  • Multi controllers


    Answer:

    “Controllers in common” or “independent controllers” are both processing personal data, but independently and for different purposes, and there is no requirement to have a document stating their obligations, as they are both bound by the controller obligations under the GDPR. The GDPR only requires such a document between controllers and processors or between joint controllers.

    This is the reason for which we don't have such a document in the toolkit. Please note that the Supplier Data Processing Agreement is not suited to be used in a controller-to-controller situation.
  • Incident management procedure - treatment of minor events (3.3)


    Answer:

    ISO 27001 is not specific on how to record the incidents, which means you can do it in any way that you see fit. This means you could log minor incidents that happen the first time in the Incident log, but in such case I would recommend that you mark separately first-time incidents from those that are happening repeatedly.
  • SoA - A.6.1.3 - Incident Response Plan


    Answer:

    Incident response plan is a document needed only if you want to become compliant with ISO 22301, it is not needed for ISO 27001. Therefore, it is not part of ISO 27001 Toolkit (it is a part of ISO 27001 & ISO 22301 Premium Toolkit).

    To become compliant with ISO 27001 control A.6.1.3 (Contact with authorities) it is enough to specify in your Statement of Applicability who in your company will be in contact with e.g. police, regulatory agencies, etc. - the standard does not require you to have an extra document for that purpose.
  • Are Annex A.11 controls mandatory?


    Answer:

    ISO 27001 says that none of the controls are mandatory, and that you have to apply a control only if there is a reason to do so. The reasons could be risk assessment, contractual or regulatory requirement, or e.g. business decision from your management.

    So physical and environmental controls are not mandatory, and you should apply them only if the risks are too high, if you have some client asking you to do this, or if there is some other business reason to do so.

    This article will help you: The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    These materials will also help you regarding risk assessment and controls:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your
    Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course
    https://advisera.com/training/iso-27001-foundations-course/
  • Ensuring contractual and regulatory requirements are met

    We received these questions:

    >1- Is this documentation mandatory?

    Answer: According to ISO 27001, clause 7.5.1 b), documents considered by the organization as necessary for the effectiveness of the ISMS must be considered mandatory.

    That said, contracts, regulations, and laws that may be used as inputs to the risk management process or to define requirements for security controls must be considered mandatory.

    >2 - Does this need to be stated in the security policy or can it be left out?

    Answer: You can include an overall statement about complying with legal and contractual requirements, but I recommend that you keep this information separate from the Information Security Policy, because otherwise you might need to update the Policy too often.
  • Business continuity documents for ISO 27001


    Answer: Yes, this document is completely enough to become ISO 27001 compliant regarding business continuity.

    The document "operating processes for information and communication technology" in folder 12 of the toolkit talks about a business continuity management strategy as a referential document. There isn't any template for that strategy, right? Can we delete this reference to the business continuity management strategy?

    Answer: There is no Business Continuity Strategy template in the ISO 27001 Toolkit - feel free to delete this reference. This strategy is part of ISO 27001 & ISO 22301 Toolkit, and is needed only if you want to become ISO 22301 compliant.
  • Duration of the ISO 22301 review


    Answer:

    The time of the review of ISO standards varies greatly, but this usually takes between 1 and 3 years.
  • Lead Implementer Course


    Answer:
    If you want to develop skills to be a future implementer of a QMS, I would like to invite you to start a free online training that Advisera will be launching next September. That training is called the Lead Implementer Course. That course is for those who want to develop a management system, either as consultants or working inside an organization.

    In the meantime the following material will provide you information about ISO 9001 foundations:

    - free online training ISO 9001:2015 Foundations Course
    - https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Tools required by ISO 14001:2015


    Answer:

    No, ISO 14001:2015 does not require the use of turtle diagrams.

    The following material will provide you information about internal audits:

    - ISO 14001 – Internal Audits in the EMS: Five Main Steps - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/internal-audits-in-the-ems-five-main-steps/
    - ISO 14001:2015 Internal Audit Toolkit - https://advisera.com/14001academy/iso-14001-2015-internal-audit-toolkit/
    - free online training ISO 14001:2015 Internal Auditor Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • Platforms and documents managements


    Answer:

    I have already worked with several SMEs that used Google Documents to manage documents and records. I consider it adequate for the task. Perhaps, with bigger organizations and more demanding security requirements, Google Documents is no longer adequate.

    The following material will provide you information about managing documents:

    - ISO 9001 – What kind of Document Management System (DMS) do you need for handling ISO documents? - https://advisera.com/conformio/blog/2020/08/11/what-kind-of-dms-you-need-for-handling-iso-27001-documents/
    - free online training ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/