
  • Mandatory documents


    1 - Definition of security roles and responsibilities (A.7.1.2, A.13.2.4) I understand that these must be covered by clauses in the (labour) contracts with the employees and contractors or an appendix to the contract with existing employees/contractors. Is there a specific place where this must be documented or recorded?

    2 - Acceptable use of assets (A.8.1.3) Is this covered by the Advisera document 11 A.8.2?

    3 - Operating procedures for IT management (A.12.1.1) Is this also covered in the Advisera document 11 A.8.2?

    4 - Secure system engineering principles (A.14.2.5) Is this covered in the Advisera documents 11 A.14 and 11 A.14.1?

    Answer: Included in your toolkit there is a List of Documents file that maps which templates cover which clauses and controls of ISO 27001. In this document you will identify that:
    - Control A.7.1.2 is covered by templates A.7.1 Confidentiality Statement, A.7.2 Statement of Acceptance of ISMS Documents, Supplier Security Policy, Supplier Data Processing and Security Clauses for Suppliers and Partners, all located in folder 11 Security Controls.
    - Control A.13.2.4 is covered by template A.7.1 Confidentiality Statement, located in folder 11 Security Controls.
    - Control A.8.1.3 is covered by template A.8.2 IT Security Policy, located in folder 11 Security Controls.
    - Control A.12.1.1 is covered by template A.12.1 Security Procedures for IT Department, located in folder 11 Security Controls.
    - Control A.14.2.5 is covered by template A.14 Secure Development Policy, located in folder 11 Security Controls.

    Regarding contracts, ISO 27001 does not specify where roles and responsibilities are to be placed, so you can define where to document or record them as best fulfils your needs (as contract clauses or an appendix to contracts), or according to already defined templates.
  • Asset and Risk management


    Answer: An asset should have only one owner. The owner is normally a person who operates the asset and who makes sure the information related to this asset is protected. You can define a role as the asset owner and make a link to an external competence matrix.

    This article will provide additional information:
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

    2 - Different kinds of contracts, supplier contracts, rental contracts, parking contracts, customer contracts… Do we have to list all of these contract groups, or can we list them as contracts?

    Answer: If these contracts have similar clauses you can list them only as contracts. For those which have specific clauses you should list them separately, because such different clauses may require different approaches when defining risk treatment.

    3 - What are common combinations for documents in the threats and vulnerabilities?

    Answer: Common threats and vulnerabilities related to documents, either for paper or electronic documents, are:
    - Compromising confidential information (threat)
    - Destruction of records (threat)
    - Disclosure of information (threat)
    - Falsification of records (threat)
    - Industrial espionage (threat)
    - Disposal of storage media without deleting data (vulnerability)
    - Inadequate or irregular backup (vulnerability)
    - Inadequate physical protection (vulnerability)
    - Inadequate segregation of duties (vulnerability)

    Any combination of the above threats and vulnerabilities may mean a risk for your organization's information.

    These articles will provide you with more information about threats and vulnerabilities:
    - Catalogue of threats & vulnerabilities https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/
    - ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
  • Supplier evaluation

    If you check ISO 9001:2015 clause 8.4.1, you will see that you have just mentioned 8.4.1 a). You can also have 8.4.1 b) and 8.4.1 c).
  • Personal Data Transfer Kit points 6.2 and 6.3


    Answer:

    First of all you need to check if you are processing personal data because if it is only company data (legal entities) this does not constitute personal data.

    Document 6.2 "Standard contractual clauses for the transfer of personal data from the Community to third countries (controller to controller transfers)" is to regulate the transfer of personal data from a controller in the EEA sending personal data to another controller outside the EEA.

    Document 6.3 "Standard contractual clause for transfer to processors" is meant to be a safeguard to regulate the transfer of personal data from a controller in the EEA sending personal data to a processor outside the EEA.

    To learn more about personal data transfers check out our webinar "How to make personal data transfers to other countries compliant with GDPR" (https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/).
  • Registration to a local Data Protection Authority


    The second question is how to register as a data controller.

    Answers:

    1. This is subject to local data protection laws. The EU GDPR only requires the appointment of a representative but does not describe how this would work from an administrative perspective. For sure you would need to have a written document in place to prove that you have appointed a representative in the EU.

    2. Registration to a local Data Protection Authority is also subject to local law. Just to give you an example, the ICO requires controllers to register (https://ico.org.uk/for-organisations/data-protection-fee/) while other authorities, such as the one in Poland, don't.

    To learn more about the EU GDPR check out our free "EU GDPR Foundations Course" (https://advisera.com/training/eu-gdpr-foundations-course//)
  • Utilization of 11.A.15.2 and 11.A.15.1 documents

    Here is the full link:
    https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en
  • CISO role


    Answer: ISO 27001 does not prescribe the role of CISO for implementation of an ISMS. The standard requires the definition and assignment of responsibilities related to information security, but not to a specific role, nor its position on the organizational chart. Considering that, you can define any existing role, or create a new one, to assume the responsibilities for information security, provided it can fulfill them, but the closer its position gets to the CEO the better, because the communication of information security needs and results will be faster.

    These articles will provide you further explanation about the CISO role:
    - What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
    - Chief Information Security Officer (CISO) – where does he belong in an org chart? https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/
  • Integrated inventory of assets


    I am looking into the CIS information security top 20 controls, as a place to recommend beginning to shore up our defenses.

    But I am searching for a resource that discusses the information that a team working to build inventories needs to identify and register per hardware and software asset.

    And how much effort should go into integrating the need for this information into a technology asset management system? Should the information security data be maintained separate from the ITAM system?

    Where would I find good resources to learn about this topic?

    Answer: First it is important to understand that ISO 27001 only requires the implementation of an inventory of assets if you have unacceptable risks or applicable legal requirements requiring such control (A.8.1.1 - Inventory of Assets).

    Considering that, this control does not require an inventory of assets related to information security to be separated from other inventory systems, like an ITAM system (in fact, if you already have an inventory system implemented, by using the same system you would be optimizing your resource usage). To use the same system you only have to ensure the information is properly protected, and most of today's systems have functionalities to ensure such protection.

    These articles will provide you further explanation about inventory of assets:
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
    - Knowing your herd – Service Asset and Configuration Management (SACM) https://advisera.com/20000academy/blog/2013/06/04/knowing-herd-service-asset-configuration-management-sacm/
    - Three main activities to set up ITIL Service Asset and Configuration Management https://advisera.com/20000academy/blog/2015/07/14/three-main-activities-to-set-up-itil-service-asset-and-configuration-management/
  • Risk management process


    1 - Does a company usually have to realize all of the 114 controls (I know you can choose other controls beside the 114 controls of ISO 27001)? Is the main idea behind Annex A that these controls should be implemented (if you can't exclude them)? You said beside the risk treatment table we should check things like legal and contractual requirements when we try to fill out the SoA. I just would like to get a feeling if companies usually have to implement a high percentage of Annex A (on average of all companies and industry sectors), if this is the main idea of Annex A. I know that it's different from company to company and that it depends from industry sector to industry sector.

    Answer: Normally companies implement only part of the controls of Annex A (especially in the case of small and mid-sized companies), as a result of risk assessment, or identification of legal requirements. The main purpose of Annex A is not to be fully implemented, but to ensure relevant aspects of information security are not forgotten during the risk assessment (sometimes, only by looking at a control, someone can identify a relevant risk related to it).

    2 - I just don't know how to handle Annex A after being done with the risk assessment table and almost with the risk treatment table. If our company can't explain why this control didn't touch our company (cause we accept the specific risk for example), should we implement it? If you start reading Annex A it says: Annex A must be used in the context of 6.1.3 (risk treatment).

    An example: some of our employees got a laptop and a smartphone from the company to work with. In our risk assessment the risk level for these assets is under 3 and 4 and right now these assets are falling in the category "accepted risk". With this identification and in this specific example we are able to ignore (for example) the control A.6.2.1.

    Another example: our human resources security doesn't have to be added in the risk treatment plan either. This means, if there should be no other legal or contractual regulations, we can ignore A.7.2.3 in this specific example? I know there might be a few more assets where this control has to be used. Let's assume we consider just this asset and the others are out of contemplation.

    Answer: If after risk assessment you do not identify unacceptable risks, or legal requirements, to justify implementing some controls, you do not need to implement them, as simple as that. Your examples are good ones.
  • Is EU GDPR applicable to Middle East companies

    Answer:

    I am sorry to hear that you are not satisfied with the interpretation of EU GDPR article 3 – Territorial Scope (https://advisera.com/eugdpracademy/gdpr/territorial-scope/). I would suggest you carefully read through the article and you will find that one condition for the EU GDPR to be applicable is that the individual (data subject) needs to be "in the Union" (Union meaning the EU/EEA). If you have another interpretation please feel free to share it.

    To make it clearer for you: if there is an EU citizen coming to the Middle East and he/she wants to rent a car, for example, the car rental company does not need to be compliant with the GDPR because the EU citizen is not physically present in the EU and the processing activity is also carried out outside the EU.