I need some advice as to which certification course I can first enroll in with the academy.
I have looked at your prices compared to BCI and have found them cheaper, as I have to pay for it myself.
Answer: Since you mentioned BCI (Business Continuity Institute), I'm assuming you are looking for business continuity training. Considering that, unfortunately at this time we do not have courses available related to this topic. If you want to consider ISO 22301, the ISO standard for business continuity, I'd suggest you first take a foundations course to understand the standard and its requirements.
Answer
Changing parameters of an established product is not necessarily the outcome of design and development. If the company does not launch new products, design and development is not applicable. But in our days it is difficult to stay in the market without periodically launching new products.
The best pathway will depend on your professional objectives. If you plan to work on an Information Security Management System certification process, then you should consider the Lead Implementer certification. If you plan to ensure the operation of an ISMS, then you should consider the Lead Auditor certification. Considering your current work, the Lead Implementer certification seems more appropriate.
Your understanding about referencing risks on the SoA is correct, but I'd like to comment that incorporating the Risk Assessment and Risk Treatment in a single spreadsheet is not a recommended approach. Although it may simplify documentation, it also creates a bigger document that is more difficult to read and work with, besides the fact that it leaves information about risk treatment open to personnel who are only required for risk assessment. For example, most people can participate in the risk assessment process, but definition of risk treatments and controls may be restricted only to personnel who will work on the implementation of such treatment. You should evaluate this situation to verify that using a single spreadsheet will not raise significant risk.
Information security in organizational chart
Answer:
Since your organization has a CRO (Chief Risk Officer), and I'm assuming that by that there is an organizational-wide risk management process, you have two options:
- Leave CRO in charge of the Information security risk management, and the CISO will provide the criteria by which information security risks will be evaluated considering the CRO risk management process approach.
- Leave CISO in charge of the Information security risk management, and the CRO will provide the requirements the information security risk management process will have to follow to stay compliant with the organizational-wide risk management process approach.
Implementation steps
Answer:
Your assumption is correct. Policies, procedures and other documents included in Annex A folder will be implemented according to the results of risk assessment and the definition of the Risk Treatment Plan.
Answer: Please note that included with the toolkit you bought you have access to video tutorials that can help you fill in the most critical documents (e.g. risk assessment and risk treatment tables, risk assessment methodology, etc.). These videos have examples with real data.
2 - How are cloud providers treated in risk and asset inventory?
Answer: Cloud providers can be treated in the category of Outsourced services on both risk and asset inventory.
Internal Auditor Courses and SQF
Answer
No, Advisera’s Internal Auditor Courses do not include the SQF standard, only ISO 9001, ISO 14001 and ISO 27001. Besides that, Advisera’s Internal Auditor Courses include good auditing practices for preparing, performing and reporting an audit, applicable to auditing the SQF standard.
Sorry, but I think there is a misunderstanding here. The comment on column F of the asset inventory mentions the Risk Assessment Table, not the Risk Treatment, and on the Risk Assessment Table you have all assets considered in your ISMS scope.
As a last note, listing the consequences in the Asset inventory is not mandatory (it is only a best practice so you can quickly verify the impacts related to an asset without having to open another document).
GDPR and data processing
Answer:
I would advise against using consent as a lawful basis for the processing of personal data especially considering the latest fine issued by the Greek Supervisory Authority. As a general rule, you should be avoiding consent when processing employee data.
2. Is processing of bank details for payments allowed by GDPR?
Answer:
Yes, it is. The GDPR does not forbid certain data to be processed; however, you would need to set up additional security measures to protect bank details. You should also check if you need to be PCI compliant as well.
3. As a real estate company do I need to have a Data Protection Officer?
Answer:
It is quite unlikely unless (a) the company has more than 250 employees, or (b) the processing the company carries out is likely to result in a risk to the rights and freedoms of data subjects; or (c) the processing is not occasional; or (d) the processing includes special categories of data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation); or (e) the processing includes personal data relating to criminal convictions and offenses.
4. Can I ask clients for a declaration that they are not allowed to contact the owner directly?
Answer:
This is not necessarily related to the GDPR so you should check this with a lawyer that knows your local laws.