Search results

  • ISO 27001 applicability


    I have a question: can ISO 27000 and its annexes be integrated into a computer equipment optimization procedure, or are they integrated only for data security?

    Answer:

    ISO 27001 controls from Annex A cover a wide range of controls to protect information, and some of them can be used in a procedure for computer equipment optimization (e.g., A.6.2.1 Mobile device policy, A.11.2.9 Clear desk and clear screen policy, and A.12.5.1 Installation of software on operational systems).

    These articles will provide you further explanation about ISO 27001 controls for computer equipment:
    - Overview of ISO 27001:2013 Annex A https://advisera.com/27001academy/iso-27001-controls/
    - 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
    - How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
  • DPO and Data breach


    Answer:

    Appointing a DPO is mandatory if (a) the company has more than 250 employees; or (b) the processing the company carries out is likely to result in a risk to the rights and freedoms of data subjects; or (c) the processing is not occasional; or (d) the processing includes special categories of data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation); or (e) the processing includes personal data relating to criminal convictions and offenses.

    If you want to find out more about the role of the DPO check out this free webinar “Role of the DPO according to EU GDPR” (https://advisera.com/eugdpracademy/webinar/role-of-the-dpo-according-to-eu-gdpr-free-webinar-on-demand/).

    2. Can the Security Officer also be the DPO?

    Answer:

    In theory, yes. However, I would advise against such an approach as the roles would be conflicting in certain areas. The role of the Security Officer is to protect the company information assets using whatever means necessary but the DPO needs to ensure that the means of processing personal data are lawful, transparent and proportionate.

    3. In the case of a data breach, how do I know whether I need to notify the data protection authority?

    Answer:

    You first need to assess the severity of the data breach, taking into account how that breach can affect the rights and freedoms of the data subjects involved. There are three scenarios:

    a) If the breach does not affect the rights and freedoms of the data subjects the breach does not need to be reported;

    b) If the breach poses a risk to the rights and freedoms of the data subjects the breach needs to be reported to the Supervisory Authority;

    c) If there is a high risk, then both the data subject and the Supervisory Authority need to be notified.

    If you want to learn more about data breaches check out this webinar “A How-to Guide for GDPR Data Breach Notifications” (https://advisera.com/eugdpracademy/webinar/a-how-to-guide-for-gdpr-data-breach-notifications-free-webinar-on-demand/).

    4. Does the data breach need to happen in the EU, or can it be outside the EU as well?

    Answer:

    Yes, it does. If the data subjects affected by the data breach are in the EU the breach needs to be notified as described in question 3. This is one of the instances where the extraterritorial reach of the GDPR kicks in.
  • Document control in ISO 9001:2015


    Answer
    Yes, document control is required in ISO 9001:2015. Document and record control are now in clause 7.5 as Documented Information. ISO 9001:2008 had eight different clauses; the 2015 version consists of ten clauses. Now ISO 9001, ISO 27001, ISO 45001 and ISO 14001 all have a common core structure. This structure is called the High-Level Structure. The intent is to make the integration of management systems a lot easier.

    The following material will provide you more information about documented information:
    New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
    - Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Mandatory documents in ISO 45001


    Answer:
    The use of the word “shall” in the requirement is indicating that you need to perform this function or activity, but this does not indicate that the ISO 45001:2018 standard requires you to document anything. Many processes which are required do not need to be documented, or have documented records. It is the use of the term “documented information” which indicates that there is a mandatory documentation requirement from the standard. Where the standard does not use the term “documented information”, but many companies include this in their OHSMS, we have included this in the document about mandatory documents of ISO 45001.
    There is no one best way to document what is required in the OHSMS, so the best advice is to determine what will work best for you to be able to locate the information when needed. For larger companies, there is a good documentation structure discussed in the link below.
    For more on structuring documentation in the ISO 45001:2018 OHSMS, see the article: How to structure ISO 45001 documentation, https://advisera.com/45001academy/blog/2018/11/08/how-to-structure-iso-45001-documentation/
  • Audit questions

    GRR acceptance criteria is 10%. In case of GRR for attributes, the Kappa value acceptance criteria is 0.75. That means in the simple comparison method we have min. 90% acceptance. So why is a Kappa value of 0.75 accepted, when it means 25% rejection is accepted? Not able to understand the statistical acceptance in the case of an attribute study.

  • ISO 27001 benefits


    Answer:

    The most common topics you can consider regarding lowering expenses are related to the impact of information security incidents: decreasing their number, their effective impact, or the resources involved in handling them.

    Additionally, you can consider the decrease in fines related to non-compliance with legal requirements.
  • Measurable quality objectives


    Answer
    If you write a quality objective that is countable, you ensure that it is measurable. For example:

    * Our organization wants to increase the number of corporate clients by 5% by the end of the year;
    * Our organization wants to reduce the number of clients lost to the competition by 7% by the end of the year;
    * Our organization wants to reduce by 10% the customer wait time in line by the end of next quarter.
    * Our organization wants to reduce employee turnover by 10% by the end of the year.

    For each example you can count the number of corporate clients, the number of clients lost, …

    The following material will provide you more information about quality objectives:
    How to Write Good Quality Objectives - https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
    - Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Enroll for free course - ISO 9001:2015 Lead Auditor Course - https://advisera.com/training/iso-9001-lead-auditor-course/
    - book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Surveillance audit and auditors


    Answer
    Surveillance audits are performed by certification bodies. Certification bodies use the same criteria that they have for certification audits. Normally, certification bodies try to keep one or more auditors from the certification audit in the following surveillance audits.

    The following material will provide you more information about surveillance audits:
    What is an ISO 9001 surveillance audit? - https://advisera.com/9001academy/blog/2016/10/18/what-is-an-iso-9001-surveillance-audit/
    [free course] ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    book - ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/
  • Course and certification bodies


    Answer:
    Your question is not complete because we do not know your purpose, what aim you want to meet by enrolling in the course.
    If you want to become an internal auditor, it is enough (and very expensive).
    If you want to become an external lead auditor doing internal audits, it is enough (and very expensive).
    If you want to become a lead auditor for a certification body, after the course, when you get the certificate, you have to contact the certification body to find out what their particular requirements are. They may want evidence of your experience as an auditor and of your professional experience, because that determines the economic sectors that you can audit. Each certification body will have different requirements and different contract requirements.

    The following material will provide you more information about audit courses, which you can enroll in for free, take at your own pace and time, and which are recognized by Exemplar Global:
    - ISO 14001:2015 Internal Auditor Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - ISO 14001:2015 Lead Auditor Course - https://advisera.com/training/iso-14001-lead-auditor-course/
  • Risk Assessment and Risk Treatment template


    Answer: The main differences between these three documents are:
    - Risk Assessment and Risk Treatment Methodology Cloud covers not only requirements for ISO 27001, but also specific requirements applicable to cloud environments defined by ISO 27017 and to Personally Identifiable Information (PII) defined by ISO 27018.
    - Risk Assessment and Risk Treatment Methodology Premium covers not only requirements for ISO 27001, but also specific requirements applicable to business continuity defined by ISO 22301.
    - Risk Assessment and Risk Treatment Methodology Integrated covers not only requirements for ISO 27001, but also specific requirements applicable to the protection of personal data defined by the EU GDPR.

    You can see the specific requirements covered in each document in its own section 2 - Reference Documents.

    2 - Also, based on security practices, risk is calculated by multiplying likelihood with impact. However, in this methodology you are adding them.

    Answer: ISO 27001 does not prescribe how risk is calculated, and the most used practices are multiplying or adding likelihood and impact; we chose the latter approach for our template. However, you can adjust the template approach to multiply likelihood with impact if you wish. This is perfectly acceptable under ISO 27001 requirements (both methods are suggested in ISO 27005).

    For further information, see:
    - How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment

    3 - Please let me know if Advisera has any documentation on how to perform risk assessments on third parties and cloud providers.

    Answer: You can use the same risk assessment approach adopted by your organization to perform risk assessments on third parties and cloud providers. Please note that to assess risks on cloud providers you should consider the Risk Assessment and Risk Treatment Methodology Cloud.
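    The additive-versus-multiplicative point in answer 2 above, as an added example that is not part of the original answer or of Advisera's template: a small constructed risk register scored both ways, to show that the two methods rank the same risks differently and that an "unacceptable risk" threshold chosen for one method does not carry over to the other. The 1..5 scales, the thresholds and the register entries are assumptions chosen for illustration.

```python
"""Score one constructed risk register additively and multiplicatively.

Added example, not Advisera's methodology. Scales (1..5 for both likelihood
and impact), thresholds and register entries are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Callable, List

SCALE_MAX = 5  # assumed upper bound of both scales; ISO 27005 does not fix one


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # 1 (rare) .. SCALE_MAX (almost certain)
    impact: int      # 1 (negligible) .. SCALE_MAX (severe)

    def __post_init__(self) -> None:
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= SCALE_MAX:
                raise ValueError(f"{self.name}: {value} is outside 1..{SCALE_MAX}")


Scorer = Callable[[Risk], int]


def additive(r: Risk) -> int:
    """Template-style score: likelihood + impact, range 2..10 on 1..5 scales."""
    return r.likelihood + r.impact


def multiplicative(r: Risk) -> int:
    """Common alternative: likelihood * impact, range 1..25 on 1..5 scales."""
    return r.likelihood * r.impact


def rank(register: List[Risk], score: Scorer) -> List[str]:
    """Names ordered by descending score; ties broken by name so output is stable."""
    return [r.name for r in sorted(register, key=lambda r: (-score(r), r.name))]


def unacceptable(register: List[Risk], score: Scorer, threshold: int) -> List[str]:
    """Risks at or above the acceptance threshold, i.e. those needing treatment."""
    return sorted(r.name for r in register if score(r) >= threshold)


def distinct_scores(score: Scorer) -> int:
    """How many different score values the method can produce over the whole
    likelihood x impact grid: a measure of how finely it separates risks."""
    cells = range(1, SCALE_MAX + 1)
    return len({score(Risk("cell", lk, im)) for lk in cells for im in cells})


# Constructed register (assumption, not real assessment data).
REGISTER = [
    Risk("Laptop theft, disk unencrypted", likelihood=3, impact=3),
    Risk("Data-center fire", likelihood=1, impact=5),
    Risk("Phishing leads to mailbox compromise", likelihood=5, impact=2),
    Risk("Misconfigured cloud bucket exposes PII", likelihood=2, impact=5),
]

if __name__ == "__main__":
    for label, scorer, threshold in (("additive", additive, 6),
                                     ("multiplicative", multiplicative, 9)):
        print(f"{label}: {distinct_scores(scorer)} distinct score values")
        for name in rank(REGISTER, scorer):
            r = next(x for x in REGISTER if x.name == name)
            print(f"  {scorer(r):2d}  {name}")
        print(f"  treat (>= {threshold}): {unacceptable(REGISTER, scorer, threshold)}")
```

Under the additive method the rare-but-severe fire (1 + 5) and the routine unencrypted-laptop theft (3 + 3) score the same 6, while multiplication separates them (5 versus 9); over the full 5x5 grid addition yields only 9 distinct values against 14 for multiplication. Whichever method the organization keeps, the acceptable-risk threshold in the methodology has to be set for that method's range, not copied across.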