Search results

Home / Search

Category:
Select
Select

11269 results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Assets of IaaS

    Answer:

    In situations where you cannot change service conditions presented by the provider you should evaluate if your organization can accept the risks not properly covered by the provided service agreement,and if there are alternative providers you can consider.

  • Risk assessment and BIA

    1. Which one would I do first and why? Answer: Actually, there is no definitive order to perform risk assessment and business impact analysis, and the choice for one or another will depend on your expectations: - By doing BIA first you will have a prioritized list of processes and services that can impact the most of your business in case of disruptive incidents, then you can go to assess the most relevant risks for the most critical processes and services. - By doing risk assessment first you will have a prioritized list of risks your organization is most exposed to, i.e. the most potential disruptive incidents, then you can go to assess the impact on business regarding the processes and services affected by those risks. Particularly, we prefer to do risk assessment first because this way, you will have a better impression of which incidents can happen (which risks you’re exposed to), and therefore be better prepared for doing the busine ss impact analysis (which focuses on consequences of those incidents). This article will provide you further explanation about BIA and risk assessment: - Risk assessment vs. business impact analysis https://advisera.com/27001academy/knowledgebase/risk-assessment-vs-business-impact-analysis/ 2. Do I include the BIA risks in my risk register and if yes then do I reference the BC plans for the treatment plan? As an example, would a fire be raised as a risk in the risk register as well as in the the BC plans? Answer: If the risks used to support the BIA process are related to information you want to protect with your ISMS (i.e., risks that impacts information), then you need to include them in the risk register for ISO 27001. These article will provide you further explanation about risk treatment and SoA: - Risk Treatment Plan and risk treatment process – What’s the difference? https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/ - How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/

  • Grading nonconformities


    Answer:
    ISO 9001:2015 does not mention audit findings categorization. ISO 19011:2018 in clause 6.4.8 states that nonconformities can be classified according to the context of the organization and its risks. This classification can be quantitative (e.g. 1 to 5) or qualitative (e.g. minor, major). Grading nonconformities (as separate categories) is generally used only in certification audits (not so often in internal audits).

    About your concerns with subjectivity, remember that this grading is based on the auditor’s judgment and experience.

    Minor nonconformity – a nonconformity that does not affect the capability of the management system to achieve the intended results.
    Major nonconformity – a nonconformity that affects the capability of the management system to achieve the intended results. For example, if the company completely failed to fulfill a certain requirement; if a proce ss has completely fallen apart; or if you have several minor nonconformities that are related to the same process or to the same element of your management system.

    The following material will provide you information about audits:
    - Major vs. minor nonconformities in the certification audit - https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/
    - Free online training ISO 9001:2015 Internal Auditor Course – https://advisera.com/training/iso-9001-internal-auditor-course/
    - Book – ISO Internal Audit: A Plain English Guide – https://advisera.com/books/iso-internal-audit-plain-english-guide/

  • Toolkit content


    Answer: You can describe only services in your scope, but it is not recommended, since services are delivered by processes, and you cannot define location in the scope without considering the processes related to the services. For example, in your case, the central processing of a service is performed in the datacenter, while employees interact with the service in rooms and offices outside the datacenter, and these rooms and offices also must be include as locations in your scope, so all environments where the service runs are protected by the ISMS.

    These articles will provide you further explanation about scope definition:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    2. ISMS Scope Document, Locations: The office is in Belgium and the datacenter is in The Netherlands. Is this a fine way how to write how they are separated?

    Answer: If only your datacenter is in the scope, there is no need to include the location of the office. You must specify means of separation only when elements that are inside and outside of the scope are in the same location (for example, the datacenter is in the same building but is located on a separated floor).

    3. Which fields are obligatory in the Risk Treatment Plan?

    Answer: ISO 27001 does not prescribe the content of a risk treatment plan, but all fields defined in the Risk Treatment Plan template must be filled because they will help you not only to ensure controls are implemented (by means of Description of activities, Responsible person, Start and completion deadlines, and Status) but will also help you evidence fulfillment of standards clauses (Necessary financial and other resources for clause 7.1, Training and awareness programs for clause 7.2, and Method for evaluation of results for clause 9.1)

    This article will provide you further explanation about evidencing resources:
    - How to demonstrate resource provision in ISO 27001 https://advisera.com/27001academy/blog/2017/04/10/how-to-demonstrate-resource-provision-in-iso-27001/

    4. Inventory of assets: If we choose not to do asset labeling, then I assume we only have 2 obligatory fields which are Asset Owner and Asset Name right?

    Answer: ISO 27001 does not prescribe which details must be listed in the asset inventory, so you can list only the asset name and its owner, but you should also consider to fill the other fields, because they will be useful for managing the assets.

    This article will provide you further explanation about asset register:
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

    5. A.7.2.3 Disciplinary process: Can this be really basic defined or do you have any examples of how it could be defined?

    Answer: ISO 27001 does not prescribe which details must be included in the disciplinary process, so an organization is free to define it the way it better suits them (you can use the disciplinary process you already have in your own organization).

    6. Training and Awareness Plan: Is reading the established policies also a way of training?

    Answer: Reading policies can be considered a way of awareness and training, to ensure a person knows a policy exists and what it is about. But for some policies you also have to consider that the person must practice to perform properly which is required by the policy.

    These articles will provide you further explanation about awareness and training:
    - How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
    - 8 Security Practices to Use in Your Employee Training and Awareness Program https://advisera.com/27001academy/blog/2015/03/02/8-security-practices-to-use-in-your-employee-training-and-awareness-program/

  • Data subject rights under the EU GDPR


    Answer:

    You should file a complaint to the local Supervisory Authority. You can find a list of Supervisory Authorities at https://edpb.europa.eu/about-edpb/board/members_en .

    If you want to find out more about your rights, check out this free webinar Data Subject Rights under the EU GDPR (https://advisera.com/eugdpracademy/webinar/data-subject-rights-under-the-eu-gdpr-free-webinar-on-demand/ )

  • Data subject


    Answer:

    It is the company`s concern to get the employees to delete their accounts where they have used the work email address. From your perspective the request must come from the data subject.

  • Processing special categories of data


    Answer:

    Depends on what you collect as part of the employment process. Usually for employment purposes, if special category data is collected from the employee, this is because it is a legal requirement usually under either Labor Law or laws related to health and safety in the workplace.

    So, I genuinely think that you should rely on legal obligation and not consent for any processing of special category data.

  • ISO 27001 Implementation

    We want to buy https://advisera.com/27001academy/iso-27001-22301-premium-documentation-toolkit/
    For example risk department want to make risk assessments and treatment is it true?

    Answer:

    In general, the Chief Risk Officer (CRO) role is to identify, analyze and treat significant risks to business considering its various segments (e.g., quality, legal, financial, environmental, information, etc.). This is an independent role in organizations where there are multiple processes that require risk management and it is necessary to ensure a systemic approach.
    So the CRO role in implementation of ISO 27001 is to help identify and analyze (by means of risk assessment), and treat significant risks to business regarding information security.
    Since this role is separated in your organization, I understand that it has the prerogative to perform the risk assessment and treatment (the project team implementing ISO 27001 would be a customer to this "service"), to ensure the use of the general approach on risk management adopted by the organization, and the application of few adjustments where and when necessary.
    Regarding the purchase of the ISO 27001 and 22301 Premium Documentation Toolkit, you should consider it only if you intend to also implement ISO 22301 (for the management system for business continuity). The content of ISO 27001 Documentation Toolkit is sufficient to cover the requirements of ISO 27001, including those related to business continuity.

    These articles will provide you further explanation about ISO 27001 and risk management:
    - What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/

    These materials will also help you regarding ISO 27001 and risk management:
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

  • Keeping information about risks


    Answer:
    First, remember that ISO 9001:2015 does not make mandatory to keep records about risk determination and classification. Keeping records is an option that organizations can and normally follow.
    Your organization can identify a set of situations where risks are determined (for example: during process performance review meetings, after complaints, when starting product or service development projects) and define how risks and opportunities are recorded, evaluated, and by whom.

    You can find more information about risk management at:
    - How to identify risk significance in ISO 9001:2015 - https://advisera.com/9001academy/blog/2019/01/14/how-to-identify-risk-significance-in-iso-90012015/
    - How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    - Free webinar on demand – How to implem ent risk management in ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar/
    - Free enroll at ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
Page 584-vs-13485 of 1127 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +