
  • Templates for software development

    Do you have any that would be of use for us?

    Answer:

    Included in the toolkit you bought you have the following templates that cover software development:
    - Secure development policy
    - Specification of information system requirements

    Both are located in folder 08 Annex A Security Controls, subfolder A.14 System Acquisition Development and Maintenance.
    In case you find these are not enough to fulfill your needs you can edit them to include the information you want or create a new document using the blank template included in the root folder of your toolkit. In both cases you can contact us to support you.

    This article will provide you further explanation about security on software development:
    - How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/
  • Questions about certification


    Answer: ISO 27001 does not require the implementation of Business Continuity Management. A Disaster Recovery Plan will be enough to cover 27001 requirements.

    For more information, see:
    - How to use ISO 22301 for the implementation of business continuity in ISO 27001 https://advisera.com/27001academy/blog/2015/06/15/how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001/

    2. May employees' personal laptops and smartphones be excluded from the ISMS scope?

    Answer: Personal assets from employees must not be included in the organization's ISMS scope (after all, they do not belong to the organization). The point with such assets is that if they process or store information included in the ISMS scope, you have to assess the risks involved in such access, and if the risks are identified as unacceptable you have to consider how to treat them (e.g., forbid such assets to access the organization's information, or regulate their use through controls such as acceptable use of assets or a mobile and teleworking policy).

    For more information, see:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    3. In the template of the Risk Assessment and Treatment report, can you explain to me in more detail what is expected for the section "Time period"?

    Answer: In the "time period" section you must document:
    - When the risk assessment activity presented in the report started and ended
    - When the risk treatment activity presented in the report started and ended
    - When the elaboration of the final report started and ended

    With this information it can be evaluated whether the risk assessment took enough time considering the complexity of the scope assessed, whether risk treatment was performed in due time, and whether the report presents current or old information, which helps to support decision making.

    This article will provide you further explanation about risk management:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
  • Scope and certificate


    Answer:

    Any ISO certificate has a description of the scope of the management system. Please check if the scope of the QMS of the main campus includes your facilities. Sometimes management decides that certification is just for one part of the activities (like a hotel that does not include the restaurant and the pool), sometimes the same certificate is applicable to one organization with different sites.

    The following material will provide you more information about the scope:
    - How to define the scope of the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
    - [free course] ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - [free course] ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - book - ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/
  • Toolkit content and SoA

    method of identification of the other party
    authorizations to access information
    ensuring non-repudiation
    technical standards for data transfer
    incident response
    labeling and handling sensitive information
    copyright

    Answer: These items aim to ensure specific clauses in information exchange agreements are included to protect information sent to other parties. General examples of clauses related to these bullets are:
    - method of identification of the other party: "representative of organization's partner authorized to receive information must present as identification functional badge with his name and job title"
    - authorizations to access information: "only personnel authorized by partner's
  • Rules for identification, collection and preservation of evidence

    In which part of the document: Validity and document management;
    What is my question: What criteria must be considered for the effectiveness and appropriateness of the document?

    Answer:

    Regarding the rules for identification, collection and preservation of evidence, the criterion to be considered, among those included in this section of the template, is the "number of incidents for which evidence for legal action was inadequate", where the target number of incidents must take into account the incident history of your organization, or a number considered a reference by your industry.
  • Certification as a Lead Implementer and Lead Auditor


    With that background information, I have a question about certification as a Lead Implementer and Lead Auditor: is there an order in which one of these two certifications should be obtained before the other? I believe that in the immediate future Lead Implementer would be the more useful of the two for me, but is Lead Auditor certification a prerequisite for Lead Implementer?

    Answer:

    There is no mandatory order to pursue Lead Implementer and Lead Auditor certifications (in fact you can go for one certification and not for the other, because there is no prerequisite relation between them), so you must consider your personal and business objectives to define the proper approach.

    If you plan to implement an ISMS, then you should go for Lead Implementer certification, but if you plan to work as an auditor, then Lead Auditor would probably be better for you.

    These articles will provide you further explanation about ISO 27001 certifications:
    - What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
    - Lead Auditor Course vs. Lead Implementer Course – Which one to go for? https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/
  • GDPR Data Consent and Storage


    Answer:

    Visitors shouldn't be able to see who has signed in books before. This would mean that the personal data of the individuals signing in the books is disclosed to unintended recipients and the situation is considered a data breach.

    2. What happens if somebody walks off with your visitors’ book? I’m afraid this is also a breach of data security and confidentiality.

    Answer:

    Walking off with the register will be considered a data breach.

    3. If a visitor exercises their GDPR ‘Right to be forgotten’, verbally or in writing, you must erase/delete their personal information. How do you achieve this in your visitors’ book? Rip out a whole page?

    Answer:

    You could just redact the name of the visitor using a black marker or move to an electronic register.

    4. How long does your visitors’ sign-in book sit in your reception?

    Answer:

    As mentioned before, the registry should not just sit in the reception to be consulted by everyone as that in itself is a data breach. The retention period in this case is something you need to establish by yourself depending on the types and categories of personal data you hold and the reasons for keeping the data. For example you could refer to the statute of limitations period in your local legislation.

    5. How is it stored? What happens to the book when it’s full? If used visitors’ books are stored in a desk or cupboard, you’re in breach of GDPR because you’ve kept the information longer than necessary after the visitor has left, especially if they’re unlikely to return.

    Answer:

    When the register is full you just switch to a new one and archive the old one. Both registers, the one in use and the one which is archived, should be kept secure and not made available to unauthorized persons.

    6. Do you explain to each visitor how their information will be used, then gain the permission required under GDPR’s ‘Data consent and storage’ requirements before visitors sign your book?

    Answer:

    You can display a printed Privacy Notice at your reception so everyone can see and consult it. There is no need to verbally inform everyone. You can find more information about Privacy Notices in our free webinar Privacy Notices under the EU GDPR: https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/

    7. Can you prove that each visitor has given their consent before they signed?

    Answer:

    You won't be relying on consent as a lawful ground for processing the data of the individuals borrowing or consulting your books. I strongly recommend that you use legitimate interest and in this case providing an adequate Privacy Notice will most likely suffice.

    8. Do you need all the information that is stored in your visitors' book? GDPR stipulates that you can only collect required information. Does the information you need about each person vary according to visitor type? How does your visitors' book help you manage this? Or does it hold the same information about each person who visits your premises?

    Answer:

    I don't know what information you are asking from the visitors so I cannot provide you with an accurate answer. However, you need to consider the reason for asking the information. For example, if you only collect the information to be able to count how many people visited you, most likely name and surname will suffice.

    If you collect the information to be able to identify with certainty who borrowed a specific book to be able to take legal action to recover the book you may need to collect more information.

    All the purposes for which you collected personal data must be clearly explained in your Privacy Notice.

    If you want to find out more about the EU GDPR requirements, then check out this free EU GDPR Foundation Course: https://advisera.com/training/eu-gdpr-foundations-course//
  • ISMS measurement


    Answer:

    Without more details about the nonconformity, what I can suggest is to check which objectives were defined for the ISMS (see clause 6.2) and how you can verify whether they are being achieved (see clause 9.1):
    - Which monitoring methods were defined?
    - When must monitoring be performed?
    - Who must perform the monitoring?
    - When must the results of monitoring be analyzed and evaluated?
    - Who must analyze the results of monitoring and evaluation?

    These articles will provide you further explanation about measurement:
    - ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
    - How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/
  • Incident management procedure

    Record: Rules for the identification, collection and preservation of evidence
    My question: What is the storage duration? The template doesn't say anything about it.

    Answer:

    Retention time for evidence will depend mostly on the laws and regulations your organization has to comply with, so you must consult those identified on the list of legal requirements to have a precise definition for this retention time, but a good start is to retain evidence for at least three years (the period of an ISO 27001 certification).

    This article will provide you further explanation about record management:
    - Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
  • Cloud Services Agreement Guidelines


    Answer:

    I'm sorry about this confusion - the "Cloud Services Agreement Guideline" is not a document in the toolkit.

    The term "Cloud Services Agreement Guidelines" refers to definitions (i.e., clauses) you can find in cloud services agreements you have signed with your hosting providers, applicable to a control (e.g., a clause defining how backup must be executed or where backup copies must be stored), so it can refer to one or more documents.

    In the toolkit the document that can help you to include such guidelines in cloud service agreements is the Security Clauses for Suppliers and Partners: https://advisera.com/27001academy/documentation/security-clauses-for-suppliers-and-partners/

    This article will provide you further explanation about security clauses:
    - Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/