
  • Treatment and management of risks

    Hello, I have the following questions in reference to the treatment and management of risks: can you help me with the answer? Thanks in advance!!

    1. In the same asset can I have already applied an existing control or security measures and at the same time, can I decide to apply a new control?

    Asset: server
    Very high-risk level
    Existing security measures: Currently there is a redundant device and in case of failure, it would be operational; the safety of the data center where the equipment is located needs to be improved.
    To apply: This is where we should apply the DOMAIN or the control / controls?

    You can apply as many controls to an asset as you understand is needed, and worthy, to decrease related risks to an acceptable level. However, considering your stated scenario, it is not clear if you intend to apply new controls to the server, or to the datacenter (which would be another asset).

    For further information, please read:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    2. Exactly taking the same example as in the previous question, the domain applied could be A9, but only apply control A.92. That is, to what extent should I specify if I apply the domain or control or controls necessary for each asset?

    The controls to be applied will depend on the results of risk assessment (the unacceptable risks related to the asset will give you an orientation on which controls to apply), and legal requirements (e.g., laws, regulations and contracts) (a specific clause on one of them may require a specific control to be applied).

    3. The security measures that the company has already applied to the critical assets: must they be specified exactly in reference to a control, or can they be detailed in the document without relating them to a specific domain or control?

    Controls already implemented before the standard implementation must be specified in the results of Risk Assessment, because they help explain the risk value for assets they are related to and in the Statement of Applicability, because they are applied in your ISMS scope.

    For further information, please read:
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

    4. We have selected only assets with high and very high risk. These assets may have:

    - Security measures applied and need to be increased with new controls
    - Security measures applied and NOT need new controls, is this correct?
    - Having no measure to reduce the risk and requires controls.

    Is it right?

    All scenarios are valid for ISO 27001:
    - You can have security measures applied and need to add new controls to lower risks to acceptable levels.
    - You can have security measures applied and no need to add new controls, either because the risks are at acceptable levels, or it is not worth adding new controls (the cost would be greater than if the risk occurred).
    - You can have assets with no unacceptable risks related to them, but you still have to implement controls because some legal requirement (e.g., laws, regulation, or contract) demands the implementation of such controls.

    For further information, please read:
    - 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/

    5. The assets with resulting risk low and medium are accepted by the organization. What to do with them? Taking into account that we will only treat the high and very high risks and apply controls to these assets, does the rest of the assets disappear from the treatment and management? Is this a risk that is assumed but no measures are applied to reduce it, or is it necessary to apply and detail the measures for all assets, whatever the resulting level of risk?

    Please note that in the Risk Assessment and Treatment Methodology approach used in the toolkit you bought, the risks considered accepted as a result of the risk assessment phase won't be transferred to the risk treatment, but they will continue to be managed (i.e., during risk review they would be reassessed in the risk assessment phase).

    Risks considered accepted won't need any further treatment. You have to apply and detail controls only to risks considered unacceptable.

    6. Of the 4 defined ways to deal with risk, you would only apply controls in the option to apply controls; in the other 3 eligible options, no controls are applied. Is that correct?

    Example, asset: fire in the CPD / high risk

    There are safety measures for fire detection but not for fire extinguishing. In case of fire, the information is in the cloud and would not be affected….

    Could we choose to transfer the risk to the insurance company because, in case of fire, they assume the cost of the operation? Is it right?

    Implementation of controls is required when you decide to mitigate or transfer risks. In case of risk transfer (which is a valid option in your scenario) you either implement a control by buying insurance, or by defining security clauses for a third party that will handle the risk on your behalf (e.g., your cloud provider). But please note that on risk transfer your organization is still accountable for the impacts in case risks occur.

    For further information, please read:
    - 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
    - Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/

  • GDPR Compliance

    1. We have an internal collaboration application in our Organization (in which each employee has his/her own Profile, Posts, etc.) that is connected to Active Directory and accesses some employees' personal data. This application is accessing all our internal systems such as Travel System, Suppliers System, Compensation & Benefits, HR systems, etc.
    Based on this case, do you believe that we need to ask our employees to sign a consent for processing their personal data, taking into consideration that the employment contract includes a section for Confidentiality of Information that doesn't include any sentence related to personal data processing, only copyrights and confidentiality of project/company-related information disclosure?

    I would not recommend using consent when processing personal data of employees as most likely the consent will not be considered freely given due to the imbalance between the position of the employee and the employer. I suggest using legitimate interest as a lawful ground for processing if appropriate.

    2. Our Internal Systems (HR) are using cookies. Do we need to create/add a pop-up message with a link to our Cookies Policy in the pop-up box message?

    For the cookies that are not strictly necessary for the functioning of the website, I strongly recommend obtaining consent, especially for tracking and advertising cookies.

    3. As mentioned above, we have a Confidentiality of Information section stated in the employment contract. Is this section sufficient, or do we need to ask our Employees to sign an NDA (non-disclosure agreement) that includes a special section for GDPR Compliance requirements specifically?

    Including confidentiality clauses that include a reference to personal data is the same as signing NDAs.

  • ISO 9001 sub elements

    Normally, with ISO 9001:2015 one uses the terms clauses and sub clauses. So, my interpretation is that sub elements are the same as sub clauses.

    For example, clause (or element) “9.3 Management review” has a sub clause (or sub element) “9.3.2 Management review inputs”

    The following material will provide you more information about elements in ISO 9001:2015:

    - Article - ISO 9001 Requirements and Structure - https://advisera.com/9001academy/knowledgebase/iso-9001-requirements-and-structure/
    - Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Understanding the organizational knowledge clause

    Your management system is a set of interrelated processes. Each process requires people to operate it (ISO 9001:2015 clause 7.1.2). These people must be competent (ISO 9001:2015 clause 7.2).

    ISO 9001:2015 clause 7.1.6 – Organizational Knowledge is about setting your internal requirements for being competent to operate in a particular process. For each process, ask yourself what kind of knowledge each participant needs to perform each activity proficiently and to make good decisions. Keep and share this knowledge when needed.

    ISO 9001:2015 clause 7.1.6 – Organizational Knowledge has a second part about new knowledge to address changing needs and developments in know-how or market conditions; for example, it is like defining a radar of knowledge to watch and monitor in order to discover the new.

    The following material will provide you more information about organizational knowledge:

    - Article - How to manage knowledge of the organization according to ISO 9001 - https://advisera.com/9001academy/blog/2016/08/30/how-to-manage-knowledge-of-the-organization-according-to-the-iso9001/

    - Article - How to ensure competence and awareness in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-ensure-competence-and-awareness-in-iso-90012015/

    - [free course] ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/

    - book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • EU GDPR and data processor

    1. Is it better if a company contracts to me as a person, me as a contractor, or my company if passing me data? I want to offer interview coaching to job applicants for free, and only ask that they donate to charity in return.

    It would not make a difference in terms of data protection legislation such as the GDPR; either way, you as a sole trader or a company would be acting as a data processor. However, companies would rather contract other companies because companies usually have better guarantees than individuals.

    2. The recruitment firm I'm talking to is hesitant because of GDPR. How can I best allay their concerns?

    I would explain to them that the requirements of art. 28 of the GDPR apply the same, and a Data Processing Agreement between you and the company will regulate the processing of candidate data.

    If you want to find out more about the EU GDPR check out this EU GDPR Foundations Course (https://advisera.com/training/eu-gdpr-foundations-course//).

  • Risk-based audit program

    influence the possibility of meeting the audit program objectives 

    Answer:

    Not having enough resources to execute the audit program (time and or competent and independent internal auditors). 


    interfere with auditees’ activities

    Answer:

    For example, wanting to audit an employee when he or she is performing a critical task that requires full attention. Or wanting to audit an employee with questions while he or she is interacting directly with a customer.


    interfere with auditees’ processes

    Answer:

    This is similar to the last one. A process is a set of activities performed by one or more actors.

  • ISO 9001-Purchasing procedure

    Most likely, in the current situation, the procedure is not being followed as there are new “actors” and authorities and responsibilities are no longer centralized.

    If the present situation is acceptable and delivering good results, your organization can simply update the Purchasing procedure to reflect the present situation. Do not forget to check if job descriptions and competence requirements also need an update because of the new situation.

    I as an auditor always like to see updates in documents, a sign that the system is alive.

    The following material will provide you more information about document control:

    - New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
    - QMS Change Management in 7 steps - https://advisera.com/9001academy/blog/2016/11/29/qms-change-management-in-7-steps/
    - Enroll for free course - ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/
    - book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • In which of our offices to start with the implementation of EU GDPR

    You can start in whichever office you want; this is not something that is regulated by the GDPR. However, at the end of the day, all group companies need to be compliant.

    I suggest that you start with the company which has the most complex processing activities.

    If you want to find out more about the EU GDPR check out this EU GDPR Foundations Course (https://advisera.com/training/eu-gdpr-foundations-course//).

  • Security Master Plan

    Security Master Plan is not a concept used by ISO 27001, but considering the following definition from SGW Consulting:

    "The Security Master Plan is a document which comprises a report, drawings, and illustrations that set out the organization's security strategies, goals, plans, policies, and procedures. It is used to provide a detailed outline of the security risks and mitigation plans agreed between stakeholders."

    The closest ISO 27001 related documents are:
    - Risk assessment and risk treatment report: outline of the security risks
    - Statement of applicability: plans, policies, and procedures
    - Risk treatment plan: security strategies (i.e., treatment options)

  • Studying for certification

    Regarding ISO 27001, there is no prerequisite to attend the courses required to take the exams for ISO 27001 Lead Auditor and ISO 27001 Lead Implementer certifications, so you can just enroll in courses with accredited exams, like our ISO 27001 Lead Auditor course (https://advisera.com/training/iso-27001-lead-auditor-course/).

    This article will provide you a further explanation about the lead auditor course:
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/

    Regarding PCI-DSS, CISM and CISSP, these aren't our area of expertise, but generally speaking, you have to provide evidence of experience and take an exam (you can study on your own or take a course, this will depend on the time you can dedicate and your discipline to study). For further information, including options for training, I suggest these links:
    - PCI-DSS: https://www.pcisecuritystandards.org/program_training_and_qualification/pci_professional_qualification
    - CISM: https://www.isaca.org/CERTIFICATION/CISM-CERTIFIED-INFORMATION-SECURITY-MANAGER/Pages/default.aspx
    - CISSP: https://www.isc2.org/Certifications/CISSP#
