Search results

Home / Search

Category:
Select
Select

11277 results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Physical access controls


    Answer:

    ISO 27001 does not prescribe controls for access to physical premises. Controls only must be implemented if you have related unacceptable risks or legal requirements demanding their implementation. The following articles can provide you an overview about physical protection:
    - Physical security in ISO 27001: How to protect the secure areas https://advisera.com/27001academy/blog/2015/03/23/physical-security-in-iso-27001-how-to-protect-the-secure-areas/
    - How to protect against external and environmental threats according to ISO 27001 A.11.1.4 https://advisera.com/27001academy/blog/2016/01/25/how-to-protect-against-external-and-environmental-threats-according-to-iso-27001-a-11-1-4/

  • Controller vs Processor roles

    We've received other questions:

    >5. Might be the solution is to specify for each part roles (controller/processor/joint controller) defined on specific and explicit functions?
    >I mentioned, that sometimes the school acts as a controller – the school decides what/why/how to do with some data. But, sometimes, it acts as a processor – i.e. state ministery of education force schools to do something and provides technical resources as a state database for registering children, etc. – how to be?

    Answer:

    I still see the school as an independent data controller even if uses a database provided by the ministry of education.

    >6. Should we state in the Privacy policy, that for one (to be specified wich one) processing and data categories in this processing the school is controller, for another one (also, to be specified) – the school is a processor on behalf of noted controller?
    >Maybe I am digging to complex or deep?

    Answer:

    You will need to mention in your Privacy Notice that the data collected by the school will be passed to other independent data controllers.

  • GDPR obligation in case of occasional service


    Answer:

    Usually, the personal information which is needed to be in an invoice is described in tax/accounting legal provisions. So as long as you only process data for invoicing purposes you should be fine.

  • SOP versus work instruction


    Answer:
    Different countries, different traditions. For example, some countries use the word registration and others use the word certification for the same thing.

    So, one can say that SOP and work instruction are different designations for the same thing. Basically, a SOP or work instruction answer to the question: how do we do it? The focus is in the how, a detailed description of the sequence of activities. That is why I like to use pictures with signs to convey the message.

    Procedure and SOP are not necessarily the same thing. Procedures can be at a more abstract level than a SOP. A procedure answer to several questions: Why do we do it? What do we do? When do we do it? Who does what? Without going into much detail about the “how”.

    The following material will provide you information about documentation structure:
    - ISO 9001 – How to structure quality management system documentation - https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/
    - How to structure work instructions in the ISO 9001 QMS - https://advisera.com/9001academy/blog/2015/06/16/how-to-structure-work-instructions-in-the-iso-9001-qms/
    - Free course – ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    · - book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/

  • Data Controler VS Data Processor in cloud services


    Answer:

    Your company will be acting as a data processor as regards to the data of the companies that use the billing software

    2. Do my application need all the feature(Right to obtain, right to be forgotten, consent many more) of data controller since controller is using my application to bill their customer?

    Answer:

    Yes, the applications should allow the data controller to comply with all the data subjects requests.

    3. what are my responsibility as data processor since most of the GDPR article talks only about controller and less about processor?

    Answer:

    The responsibilities of data controllers are set out in Art. 28 - "Processors" of the EU GDPR. These obligations include:
    • The processor may only use a sub-processor with the consent of the controller. That consent may be specific to a particular sub-processor or general. Where the consent is general, the processor must inform the controller of changes and give them a c hance to object (art. 28(2),art. 28(3)(d));
    • The processor must ensure it flows down these obligations to any sub-processor. The processor remains responsible for any processing by the sub-processor (art. 28(4));
    • The processor must assist the controller to comply with requests from individuals exercising their rights to access, rectify, erase or object to the processing of their personal data (art. 28(3)(e));

    This obligations are usually found in the Data Processing Agreement that should be signed between the controller and processor.

  • Benefits from the certification of governmental entities


    Answer:
    Simply implementing the management system should bring benefits for an organization. Giving the extra step and going for certification, even for a governmental entity can bring extra benefits.
    * Certification can be a marketing tool to give more trust and better image to citizens.
    * Certification can help compliance.
    * Certification can be a useful Internal pressure. In some organizations, these kinds of projects will never finish unless there is powerful pressure like a clear deadline. So, if you agree with the certification body on a fixed date for the certification audit, both your management and your employees will have a much stronger sense of urgency for implementation.
    * Certification can help in maintaining a continued Discipline. Certification is not an event; it must be maintained with annual audits. For many organizations, those audits represent a press ure to comply with internal procedures and minimize the erosion of discipline.

    The following material will provide you information about certification:
    - ISO 9001 – Would hospitals benefit from ISO 9001? - https://advisera.com/9001academy/blog/2015/07/21/would-hospitals-benefit-from-iso-9001/
    - Free course – ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Change control management in Advisera Toolkit


    Answer:

    Change control management is incorporated into critical procedures in ISO 13485 such as control of documentation, control of design and development changes. You can refer to 06_Procedure_for_Risk_Management as well as 00_Procedure_for_Document_and_Record_Control.
    For each procedure in the toolkit, there are details for the company to incorporate their own method of change control.

  • Questions about assets

    I have couple of questions about inventory of assets.

    1. Who is owner of asset “People”. Is it HR Manager or the person with whom the contract is signed?

    Answer: ISO 27001 does not prescribe who should be the asset owner, but in general, if by contract you refer to an employment contract with an organization, then the asset owner is his/her superior in the organization. On the other hand, if this contract refers to a hired freelancer, consultant or similar, that will work for the organization only for a defined time, and for a specific work, then the asset owner should be the person with whom the contract is signed.

    2. As “Asset Owner” can we use Position Name (like CEO, HR Manager) or it should be personalized (John Smith, CEO)

    Answer: ISO 27001 does not prescribe how to name the asset owner, so both approaches are acceptable, but in case you have a significant turnover on personnel related as asset owners then you should consider using roles not personal names, because this will reduce the need to update the inventory every time t he responsible person changes.

    3. We are paperless company and all our contracts are in electronic form, which are stored on reputable cloud solution. Should we include all contracts in Inventory of Assets in that case?

    Answer: Regardless if your contracts are stored on a third-party cloud solution, the contracts still belong to the organization, and if they are relevant to the ISMS scope then they should be listed on the inventory of assets.

    4. If we have cabinets/drawers in the office where we do not store any document, should it be included in Inventory of Assets?

    Answer: If an asset is not related to the information you want to protect, then it does not need to be included in the inventory of assets.

    5. We rent office in technological hub and we are using theirs printer and scanner. Should we include it in inventory?

    Answer: If the printers and scanners are part of the service delivered by the technological hub, and are relevant to the ISMS scope, then they should not be included in the inventory as equipment but as a third-party service (e.g., like a printer service), since these equipment are managed by a third-party.

    This article will provide you further explanation about inventory of assets:
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

  • Is the course enough for certification?


    Answer:

    I'm not sure to which course you are referring to, but our online courses (e.g. ISO 27001 Foundations Course, Internal Auditor Course, Lead Auditor Course, Lead Implementer Course) give you an overview of all the requirements of the standard + necessary skills for e.g. auditing or implementing.

    If you want to get certified as an individual, these courses will be enough for you to get ready for the exam & certification.

    If you want to get certified as a company, you will also need the documentation and detailed guide for each of the implementation steps - these items are not included in the course - for that purpose see this ISO 27001 Documentation Toolkit: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

    See also: ISO 27001 certification for persons vs. organizations https://advisera.com/27001academy/iso-27001-certification/

  • Is Inventory of assets a document or a record?

    https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/"

    Answer:

    The purpose of a record is to evidence a previous situation, that an action was performed, and/or a result was achieved, so to be of use it cannot be changed over time (at least it shouldn't). On the other hand a document contains information that can be changed over time, and an inventory of assets is a living document that must be continuously updated to be of value for an organization.

    This article will provide you further explanation about inventory of assets:
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
Page 572-vs-13485 of 1128 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +