep such inventory.

    In case the inventory is required, referring to an existing inventory is acceptable for compliance with this control. However, if it is not feasible to use an existing inventory from some other department, you can always develop a new inventory of assets.

    For further information, see:
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

    4. Security records. What happens if we don't have any (in such a format) prior to the certification audit?

    Some security records are mandatory for ISO 27001 (e.g., results of risk assessment and treatment), and without them, your organization won't be able to be certified.

    For further information, see:
    - Becoming ISO 27001 certified – How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/
    - Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/

    5. Legal requirements doc: should all customers be listed? How often should it be updated then? Can we refer this item to our CRM software?

    You need to list all customers who have security requirements. If some customers have the same security requirements, then you can group them together as a single entry into the list. 

    Regarding updates, this list of legal requirements should be updated at least once a year or sooner if there are any significant changes in the organizational context.

    If you already have the information required by the standard in your CRM software you can only refer to it and still be compliant with the standard.

  • Treatment and management of risks

    Hello, I have the following questions in reference to the treatment and management of risks: can you help me with the answer? Thanks in advance!!

    1. For the same asset, can I already have an existing control or security measures applied and, at the same time, decide to apply a new control?

    Asset: server
    Risk level: very high
    Existing security measures: Currently there is a redundant device and, in case of failure, it would be operational; the safety of the data center where the equipment is located needs to be improved.
    To apply: This is where we should apply the DOMAIN or the control / controls?

    You can apply as many controls to an asset as you understand is needed, and worthwhile, to decrease related risks to an acceptable level. However, considering your stated scenario, it is not clear if you intend to apply new controls to the server, or to the datacenter (which would be another asset).

    For further information, please read:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    2. Exactly taking the same example as in the previous question, the domain applied could be A9, but only apply control A.92. That is, to what extent should I specify if I apply the domain or control or controls necessary for each asset?

    The controls to be applied will depend on the results of risk assessment (the unacceptable risks related to the asset will give you an orientation on which controls to apply), and legal requirements (e.g., laws, regulations and contracts) (a specific clause on one of them may require a specific control to be applied).

    3. The security measures that the company already has applied in the critical assets, must be specified exactly in reference to control or can they be detailed in the document, without relating it to a specific domain or control?

    Controls already implemented before the standard implementation must be specified in the results of Risk Assessment, because they help explain the risk value for assets they are related to and in the Statement of Applicability, because they are applied in your ISMS scope.

    For further information, please read:
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

    4. We have selected only assets with high and very high risk. These assets may have:

    - Security measures applied and need to be increased with new controls
    - Security measures applied and NOT needing new controls (is this correct?)
    - No measure to reduce the risk, and requiring controls

    Is that right?

    All scenarios are valid for ISO 27001:
    - You can have security measures applied and need to add new controls to lower risks to acceptable levels.
    - You can have security measures applied and no need to add new controls, either because the risks are at acceptable levels, or because it is not worthwhile to add new controls (the cost would be greater than if the risk occurred).
    - You can have assets with no unacceptable risks related to them, but you still have to implement controls because some legal requirement (e.g., laws, regulations, or contracts) demands the implementation of such controls.

    For further information, please read:
    - 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/

    5. The assets with resulting risk of low and medium are accepted by the organization. What to do with them? Taking into account that we will only treat the high and very high risks and apply controls to these assets, do the rest of the assets disappear from the treatment and management? Is this a risk that is assumed but no measures are applied to reduce it, or is it necessary to apply and detail the measures for all assets, whatever the resulting level of risk?

    Please note that in the Risk Assessment and Treatment Methodology approach used in the toolkit you bought, the risks considered accepted as a result of the risk assessment phase won't be transferred to the risk treatment, but they will continue to be managed (i.e., during risk review they would be reassessed in the risk assessment phase).

    Risks considered accepted won't need any further treatment. You have to apply and detail controls only to risks considered unacceptable.

    6. Of the 4 defined ways to deal with risk, would you only apply controls in the "apply controls" option, with no controls applied in the other 3 eligible options? Is that correct?

    Example, asset: fire in the CPD / high risk

    There are safety measures for fire detection but not for fire extinguishing. In case of fire, the information is in the cloud and would not be affected….

    Could we choose to transfer the risk to the insurance company because, in case of fire, they assume the cost of the operation? Is that right?

    Implementation of controls is required when you decide to mitigate or transfer risks. In case of risk transfer (which is a valid option in your scenario) you implement the control either by buying insurance, or by defining security clauses for a third party that will handle the risk on your behalf (e.g., your cloud provider). But please note that on risk transfer your organization is still accountable for the impacts in case risks occur.

    For further information, please read:
    - 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
    - Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/

  • GDPR Compliance

    1. We have an internal collaboration application in our Organization (in which each employee has his/her own Profile, Posts, etc.) that is connected to Active Directory and accesses some employees' personal data. This application is accessing all our internal systems such as Travel System, Suppliers System, Compensation & Benefits, HR systems, etc.
    Based on this case, do you believe that we need to ask our employees to sign a consent for processing their personal data, taking into consideration that the employment contract includes a section on Confidentiality of Information that doesn't include any sentence related to personal data processing, only copyrights and confidentiality of project/company-related information disclosure?

    I would not recommend using consent when processing personal data of employees as most likely the consent will not be considered freely given due to the imbalance between the position of the employee and the employer. I suggest using legitimate interest as a lawful ground for processing if appropriate.

    2. Our Internal Systems (HR, ...) are using cookies. Do we need to create/add a pop-up message with a link to our Cookies Policy in the pop-up box message?

    For the cookies that are not strictly necessary for the functioning of the website, I strongly recommend obtaining consent, especially for tracking and advertising cookies.

    3. As mentioned above, we have a Confidentiality of Information section stated in the employment contract. Is this section sufficient, or do we need to ask our Employees to sign an NDA (non-disclosure agreement) that includes a special section for GDPR Compliance requirements specifically?

    Including confidentiality clauses that include a reference to personal data is the same as signing NDAs.

  • ISO 9001 sub elements

    Normally, with ISO 9001:2015 one uses the terms clauses and sub clauses. So, my interpretation is that sub elements are the same as sub clauses.

    For example, clause (or element) “9.3 Management review” has a sub clause (or sub element) “9.3.2 Management review inputs”.

    The following material will provide you more information about elements in ISO 9001:2015:

    - Article - ISO 9001 Requirements and Structure - https://advisera.com/9001academy/knowledgebase/iso-9001-requirements-and-structure/
    - Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Understanding the organizational knowledge clause

    Your management system is a set of interrelated processes. Each process requires people to operate it (ISO 9001:2015 clause 7.1.2). These people must be competent (ISO 9001:2015 clause 7.2).

    ISO 9001:2015 clause 7.1.6 – Organizational Knowledge is about setting your internal requirements for being competent to operate in a particular process. For each process, ask yourself what kind of knowledge each participant needs to perform each activity proficiently and to make good decisions. Keep and share this knowledge when needed.

    ISO 9001:2015 clause 7.1.6 – Organizational Knowledge has a second part about new knowledge to address changing needs and developments in know-how or market conditions. It is like defining a knowledge radar to watch and monitor in order to discover what is new.

    The following material will provide you more information about organizational knowledge:

    - Article - How to manage knowledge of the organization according to ISO 9001 - https://advisera.com/9001academy/blog/2016/08/30/how-to-manage-knowledge-of-the-organization-according-to-the-iso9001/

    - Article - How to ensure competence and awareness in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-ensure-competence-and-awareness-in-iso-90012015/

    - [free course] ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/

    - book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • EU GDPR and data processor

    1. Is it better if a company contracts with me as a person, with me as a contractor, or with my company when passing me data? I want to offer interview coaching to job applicants for free, and only ask that they donate to charity in return.

    It would not make a difference in terms of data protection legislation such as the GDPR, either way, you as a sole trader or a company would be acting as a data processor. However, companies would rather contract other companies because companies usually have better guarantees than individuals.

    2. The recruitment firm I'm talking to is hesitant because of GDPR. How can I best allay their concerns?

    I would explain to them that the requirements of art. 28 of the GDPR apply the same, and a Data Processing Agreement between you and the company will regulate the processing of candidate data.

    If you want to find out more about the EU GDPR check out this EU GDPR Foundations Course (https://advisera.com/training/eu-gdpr-foundations-course//).

  • Risk-based audit program

    influence the possibility of meeting the audit program objectives 

    Answer:

    Not having enough resources to execute the audit program (time and or competent and independent internal auditors). 


    interfere with auditees’ activities

    Answer:

    For example, wanting to audit an employee when he or she is performing a critical task that requires full attention. Or wanting to audit an employee with questions while he or she is interacting directly with a customer.


    interfere with auditees’ processes

    Answer:

    This is similar to the last one. A process is a set of activities performed by one or more actors.

  • ISO 9001-Purchasing procedure

    Most likely, in the current situation, the procedure is not being followed as there are new “actors” and authorities and responsibilities are no longer centralized.

    If the present situation is acceptable and delivering good results, your organization can simply update the Purchasing procedure to reflect the present situation. Do not forget to check if job descriptions and competence requirements also need an update because of the new situation.

    I as an auditor always like to see updates in documents, a sign that the system is alive.

    The following material will provide you more information about document control:

    - New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
    - QMS Change Management in 7 steps - https://advisera.com/9001academy/blog/2016/11/29/qms-change-management-in-7-steps/
    - Enroll for free course - ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/
    - book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • In which of our offices to start with the implementation of EU GDPR

    You can start in whichever office you want, this is not something that is regulated by the GDPR. However, at the end of the day, all group companies need to be compliant.

    I suggest that you start with the company which has the most complex processing activities.

    If you want to find out more about the EU GDPR check out this EU GDPR Foundations Course (https://advisera.com/training/eu-gdpr-foundations-course//)
