
  • Filling SoA

    Answer:

    Your understanding about referencing risks on the SoA is correct, but I'd like to comment that incorporating the Risk Assessment and Risk Treatment in a single spreadsheet is not a recommended approach. Although it may simplify documentation, it also creates a bigger document that is more difficult to read and work with, besides the fact that it exposes information about risk treatment to personnel who are only required for risk assessment. For example, most people can participate in the risk assessment process, but the definition of risk treatments and controls may be restricted only to personnel who will work on the implementation of such treatment. You should evaluate this situation to verify that using a single spreadsheet will not raise a significant risk.
  • Information security in organizational chart


    Answer:

    Since your organization has a CRO (Chief Risk Officer), and I'm assuming that by that there is an organization-wide risk management process, you have two options:
    - Leave the CRO in charge of the information security risk management, and the CISO will provide the criteria by which information security risks will be evaluated, considering the CRO's risk management process approach.

    - Leave the CISO in charge of the information security risk management, and the CRO will provide the requirements the information security risk management process will have to follow to stay compliant with the organization-wide risk management process approach.
  • Implementation steps


    Answer:

    Your assumption is correct. Policies, procedures and other documents included in the Annex A folder will be implemented according to the results of the risk assessment and the definition of the Risk Treatment Plan.

    This article will provide you further explanation about implementation steps:
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
  • Template content


    Answer: Please note that, included with the toolkit you bought, you have access to video tutorials that can help you fill in the most critical documents (e.g. risk assessment and risk treatment tables, risk assessment methodology, etc.). These videos have examples with real data.

    2 - How are cloud providers treated in risk and asset inventory?

    Answer: Cloud providers can be treated in the category of Outsourced services on both risk and asset inventory.
  • Internal Auditor Courses and SQF


    Answer:
    No, Advisera’s Internal Auditor Courses do not include the SQF standard, only ISO 9001, ISO 14001 and ISO 27001. Besides that, Advisera’s Internal Auditor Courses include good auditing practices for preparing, performing and reporting an audit, applicable to auditing the SQF standard.


    The following material will provide you with more information about internal audits:
    13 Steps for ISO 9001 Internal Auditing using ISO 19011 - https://advisera.com/9001academy/knowledgebase/13-steps-for-iso-9001-internal-auditing-using-iso-19011/
    Free webinar – How to perform an ISO 9001:2015 internal audit - https://advisera.com/9001academy/webinar/how-to-perform-an-iso-9001-2015-internal-audit-free-webinar-on-demand/
    ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/
  • Asset inventory content


    Answer:

    Sorry, but I think there is a misunderstanding here. The comment on column F of the asset inventory mentions the Risk Assessment Table, not the Risk Treatment, and on the Risk Assessment Table you have all assets considered in your ISMS scope.

    As a last note, listing the consequences in the Asset inventory is not mandatory (it is only a best practice so you can quickly verify the impacts related to an asset without having to open another document).
  • GDPR and data processing


    Answer:

    I would advise against using consent as a lawful basis for the processing of personal data, especially considering the latest fine issued by the Greek Supervisory Authority. As a general rule, you should avoid consent when processing employee data.

    2. Is processing of bank details for payments allowed by GDPR?

    Answer:

    Yes, it is. The GDPR does not forbid certain data from being processed; however, you would need to set up additional security measures to protect bank details. You should also check if you need to be PCI compliant as well.

    3. As a real estate company do I need to have a Data Protection Officer?

    Answer:

    It is quite unlikely unless (a) the company has more than 250 employees; or (b) the processing the company carries out is likely to result in a risk to the rights and freedoms of data subjects; or (c) the processing is not occasional; or (d) the processing includes special categories of data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation); or (e) the processing includes personal data relating to criminal convictions and offenses.

    4. Can I ask clients for a declaration that they are not allowed to contact the owner directly?

    Answer:

    This is not necessarily related to the GDPR so you should check this with a lawyer that knows your local laws.

    If you want to find out more about consent and other lawful grounds for processing check out this webinar: Privacy Notices under the EU GDPR https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/
  • ISO 20k risk management process for BCMS

    Am I able to use this same risk document for BCMS?

    Answer:

    If you consider a BCMS based on ISO 22301, you can use the same risk document based on ISO 20k. You only have to make adjustments to fulfill specific requirements from ISO 22301. For example, for a BCMS you have to consider risks that can cause disruption of business services and processes in a general manner (i.e., not only related to IT services).

    This article is a little bit off-topic, but can provide you a view of the concept: https://advisera.com/27001academy/blog/2013/03/11/can-iso-27001-risk-assessment-be-used-for-iso-22301/
  • System/App Retirement & Decommissioning

    Great answer; thanks.
  • What is the role of the process owner?


    Answer:

    A Process Owner is a person who is given the responsibility and authority for managing a particular process. A process owner is responsible for the design of the process, how it is carried out, how it interacts with other processes, and how it is measured. The process owner identifies process documentation and training requirements, and identifies risks and opportunities with the current process. Of course, this responsibility is an ongoing task.

    For more information on the process approach, you can see the following article. This article is written for ISO 9001, but the process approach described is also fully applicable for ISO 13485.
    ISO 9001: The importance of the process approach https://advisera.com/9001academy/blog/2015/12/01/iso-9001-the-importance-of-the-process-approach/