Search results


  • ISO 22301 and DRI practices

    I am participating in implementing BCP for an insurance organisation. My colleague who leads the team is a trained DRI and holds the DRI certification of ABCP. I am certified DRI - ABCP and ISO 22301 Lead Implementer. My preference is to use the ISO standard for the implementation. My colleague, being the Lead Consultant, had his way and the implementation is ongoing according to the DRI professional practice standard. In the course of our implementation, the management of the insurance company informed us that they will go for certification on completion of the project.
    In our implementation process, there was no reference to the ISO standard, and there was no training conducted using ISO 22301. None of the staff of the organisation is ISO 22301 certified, though they have the ABCP of DRI.

    I was in a serious argument with my colleague, insisting that though the organisation may request certification, they may not get certified because it is not automatic and implementation must be conducted strictly to the standard. My colleague continues to maintain that the DRI standard is superior to the ISO 22301 standard and that I should rest assured that the company will be certified. I don't want to lead the company through a blind alley and am concerned about my professional integrity. Please, given the scenarios painted above, is it wise for the company to proceed for certification? The project is ongoing but nearing completion. Given the status of the project, what can we do to bring the project to the ISO standard? For a future occurrence, will it be sufficient for me to insist that the company purchase the ISO standard and insist that we comply with the standard even though the project is being implemented using the DRI professional practice standard?

    Answer:

    In terms of project management, once the requirement for certification was defined by the company, the proper course of action would have been to evaluate ISO 22301 requirements against what was already implemented, and what will be implemented, and report which adjustments should be performed. This practice is still valid even if your project is nearing completion (only any potential rework will be greater). So my advice before the organization goes for the certification audit is to perform this diagnostic, and based on its results, implement the adjustments that will ensure compliance with ISO 22301.

    For future reference, you should include in your project management approach that critical modifications to project requirements (i.e., modifications that can lead to not finishing the project on the expected time and/or cost) must be evaluated and approved by the project sponsor or customer.
  • ISO 27001 implementation challenges


    Answer: Regardless of the industry, the first step is to obtain management support for information security initiatives, because without this you won't have the minimal resources and engagement to implement the required controls. Second, you have to establish a systematic approach for the implementation, because you have to coordinate several people to perform dozens of activities, and without a methodology you will end up in a huge mess with no security at all. Finally, the start of your journey has to define what you will protect and what you will not, i.e. the information security scope, so you can focus on what really matters.

    This article will provide you additional information:
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

    2. Once the initial Risk Assessment is done, what approach would you recommend to continue?

    Answer: Once the Risk Assessment is done, and you have your relevant risks prioritized, you have to define how risks are to be treated. The most common alternatives are to mitigate the risk, transfer the risk, avoid the risk, or accept the risk. After the risk treatment definition you have to define which security controls you have to implement (e.g., backup to mitigate a data loss risk, outsource processes for which you do not have the proper expertise to run them, stop a process or activity to avoid a risk, or simply do nothing and accept the impacts of the risk in case it occurs). The treatment selection will depend on your available resources, time to implement and tolerance to risk.

    These materials will provide you additional information:
    - 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/

    3. Which key documents do you suggest a company should publish in the initial stages of the InfoSec process? One of the challenges that I have is writing procedures/policies. It might sound ridiculous, but coming from a technical background, I always had issues with the legalese writing and putting process things in writing. I often requested the purchase of the template kit from Advisera, but never got around to having an approval for funding. Instead I have to scrape around various models and try to make use of the many university templates around the web. But the fact that the processes are vastly different from my situation remains a challenge.

    Answer: Not considering ISO 27001, the minimal documents and records you should consider to start an information security process would be:
    - Scope of the information security
    - Information security policy and objectives
    - Risk assessment and risk treatment methodology
    - Risk treatment plan
    - Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
    - Acceptable use of assets
    - Access control policy
    - Incident management procedure
    - Monitoring and measurement results
    - Results of corrective actions

    With these you can ensure a PDCA cycle is established and that the minimal (really minimal) information security process is in place and will be kept relevant to the business. I didn't mention other policies and controls because this will depend on the results of the risk assessment.
    Regarding document elaboration, trying to put together a document from pieces of other documents is in fact not a good approach for at least two reasons:
    - If you do not have the proper information security expertise, some gaps will probably be left in your documentation, compromising your security efforts.
    - Creating such documents takes time, and if you are not paying for them directly, the working hours involved in this activity will probably cost more than buying templates with the general parts already ready for use, leaving only the details of your organization to be included. In our experience, document elaboration takes from 4 to 16 hours (depending upon their complexity).

    These articles will provide you further explanation about developing documents:
    - 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
    - How detailed should the ISO 27001 documents be? https://advisera.com/27001academy/blog/2014/09/22/detailed-iso-27001-documents/
  • Evidence of internal auditor requirements


    Answer:

    External auditors usually check the independence and the knowledge of the internal audit team, normally by asking the organization for the CVs of the members of the audit team.

    It is important to stress that if the organization decides that the audit will be carried out by a person from the company, it must demonstrate that this person has no kind of interaction with the processes involved in the quality management system. In the case of a small company, to make sure this does not happen, it is recommended that the auditor be contracted externally so that he or she is completely objective and impartial.

    For more information on the internal auditor requirements you can see these materials:
    - Article - Five big steps in the ISO 9001 internal audit: https://advisera.com/9001academy/es/knowledgebase/cinco-grandes-pasos-en-la-auditoria-interna-de-iso-9001/
    - ISO 9001:2015 Internal Auditor Course: https://advisera.com/es/formacion/curso-auditor-interno-iso-9001/
    - Book - ISO Internal Audit: A Plain English Guide: https://advisera.com/books/auditoria-interna-iso-una-guia-en-un-lenguaje-sencillo/
  • Marketing emails and EU GDPR


    Answer

    In theory, yes, but you will also need to provide the data subjects with an appropriate privacy notice, and if you didn't collect the data yourself you also need to indicate the source of the data.
    If you want to find out more about email marketing, check out our webinar: How GDPR affects market practices (https://advisera.com/eugdpracademy/webinar/how-gdpr-affects-marketing-practices-free-webinar-on-demand/)
  • ISO 45001 Scope of the OHSMS


    Answer:
    It is hard to give an example because the scope statement is very specific to the organization it is written for. It is important to remember that the purpose of the scope for the OHSMS is to identify where your OH&S rules, policies and procedures need to be applied within your organization. So, it needs to include the information on activities, products & services, locations, etc. which can affect your OH&S performance, and therefore will indicate exactly what your OH&S rules apply to. For instance, if you have a main plant with many satellite locations (such as a contractor firm), all of this should be included in your scope since the OH&S rules and processes will apply in all locations.
    For more information on OH&S scope, see this article, How to determine scope of the OH&SMS, https://advisera.com/45001academy/blog/2015/12/09/how-to-determine-scope-of-the-ohsms/
  • ISO 45001 internal audit questions

    The management system audit is intended to compare what is actually happening in the process against the requirements of what is supposed to be happening in the process. If requirements are met this is a conformity, and if not this is a nonconformity. This is the main purpose of the process audit.

    However, the audit (especially the internal audit) should also point out opportunities for improvement as well as potential unidentified risks. So, you should definitely identify a hazard that has not been identified, but this may not be considered a nonconformity. These additional identifications are one of the biggest benefits of the internal audit.

  • Risk assessment and risk register


    Answer:

    Risk assessment is the process to identify, analyze and evaluate risks, while the risk register is the record where the results of risk assessment process are filled in. Our Risk Assessment template is a risk register. The steps to perform the risk assessment are described in the Risk Assessment and Risk Treatment Methodology template.

    The Risk Assessment template is enough to be compliant with ISO 27001 requirements, so you do not need to combine it with other documents.

    This article will provide you further explanation about risk assessment:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    This material will also help you regarding risk assessment:
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Marketing activities and GDPR


    Answer:

    This depends on how and where you got the email addresses from. Usually, when collecting personal data a Privacy Notice needs to be presented to the data subjects. The Privacy Notice informs data subjects, among other things, of the purposes for which the data will be processed and of the lawful ground for processing. Usually, for marketing purposes the lawful ground is either consent or legitimate interest. If you want to find out more about consent and legitimate interest, check out our webinar “How GDPR Affects Marketing Practices” (https://advisera.com/eugdpracademy/webinar/how-gdpr-affects-marketing-practices-free-webinar-on-demand/).
  • GDPR and company size


    Answer:

    This is not entirely true, as the company is still the controller with regard to the personal data of its employees regardless of their number. The fact that you are using a third party supplier as a data processor requires you to have a Data Processing Agreement in place with the external company pursuant to Article 28 of the EU GDPR. If you want to find out more about the EU GDPR, check out this free EU GDPR Foundations Course (https://advisera.com/training/eu-gdpr-foundations-course//).
  • Transfer of data


    Answer: In order to be able to transfer personal data outside the EEA to countries without an adequacy decision such as India, as a data processor, first you need the authorization from the controller to do so and you have to have in place one of the safeguards required by Chapter V of the EU GDPR.

    2. Also, the data is originating from India and is being returned to India. Individuals are applying (sending personal info) to the controller. We are then processing the data and replying directly to the individual in India. Is this even classified as a transfer to a third country if the data is coming from India and returned to India?

    Answer: If the data exporter is an entity established in India, the transfer outside India to the EU or anywhere else does not constitute a cross border data transfer in the sense of the EU GDPR. If you want to find out more about cross border data transfers, check out our webinar “How to make personal data transfers to other countries compliant with GDPR” (https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/).