Search results


    • Third party requirement

      A third party working for an ISO 27001 company does not need to be ISO 27001 certified unless the company defines the certification as a requirement for the third party.

      This article will provide you with further explanation about requirements identification:

      • 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

    • ISO standards for Waste composition analysis

      This is a very specific question not related to management systems. So, I’m not an expert. However, I recommend you to explore this ISO page - 13.030 WASTES - https://www.iso.org/ics/13.030/x/

    • Minimum requirements for A.17 controls

      My doubt is how to address them, or what the minimum is at the document level that I must have from information security to address the controls that correspond to A.17 in ISO 27001:2013.

      At the document level, to be compliant with ISO 27001:2013 Annex A.17 controls you only need to document disaster recovery plans.

      To see what a disaster recovery plan compliant with ISO 27001 looks like, please take a look at this template demo: https://advisera.com/27001academy/documentation/disaster-recovery-plan/

      This article will provide you with a further explanation of Disaster Recovery:

    • Is SOC mandatory for ISO 27001?

      The Security Operation Centre (SOC) is not a concept of ISO 27001, so it is not mandatory to have a SOC to be compliant with ISO 27001.

      This article will provide you with further explanation of the mandatory requirements for ISO 27001:

    • GDPR Scope and applicability

      As per article 3 GDPR, Territorial scope, GDPR applies to non-EU organizations that either offer goods or services to data subjects in the Union or that monitor their behavior as far as their behavior takes place within the Union. In your case, however, from your input, you don’t offer goods and services to people in the EU, you offer services to organizations in the EU. In this case, you should act as a Data Processor for personal data that you process on behalf of your customers. However, as per Chapter V GDPR - Transfers of personal data to third countries or international organizations and per European Data Protection Board’s Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR, there is a transfer of personal data between your EU customers and your US company. So, per Article 44 – General principle for transfers and per Article 46 – Transfers subject to appropriate safeguards, you should use an appropriate legal mechanism for the compliant personal data transfer between EU and US. You might choose to use Standard Contractual Clauses (SCCs) templates, the latest version issued by European Commission, but you must take into consideration that after the European Union Court of Justice Schrems II decision, you should make sure that the transferred personal data has the same level of protection as it is offered under GDPR, by taking the right technical and organizational measures needed to protect the data.

      As part of our EU GDPR Toolkit, we have a Cross Border Personal Data Transfer Procedure template and the EU SCCs with comments that help you fill in the template.

      Please also consult these links:

    • ISMS Scope Extension

      First, it is important to note that the steps you mentioned are related to information security risk management. Before them, you need to perform the evaluation of the organizational context from the finance department's point of view, so you can identify business and legal requirements that may impact this new element of your scope.

      The best course of action is for you to follow the implementation steps explained in a previous answer, if only to ensure you do not forget any step. In case you identify that a step does not result in changes in your ISMS (e.g., review of the organization structure), you can simply skip it.

      Regarding step 3, please note that only part of the Annex A controls is technical (for example, controls from section A.6.1 Internal organization are administrative controls).

      Considering that, the main role of the risk owner is to ensure that risks are properly managed. This person does not need to define all the controls by himself. He can count on the support of experts from his own area (e.g., a process key user), or from other areas (e.g., IT department) to help him define which controls to apply.

      For further information, see:

      Regarding step 4, you do not need another SoA. Since you are extending the certification scope, a single SoA is sufficient.

    • The difference between QMS and TQM

      It is difficult for me to provide you with what you are searching for, “clarification”.

      Why do I say that? Because I don’t have an ISO 9000 definition of what TQM is. Sure, the internet is full of definitions, but I would like to work with an authoritative one.

      Some authors say that QMS has a wider scope than TQM and others say the exact opposite. In my opinion, and this is just my opinion, TQM and a QMS seek to achieve the same kind of result. However, TQM focuses much more on improvement projects aimed at continually improving performance and customer satisfaction.

    • Auditing suppliers - ISO 27001/Data Protection

      Hello.

      One "lighter" audit you can perform is to check whether the supplier is ISO 27001 certified, whether they have a SOC 2 audit report you can read through, and whether they have penetration test reports, as a way of evaluating their security posture and seeing if they fulfill your security requirements. SOC 2 audit reports usually list any deficiencies identified; the fact that the supplier is ISO 27001 certified means that they have passed both an internal audit and an external audit with no major nonconformity, which is a good sign in itself; and penetration test reports can show what sort of vulnerabilities were identified, and you can ask the supplier how and when they addressed these vulnerabilities.

      This "lighter" audit is a valid option, especially when you have signed standard agreements with SaaS-based or cloud providers that don't give you the option of signing a tailored agreement with your specific security clauses and so prevent you from performing onsite or remote audits.

      If they don't have anything, then unfortunately the only thing you can resort to is information security questionnaires that they need to fill out, after which you read their replies. Since anything written can potentially be a lie unless you verify it, you can also request samples of evidence for any claims they make in terms of controls and evaluate these.

      If they don't even provide that, then maybe you should flag this supplier as risky and bring it up to management to consider whether arrangements and a plan to replace the supplier with another supplier should be made.

    • KPIs to measure results

      I don’t know if I understood your question correctly.

      You have a set of KPIs. You monitor and measure performance according to those KPIs. Periodically, your organization analyzes and evaluates performance to make conclusions and take decisions.

      Establish a frequency for those activities and record them.

      My only concern is that those KPIs may be at such a high level that they do not include all process indicators. Your organization should monitor process performance.

      Please check this free webinar on demand
