
  • Certification of the EU GDPR consultant


    Answer:

    The EU GDPR does not require such certifications; it only requires that whoever is acting as a Data Protection Officer be knowledgeable about the regulation as well as other privacy-related pieces of legislation.

    We have developed a specific course meant to enhance the knowledge of the Data Protection Officer, you can find it here: https://advisera.com/training/eu-gdpr-data-protection-officer-course/
  • EU GDPR representative


    Answer:

    Where the extra-territorial provisions of the EU GDPR apply, the controller or processor must appoint a representative in the EU. That representative must be based in a Member State in which the relevant individuals are based. There is a limited exemption to the obligation to appoint a representative where the processing is occasional, it's unlikely to be a risk to individuals and does not involve large scale processing of sensitive personal data. So, you need to appoint such a representative. The representative will have to face off to the relevant supervisory authorities and accept liability for breach of the Regulation, which could now be substantial.

    If you want to learn more about the EU GDPR, check out this EU GDPR Foundations Course (https://advisera.com/training/eu-gdpr-foundations-course//)
  • Internal auditor and ISO 20000 certification costs


    Answer:
    There are various parameters on which the mentioned costs depend, so it's hard to talk about numbers. I would suggest you check with local training organizations and certification bodies.
    You can also check our online ISO 27001 training "ISO 27001:2013 INTERNAL AUDITOR COURSE" https://advisera.com/training/iso-27001-internal-auditor-course/
    This article will help you understand implementation costs "How much does ISO 20000 implementation cost?" https://advisera.com/20000academy/blog/2016/08/23/how-much-does-iso20000-implementation-cost/
  • Defining an ISO 27001 implementation project


    Answer:

    In a general manner, to determine the time needed for each step individually you need to:
    1 – Identify which result you have to deliver (e.g., information security policy)
    2 – Identify which tasks are required to produce that result (e.g., interview top management, elaborate a policy draft, submit draft for evaluation, update draft if needed, approve final version, etc.)
    3 – Identify how much time you need to perform each task
    4 – Identify the sequence in which the tasks should be executed

    After the sequencing you only have to sum the times of the longest sequence to know how much time you will spend to achieve that result. Of course this is a great simplification of the method, but for small and medium implementations it works well.

    When you consider all the steps as a whole, you can roughly consider that the steps before the risk management will take you about 10% of the time, risk assessment about 30% of the time, implementation of controls about 50% of the time, and final activities (internal audit, management review, corrective actions) about 10% of the time.

    Included with the toolkit you bought you have access to Conformio platform, where you'll find ISO 27001 Step-by-step guide that also can help you.

    To get an estimated duration of the whole project you can use our Duration calculator at this link: https://advisera.com/27001academy/free-tools/free-calculator-duration-of-iso-27001-iso-22301-implementation/

    These materials will also help you regarding ISO 27001 schedule development:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ This Foundations course will give you the basics about the standard.

    For more advanced knowledge I also suggest the Lead Implementer course for details on how to run the project: https://advisera.com/training/iso-27001-lead-implementer-course/
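    The duration method described in the answer above (list the tasks for a deliverable, give each a duration and its predecessors, then take the longest chain) is a critical-path calculation. The following is an added example, not code from the original answer or from Advisera; the task names and durations are constructed for illustration and the parallel "review_existing_documents" task is assumed, to show why the longest chain, not the sum of all tasks, is the estimate.

```python
"""Critical-path duration estimate for a set of dependent tasks.

Added example: given tasks with durations (working days) and predecessor
constraints, compute the duration of the longest dependency chain, which
is the time the deliverable actually needs. Task names and durations are
constructed for illustration; they are not figures from the original page.
"""
from collections import deque

# Constructed sample: tasks needed to deliver an information security policy.
# task -> (duration in working days, list of predecessor tasks)
POLICY_TASKS = {
    "interview_top_management": (2, []),
    "review_existing_documents": (1, []),   # assumed task, runs in parallel with interviews
    "draft_policy": (3, ["interview_top_management", "review_existing_documents"]),
    "submit_for_evaluation": (1, ["draft_policy"]),
    "update_draft": (2, ["submit_for_evaluation"]),
    "approve_final_version": (1, ["update_draft"]),
}


def topological_order(tasks):
    """Kahn's algorithm; raises if a predecessor is unknown or a cycle exists."""
    indeg = {t: len(deps) for t, (_, deps) in tasks.items()}
    successors = {t: [] for t in tasks}
    for t, (_, deps) in tasks.items():
        for d in deps:
            if d not in tasks:
                raise ValueError(f"unknown predecessor {d!r} for task {t!r}")
            successors[d].append(t)
    queue = deque(t for t, n in indeg.items() if n == 0)
    order = []
    while queue:
        t = queue.popleft()
        order.append(t)
        for s in successors[t]:
            indeg[s] -= 1
            if indeg[s] == 0:
                queue.append(s)
    if len(order) != len(tasks):
        raise ValueError("dependency cycle detected")
    return order


def critical_path(tasks):
    """Return (total_duration, tasks_on_longest_path) for the task graph."""
    finish = {}   # earliest finish day of each task
    via = {}      # predecessor that determined that finish day
    for t in topological_order(tasks):
        dur, deps = tasks[t]
        if deps:
            prev = max(deps, key=lambda d: finish[d])
            finish[t] = finish[prev] + dur
            via[t] = prev
        else:
            finish[t] = dur
            via[t] = None
    end = max(finish, key=finish.get)
    path = []
    while end is not None:
        path.append(end)
        end = via[end]
    return finish[path[0]], list(reversed(path))


if __name__ == "__main__":
    total, path = critical_path(POLICY_TASKS)
    print(f"{total} working days via: {' -> '.join(path)}")
    print(f"sum of all task durations: {sum(d for d, _ in POLICY_TASKS.values())} days")
```

    For the constructed tasks the critical path is 9 working days even though the durations sum to 10, because the document review overlaps with the interviews. The cycle check matters in practice: a task list where "approve" depends on "update" and "update" depends on "approve" has no finite duration, and the function refuses it instead of looping.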
  • Business strategies


    Answer:

    I'm assuming you are referring to business continuity strategies. Considering that, the main variables you have to consider together with the results of business impact analysis and risk assessment are the available resources (e.g., personnel, capital, equipment, etc.), potential solutions (e.g., build/rent facilities/equipment, adopt new technologies, modify processes, etc.), business objectives, and risk tolerance. The business continuity strategies to be adopted will have to balance all these variables. For example, if technical solutions are too expensive, you may have to rely on a strategy based on administrative controls, and maybe increase your risk tolerance. On the other hand, you may identify that lowering risk tolerance is not an option (e.g., because of legal requirements), and you may have to adjust business objectives.

    These articles will provide you further explanation about formulating strategies:
    - Developing the business continuity strategy according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/developing-the-business-continuity-strategy-according-to-iso-22301-free-webinar-on-demand/
    - Can business continuity strategy save your money? https://advisera.com/27001academy/blog/2010/03/15/can-business-continuity-strategy-save-your-money/
  • Concept definition


    Answer:

    For the purposes of ISO 27001, "Information system" is defined by ISO 27000 (Overview and vocabulary for Information security management systems) as "set of applications, services, information technology assets, or other information-handling components".

    As examples we can mention the modules of an ERP system and the MS Office Suite.
  • B2B Sales


    Answer:

    If you use the customer database to communicate with them about the contracts you have in place, for example to send them invoices, there is no problem to get in touch with the customers. Regarding the account managers being able to do that or not this is a matter of internal company rules on communication. You can also reach out to customers asking them if they want to be targeted by marketing campaigns but once a customer refuses you should not get back to him with a similar request.

    If you want to find out more about the EU GDPR and marketing, check out this webinar “How GDPR Affects Marketing Practices” (https://advisera.com/eugdpracademy/webinar/how-gdpr-affects-marketing-practices-free-webinar-on-demand/).
  • Becoming auditors


    Answer:

    For an organization to become able to audit ISO standards, it has to be compliant with ISO 17021 (the standard for organizations which want to get accredited for certifying management systems) and be recognized by the accreditation body of the country in which it wants to work.

    This article will provide you further explanation about accreditation:
    - Accreditation vs. certification vs. registration in the ISO world https://advisera.com/articles/accreditation-vs-certification-vs-registration-in-the-iso-world/
  • Becoming ISO 27001 lead auditor


    Answer:

    I think there is a misunderstanding here. The requirement of 4 years of experience, 2 of which in InfoSec, refers to someone who wants to work as an auditor for a certification body. This requirement is not applicable for the Lead Auditor certification purposes, so you can get the certification if you pass the ISO 27001 Lead Auditor exam.
  • Frequency for surveillance audits


    Answer: Normally certification bodies establish a one-year interval between surveillance audits, but in specific cases this interval can be shorter.

    When surveillance audits are annual, in year 3 only the recertification audit is needed.