
  • Transfer personal data outside the EU


    Answer:

    It is legal to transfer personal data outside the EU if specific safeguards are implemented to ensure an adequate level of protection of the personal data.

    If you want to find out more about cross-border data transfers, check out this free webinar: How to make personal data transfers to other countries compliant with GDPR (https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/).
  • ISO 27001 and application security


    (Hello, my question is the following: I use ISO 27001 to propose a security scheme in a mobile application ... or which standard you would recommend for the security scheme (mobile app).)

    Answer: ISO 27001 can provide you with a general security scheme, but for more detailed guidance on mobile applications we recommend that you take a look at ISO 27034, an ISO 27001 supporting standard covering specifically application security. You can have a preview of this standard at this link: https://www.iso.org/standard/44378.html

    You can also consider the OWASP project to build a robust application.

    This article will provide you with further explanation about OWASP:
    - How to use Open Web Application Security Project (OWASP) for ISO 27001? https://advisera.com/27001academy/blog/2018/04/24/how-to-use-open-web-application-security-project-owasp-for-iso-27001/
  • Certification process


    Answer: ISO 27001 certifications are issued by organizations known as "certification bodies", which follow strict procedures to audit and report audit results, to provide confidence in audit findings to interested parties (e.g., the organization itself, its customers, regulation bodies, etc.).

    The choice of the certification body is an organization's decision, based on its strategies and business objectives and alignment with certification body practices.

    These articles will provide you with further explanation about certification bodies:
    - Accreditation vs. certification vs. registration in the ISO world https://advisera.com/articles/accreditation-vs-certification-vs-registration-in-the-iso-world/
    - How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
  • SMS scope change


    Answer:
    Sure, you can change the scope of the SMS. That is even advisable in some particular cases, for example a large organization, a complex (service/technology) landscape, etc. The rule is: start small and expand at a pace you can control.
    There is a negative side to a "small" scope: many elements are external to the SMS. So, you have to decide where to start and how to expand.

    Here is the article to help you with the scope: "How to define the scope of the SMS in ISO 20000" https://advisera.com/20000academy/blog/2015/06/02/how-to-define-the-scope-of-the-sms-in-iso-20000/

    When changing the scope, you need to talk to your certification body and get an agreement, i.e. confirmation, from them.
  • Sharing documents


    Answer:

    Since this sharing is a legal requirement, this would not be a breach of the license for the use of our documentation. To protect your own information included in these policies, we recommend that you provide them to third parties with a warning that these policies should be shared only with personnel who need them to perform their own work.
  • Planning internal audit


    Answer:

    You do not have to audit your certified ISMS against all clauses each year. For certification purposes you only have to ensure that all ISO 27001 requirements have been audited at least once before the next certification audit. Considering that, you can audit only part of the requirements in each annual internal audit, provided that by the next certification audit all requirements have been audited at least once. This will be acceptable for surveillance audits.

    The best approach would be for you to check the surveillance audits schedule to verify which requirements will be covered by the next surveillance audit, so you can focus on them.

    These articles will provide you with further explanation about internal and surveillance audits:
    - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
    - Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/
  • Describing ISO clauses


    Answer:
    Normally, the paragraph is not mentioned. So, an auditor would refer to clause 4.4.1, item b).

    The following material will provide you with information about writing audit nonconformities:
    - Article – How to write a good ISO 9001 audit nonconformity? - https://advisera.com/9001academy/blog/2018/04/24/how-to-write-a-good-iso-9001-audit-nonconformity/
    - ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Internal audit scope

    When performing an audit the auditor compares what is done in reality with the audit criteria:

    https://www.screencast.com/t/rH5tXS3gSnT

    Auditors go into reality, collect audit evidence and compare it with the audit criteria. From that comparison they develop audit findings. Audit findings indicate conformity or nonconformity.

    So, the internal auditor uses the procedure as the audit criteria to set the reference and to develop their checklist. Then, using the checklist, the auditor verifies whether practices are according to the reference.
  • GDPR Data Controller or Data Processor

    Thanks a lot Andrei
  • Process, procedures and documentation


    Answer:
    Let us start with the second question, about the difference between processes and procedures. A process is a set of activities taken in order to achieve a particular end. A documented procedure is a written description of how to perform a certain activity or activities. So, process and procedure are two different things. About the first question, the answer is yes. One can document a 9001 process in a procedure, but remember that a process is much more than a procedure.

    The following material will provide you with information about the process approach:
    - Article – ISO 9001: The importance of the process approach - https://advisera.com/9001academy/blog/2015/12/01/iso-9001-the-importance-of-the-process-approach/
    - Free webinar on demand - The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/
    - Free course - ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/