Search results


  • Integrating multiple systems


    Answer:

    Since you are already implementing ISO 9001 and GDPR, and they are business requirements, you left the implementation of specific requirements of ISO 27001 for later.

    ISO 9001 and ISO 27001 share many requirements in common (e.g., document control, internal audit, management review, etc.), so you can speed up your ISO 27001 implementation by considering these common requirements in your ongoing ISO 9001 implementation.
    - Using ISO 9001 for implementing ISO 27001 https://advisera.com/27001academy/blog/2010/03/08/using-iso-9001-for-implementing-iso-27001/
    - ISO 27001 implementation: How to make it easier using ISO 9001 [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001-implementation-make-easier-using-iso-9001-free-webinar-demand/

    Regarding integration of GDPR with ISO 27001, I suggest you take a look at the "List of documents" file of our EU GDPR & ISO 27001 Integrated Documentation Toolkit at this link: https://advisera.com/eugdpracademy/eu-gdpr-iso-27001-integrated-documentation-toolkit/

    Since you have already bought the ISO 27001 and the GDPR toolkits separately, this file will help you identify which documents from the GDPR Toolkit you can use for covering ISO 27001 requirements.

    This article will provide you further explanation about implementing integrated systems:
    - How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/
  • Control A.8.3.2 and commercial shredders


    I know the ISO Standard doesn’t specify anything about that but we don’t want to buy a shredder and afterwards the shredder doesn’t fulfill the requirements of the ISO standard. Maybe you as an expert can share some experience with us.

    Answer:

    Commercial shredders are normally classified in security levels that can range from a low-security P-1 up to a maximum-security P-7; the higher the value, the smaller the pieces produced.

    A P-4 shredder is the minimum security level for sensitive information, while a high security shredder is either a Micro-Cut (P-5), Super Micro-Cut (P-6), or a High Security-Cut shredder (P-7). P-6 and P-7 are most used by security firms and government agencies.

    So, you have to evaluate which types of information you will use on the shredder to define the proper specification.

    This article can provide you further information:
    - 5 practical tips for media disposal according to ISO 27001 https://advisera.com/27001academy/blog/2018/10/22/5-practical-tips-for-media-disposal-according-to-iso-27001/
  • GDPR & Brexit


    Answer:

    Depends on whether it will be a hard Brexit or not. In case of an agreement, the GDPR will most likely still be applicable in the UK together with the Data Protection Act 2018, as currently. However, in case of a hard Brexit most likely the UK will be considered a third country like all others outside the EEA and safeguards would be needed to transfer data to the UK.
    To find out more about data transfers, check out our webinar: How to make personal data transfers to other countries compliant with GDPR (https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/).
  • Data transfer from EU to US


    Answer:

    The EU GDPR does not impose any transfer protocols when sending personal data outside the EU. The only requirement is to have certain safeguards in place such as Privacy Shield, Standard Contractual Clauses, etc.
    If you want to find out more about these safeguards, check out this webinar: How to make personal data transfers to other countries compliant with GDPR (https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/).
  • Privacy Shield and EU


    Answer:

    Currently, Privacy Shield is considered a valid safeguard to be used when transferring data to the US. There is, nevertheless, an action against the Privacy Shield at the European Court of Justice so let's see the ruling first.
    If you want to find out more about cross border data transfers, check out our webinar: How to make personal data transfers to other countries compliant with GDPR (https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/).
  • Certification of cloud based business


    Answer:

    Organizations of any size or kind can be certified against ISO 27001, provided they fulfill the standard's requirements.

    In cases like yours, where operations are performed on third-party cloud services, what happens regarding controls is that most of them are operated by the provider, but you still have to be aware of them (by means of risk assessment) and treat them properly (in this case by means of security clauses on your service agreement with the provider). Many of our clients are smaller companies that operate through the cloud, and they have implemented the standard and got certified successfully.

    These articles will provide you further explanation about ISMS scope considering cloud services and management of suppliers:
    - Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
    - 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
    - Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
  • Documenting significant environmental impacts


    Answer:
    According to clause 6.1.2, ISO 14001:2015 requires three kinds of documents:
    * a list of the determined environmental aspects and impacts;
    * an explanation of the criteria used by the organization to evaluate and distinguish significant environmental aspects and impacts; and
    * a list of the significant environmental aspects and impacts after applying the criteria.

    Many organizations use an environmental aspects and impacts register where they log all the determined environmental aspects and impacts, then they put in columns each of the criteria used to evaluate, and finally, they use a column to indicate whether the aspect and impact are significant or not.

    The following material will provide you with information about the assessment of environmental interactions:
    - ISO 14001 – 4 steps in the identification and evaluation of environmental aspects - https://advisera.com/14001academy/knowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/
    - List of ISO 14001 implementation steps -
    https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/list-of-iso-14001-implementation-steps/

    - free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • Risk management approach


    My first idea was that it would be very interesting for us to have a well-defined method, which wouldn't depend on people. The asset-vulnerability-threat approach is very intuitive and really easy, but not at all methodological, meaning that it is the opposite to a checklist or a detailed approach and depends much more on a somehow deep knowledge of the business. We need a person-independent method.

    So, after having a look around and considering our small size and so on, I'm thinking of both CCM (CSA Star) and especially BSI methods. IT-Grundschutz looks like a good approach as it claims itself to be a complement to the ISO standard. The idea is not to get certified on 27001 on the basis of IT-Grundschutz (at least not for now) but to use it for the practical implementation (the "how") of the ISMS. But I still need to know which one of the three levels of protection we should aim for at this point, and how to optimize the method to our case. C5 looks out of reach at the moment, and probably unnecessary.

    So, I would like to have a clue on what method we could best use in order to have a systematic approach to RA for a small private cloud provider. My main concern is where to focus considering our case. Can you guide me on this please?

    Answer:

    Since you stated that you are a small private cloud provider, it seems to me you are spending too much effort on defining your RA and RT approach. If you do not have any legal requirement (e.g., contract, law or regulation) demanding the use of a specific or otherwise more elaborate methodology, you should keep it as simple as possible.

    Considering your scenario, you could use a mix of qualitative and quantitative approaches. The qualitative approach (based on people perception) will help you quickly identify risks relevant to your organization (elaborating checklists will consume time and effort, and may not cover all possible situations). After that you can perform a quantitative approach (based on probabilities and potential costs) to justify your risks based on how much they may cost you if they occur.

    These materials will provide you further explanation about risk management:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - Qualitative vs. quantitative risk assessments in information security: Differences and similarities https://advisera.com/27001academy/blog/2017/03/06/qualitative-vs-quantitative-risk-assessments-in-information-security/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Toolkit content


    Answer:

    Clause A.13.1.2 is covered by the template "Operating Procedures for Information and Communication Technology", which can be found in folder 08 Annex A A.12 Operations security of your toolkit.

    By the way, included in your toolkit there is a List of Documents file you can use to find out which clause is covered by which document.
  • Metrics for Incident management


    Answer:

    The SLA is one way to ensure incident resolution in a timely manner, but if an organization has other ways to ensure performance (e.g., number of incidents reported in a period), it is achieving the expected results and the customers are satisfied, there is no need to implement SLAs (neither ISO 9001 nor ISO 27001 requires the establishment of SLAs).

    These articles will provide you further explanation about performance measurement:
    - How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/
    - How to implement the Check phase (performance evaluation) in the QMS according to ISO 9001:2015 https://advisera.com/9001academy/blog/2015/11/17/how-to-implement-the-check-phase-performance-evaluation-in-the-qms-according-to-iso-90012015/