1 - In your video, which is accessible in video tutorials, in the examples you mentioned the risks in “Justification for selection/ non-selection”. Does it mean that in “Justification for selection/ non-selection” there should be only risks from the risk assessment document? If not, what else can/should be there?
Answer: As “Justification for selection/ non-selection” you can use the results of the risk assessment, compliance with legal requirements (e.g., laws, contracts and regulations), and top management decisions (e.g., top management considers that the adoption of the control will bring advantages to the organization).
2 - And one other question. Can I fill in that field only for the non-selection case?
Answer: ISO 27001 clause 6.1.3 d) requires justification not only for control inclusions, but also for exclusions of controls from Annex A.
The standard does not make it mandatory to have any personal certifications to be an implementer of ISO 27001, but without doubt the knowledge related to them can help you during the implementation process.
Since you are already implementing ISO 9001 and GDPR, and they are business requirements, you left the implementation of specific requirements of ISO 27001 for later.
Since you already have bought the ISO 27001 and the GDPR toolkits separately, this file will help you identify which documents from the GDPR Toolkit you can use for covering ISO 27001 requirements.
I know the ISO Standard doesn’t specify anything about that, but we don’t want to buy a shredder and afterwards find that the shredder doesn’t fulfill the requirements of the ISO standard. Maybe you as an expert can share some experience with us.
Answer:
Commercial shredders are normally classified into security levels that range from low-security P-1 up to maximum-security P-7; the higher the level, the smaller the pieces produced.
A P-4 shredder is the minimum security level for sensitive information, while a high-security shredder is either a Micro-Cut (P-5), Super Micro-Cut (P-6), or High Security-Cut shredder (P-7). P-6 and P-7 are mostly used by security firms and government agencies.
So, you have to evaluate which types of information you will feed into the shredder to define the proper specification.
It depends on whether it will be a hard Brexit or not. In the case of an agreement, the GDPR will most likely still be applicable in the UK together with the Data Protection Act 2018, as currently. However, in the case of a hard Brexit, the UK will most likely be considered a third country like all others outside the EEA, and safeguards would be needed to transfer data to the UK.
To find out more about data transfers, check out our webinar: How to make personal data transfers to other countries compliant with GDPR (https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/).
Data transfer from EU to US
Answer:
The EU GDPR does not impose any transfer protocols when sending personal data outside the EU. The only requirement is to have certain safeguards in place, such as Privacy Shield, Standard Contractual Clauses, etc.
If you want to find out more about these safeguards, check out this webinar: How to make personal data transfers to other countries compliant with GDPR (https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/).
Privacy Shield and EU
Answer:
Currently, Privacy Shield is considered a valid safeguard to be used when transferring data to the US. There is, nevertheless, an action against the Privacy Shield at the European Court of Justice, so let's see the ruling first.
If you want to find out more about cross border data transfers, check out our webinar: How to make personal data transfers to other countries compliant with GDPR (https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/).
Certification of cloud based business
Answer:
Organizations of any size or kind can be certified against ISO 27001, provided they fulfill the standard's requirements.
In cases like yours, where operations are performed on third-party cloud services, most of the controls are operated by the provider, but you still have to be aware of them (by means of risk assessment) and treat them properly (in this case by means of security clauses in your service agreement with the provider). Many of our clients are smaller companies that operate through the cloud, and they have implemented the standard and been certified successfully.
Answer:
ISO 14001:2015, according to clause 6.1.2, requires three kinds of documents:
* a list of the determined environmental aspects and impacts;
* an explanation of the criteria used by the organization to evaluate and distinguish significant environmental aspects and impacts; and
* a list of the significant environmental aspects and impacts after applying the criteria.
Many organizations use an environmental aspects and impacts register where they log all the determined environmental aspects and impacts, then put each of the evaluation criteria in its own column, and finally use a column to indicate whether the aspect and impact are significant or not.