
  • Implementing regulatory requirements against cyber-threats


    Answer:

    When implementing regulatory requirements, the overall points you must focus on are:
    - identification of which requirements you must comply with, so you can map the requirements that must be fulfilled, the related cyber-threats, and the required controls (this will save you time, effort and costs).
    - prioritization of requirements implementation, considering related cyber-threats, needed resources and the impacts of non-compliance.
    - records you need to gather to evidence that the requirements are fulfilled.

    This article will provide you further explanation about controls implementation:
    - 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
  • Mandatory and non-mandatory documents


    Answer:

    In the ISO world, mandatory requirements/documents are related to the words “must” or “shall”, while non-mandatory requirements/documents are related to the words “may” or “should”. Documents and records mandatory to fulfill clauses from the main sections of the standard (sections 4 to 10) are:
    - Scope of the ISMS (clause 4.3)
    - Information security policy and objectives (clauses 5.2 and 6.2)
    - Risk assessment and risk treatment methodology (clause 6.1.2)
    - Statement of Applicability (clause 6.1.3 d)
    - Risk treatment plan (clauses 6.1.3 e and 6.2)
    - Risk assessment report (clause 8.2)
    - Records of training, skills, experience and qualifications (clause 7.2)
    - Monitoring and measurement results (clause 9.1)
    - Internal audit program (clause 9.2)
    - Results of internal audits (clause 9.2)
    - Results of the management review (clause 9.3)
    - Results of corrective actions (clause 10.1)

    Another situation is that some documents are required to fulfill controls that are mandatory if at least one of these situations happens:
    - There are unacceptable risks that justify the application of the control
    - There are legal requirements (e.g., laws or contract clauses) with which the organization must comply that demand the application of the control
    - There is a top management decision to implement the control, by considering it as good practice.

    If none of the above conditions happen, there is no need to implement a document related to that control.

    Besides the documents to fulfill clauses from the main sections, without a detailed evaluation of an organization, it is not possible to define how many documents an organization would have, and which ones would be an overkill.

    These articles will provide you further explanation about ISO 27001 documents and selection of controls:
    - List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    - 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
  • Physical access controls


    Answer:

    ISO 27001 does not prescribe controls for access to physical premises. Controls must only be implemented if you have related unacceptable risks or legal requirements demanding their implementation. The following articles can provide you an overview about physical protection:
    - Physical security in ISO 27001: How to protect the secure areas https://advisera.com/27001academy/blog/2015/03/23/physical-security-in-iso-27001-how-to-protect-the-secure-areas/
    - How to protect against external and environmental threats according to ISO 27001 A.11.1.4 https://advisera.com/27001academy/blog/2016/01/25/how-to-protect-against-external-and-environmental-threats-according-to-iso-27001-a-11-1-4/
  • Controller vs Processor roles

    We've received other questions:

    >5. Might the solution be to specify for each party the roles (controller/processor/joint controller) defined on specific and explicit functions?
    >I mentioned that sometimes the school acts as a controller – the school decides what/why/how to do with some data. But sometimes it acts as a processor – i.e. the state ministry of education forces schools to do something and provides technical resources such as a state database for registering children, etc. – how to be?

    Answer:

    I still see the school as an independent data controller even if it uses a database provided by the ministry of education.

    >6. Should we state in the Privacy policy that for one processing (to be specified which one) and the data categories in this processing the school is the controller, and for another one (also to be specified) the school is a processor on behalf of the noted controller?
    >Maybe I am digging too complex or deep?

    Answer:

    You will need to mention in your Privacy Notice that the data collected by the school will be passed to other independent data controllers.
  • GDPR obligation in case of occasional service


    Answer:

    Usually, the personal information which needs to be in an invoice is described in tax/accounting legal provisions. So as long as you only process data for invoicing purposes you should be fine.
  • SOP versus work instruction


    Answer:
    Different countries, different traditions. For example, some countries use the word registration and others use the word certification for the same thing.

    So, one can say that SOP and work instruction are different designations for the same thing. Basically, a SOP or work instruction answers the question: how do we do it? The focus is on the how, a detailed description of the sequence of activities. That is why I like to use pictures with signs to convey the message.

    Procedure and SOP are not necessarily the same thing. Procedures can be at a more abstract level than a SOP. A procedure answers several questions: Why do we do it? What do we do? When do we do it? Who does what? Without going into much detail about the “how”.

    The following material will provide you information about documentation structure:
    - ISO 9001 – How to structure quality management system documentation - https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/
    - How to structure work instructions in the ISO 9001 QMS - https://advisera.com/9001academy/blog/2015/06/16/how-to-structure-work-instructions-in-the-iso-9001-qms/
    - Free course – ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/
  • Data Controller VS Data Processor in cloud services


    Answer:

    Your company will be acting as a data processor as regards the data of the companies that use the billing software.

    2. Does my application need all the features (right to obtain, right to be forgotten, consent and many more) of a data controller, since the controller is using my application to bill their customers?

    Answer:

    Yes, the application should allow the data controller to comply with all the data subjects' requests.

    3. What are my responsibilities as a data processor, since most of the GDPR articles talk only about the controller and less about the processor?

    Answer:

    The responsibilities of data controllers are set out in Art. 28 - "Processors" of the EU GDPR. These obligations include:
    • The processor may only use a sub-processor with the consent of the controller. That consent may be specific to a particular sub-processor or general. Where the consent is general, the processor must inform the controller of changes and give them a chance to object (art. 28(2), art. 28(3)(d));
    • The processor must ensure it flows down these obligations to any sub-processor. The processor remains responsible for any processing by the sub-processor (art. 28(4));
    • The processor must assist the controller to comply with requests from individuals exercising their rights to access, rectify, erase or object to the processing of their personal data (art. 28(3)(e));

    These obligations are usually found in the Data Processing Agreement that should be signed between the controller and processor.
  • Benefits from the certification of governmental entities


    Answer:
    Simply implementing the management system should bring benefits for an organization. Taking the extra step and going for certification, even for a governmental entity, can bring extra benefits.
    * Certification can be a marketing tool to give more trust and better image to citizens.
    * Certification can help compliance.
    * Certification can be a useful Internal pressure. In some organizations, these kinds of projects will never finish unless there is powerful pressure like a clear deadline. So, if you agree with the certification body on a fixed date for the certification audit, both your management and your employees will have a much stronger sense of urgency for implementation.
    * Certification can help in maintaining a continued discipline. Certification is not an event; it must be maintained with annual audits. For many organizations, those audits represent a pressure to comply with internal procedures and minimize the erosion of discipline.

    The following material will provide you information about certification:
    - ISO 9001 – Would hospitals benefit from ISO 9001? - https://advisera.com/9001academy/blog/2015/07/21/would-hospitals-benefit-from-iso-9001/
    - Free course – ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Change control management in Advisera Toolkit


    Answer:

    Change control management is incorporated into critical procedures in ISO 13485 such as control of documentation, control of design and development changes. You can refer to 06_Procedure_for_Risk_Management as well as 00_Procedure_for_Document_and_Record_Control.
    For each procedure in the toolkit, there are details for the company to incorporate their own method of change control.
  • Questions about assets

    I have a couple of questions about the inventory of assets.

    1. Who is the owner of the asset “People”? Is it the HR Manager or the person with whom the contract is signed?

    Answer: ISO 27001 does not prescribe who should be the asset owner, but in general, if by contract you refer to an employment contract with an organization, then the asset owner is his/her superior in the organization. On the other hand, if this contract refers to a hired freelancer, consultant or similar, that will work for the organization only for a defined time, and for a specific work, then the asset owner should be the person with whom the contract is signed.

    2. As “Asset Owner”, can we use a position name (like CEO, HR Manager) or should it be personalized (John Smith, CEO)?

    Answer: ISO 27001 does not prescribe how to name the asset owner, so both approaches are acceptable, but in case you have a significant turnover of personnel related as asset owners then you should consider using roles, not personal names, because this will reduce the need to update the inventory every time the responsible person changes.

    3. We are a paperless company and all our contracts are in electronic form, stored on a reputable cloud solution. Should we include all contracts in the Inventory of Assets in that case?

    Answer: Regardless of whether your contracts are stored on a third-party cloud solution, the contracts still belong to the organization, and if they are relevant to the ISMS scope then they should be listed in the inventory of assets.

    4. If we have cabinets/drawers in the office where we do not store any documents, should they be included in the Inventory of Assets?

    Answer: If an asset is not related to the information you want to protect, then it does not need to be included in the inventory of assets.

    5. We rent an office in a technological hub and we are using their printer and scanner. Should we include them in the inventory?

    Answer: If the printers and scanners are part of the service delivered by the technological hub, and are relevant to the ISMS scope, then they should not be included in the inventory as equipment but as a third-party service (e.g., like a printer service), since this equipment is managed by a third party.

    This article will provide you further explanation about inventory of assets:
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/