This is what the Paragraph states:
Each external document, which is necessary for the planning and operation of the ISMS, must be recorded in the incoming mail register. The incoming mail register must contain the following information: (1) document number, (2) sender, (3) document name, (4) date of receipt, (5) name of the person to whom the document has been forwarded.
Answer:
An incoming mail register is a record used to identify any information received by the organization from external parties, either on physical or electronic media. Examples of incoming mail are hard copies of equipment manuals you use or standards you must comply with, or a customer e-mail requiring changes in a project's specification.
Your understanding is right that not all mail coming into the organization needs to be in the incoming mail register. Examples of external documents necessary for the planning and operation of the ISMS are the ISO 27001 standard, customer requirements for service delivery, and audit reports from your certification body.
BYOD policy
Answer:
In section 3.4, I understand that you are referring to the Information Classification Policy in the text "classified information must be additionally protected according to the [Information Classification Policy]". Considering that, this template can be found in folder 08 Annex A A.8 Asset management.
Incident Management Procedure
Answer:
The Incident Management Procedure only covers requirements of ISO 27001, and for the EU GDPR & ISO 27001 Integrated Documentation Toolkit, the incident management process must also cover GDPR requirements (Articles 4(12), 33, 34), so for this toolkit you can use the template A.16 Data Breach Response and Notification Procedure, located in folder 11 Security Controls of your toolkit.
Mandatory documents
1 - Definition of security roles and responsibilities (A.7.1.2, A.13.2.4) I understand that these must be covered by clauses in the (labour) contracts with the employees and contractors or an appendix to the contract with existing employees/contractors. Is there a specific place where this must be documented or recorded?
2 - Acceptable use of assets (A.8.1.3) Is this covered by the Advisera document 11 A.8.2?
3 - Operating procedures for IT management (A.12.1.1) Is this also covered in the Advisera document 11 A.8.2?
4 - Secure system engineering principles (A.14.2.5) Is this covered in the Advisera documents 11 A.14 and 11 A.14.1?
Answer: Included in your toolkit there is a List of Documents file that maps which templates cover which clauses and controls of ISO 27001. In this document you will identify that:
- Control A.7.1.2 is covered by templates A.7.1 Confidentiality Statement, A.7.2 Statement of Acceptance of ISMS Documents, Supplier Security Policy, Supplier Data Processing and Security Clauses for Suppliers and Partners, all located in folder 11 Security Controls.
- Control A.13.2.4 is covered by template A.7.1 Confidentiality Statement, located in folder 11 Security Controls.
- Control A.8.1.3 is covered by template A.8.2 IT Security Policy, located in folder 11 Security Controls.
- Control A.12.1.1 is covered by template A.12.1 Security Procedures for IT Department, located in folder 11 Security Controls.
- Control A.14.2.5 is covered by template A.14 Secure Development Policy, located in folder 11 Security Controls.
Regarding contracts, ISO 27001 does not specify where roles and responsibilities are to be placed, so you can define where to document or record them as best fulfils your needs (as contract clauses or an appendix to contracts), or according to already defined templates.
Asset and Risk management
Answer: An asset should have only one owner. The owner is normally a person who operates the asset and who makes sure the information related to this asset is protected. You can define a role as the asset owner and make a link to an external competence matrix.
2 - Different kinds of contracts, supplier contracts, rental contracts, parking contracts, customer contracts… Do we have to list all of these contract groups? Or can we list them as contracts?
Answer: If these contracts have similar clauses you can list them only as contracts. For those which have specific clauses you should list them separately, because such different clauses may require different approaches when defining risk treatment.
3 - What are common combinations for documents in the threats and vulnerabilities?
Answer: Common threats and vulnerabilities related to documents, either for paper or electronic documents, are:
- Compromising confidential information (threat)
- Destruction of records (threat)
- Disclosure of information (threat)
- Falsification of records (threat)
- Industrial espionage (threat)
- Disposal of storage media without deleting data (vulnerability)
- Inadequate or irregular backup (vulnerability)
- Inadequate physical protection (vulnerability)
- Inadequate segregation of duties (vulnerability)
Any combination of above threats and vulnerabilities may mean a risk for your organization's information.
If you check ISO 9001:2015 clause 8.4.1, you will see that you have just mentioned 8.4.1 a). You can also have 8.4.1 b) and 8.4.1 c).
Personal Data Transfer Kit points 6.2 and 6.3
Answer:
First of all you need to check if you are processing personal data because if it is only company data (legal entities) this does not constitute personal data.
Document 6.2 "Standard contractual clauses for the transfer of personal data from the Community to third countries (controller to controller transfers)" is to regulate the transfer of personal data from a controller in the EEA sending personal data to another controller outside the EEA.
Document 6.3 "Standard contractual clauses for transfer to processors" is meant to be a safeguard to regulate the transfer of personal data from a controller in the EEA sending personal data to a processor outside the EEA.
The second question is how to register as a data controller.
Answers:
1. This is subject to local data protection laws. The EU GDPR only requires the appointment of a representative but does not describe how this would work from an administrative perspective. For sure you would need to have a written document in place to prove that you have appointed a representative in the EU.
2. Registration with a local Data Protection Authority is also subject to local law; just to give you an example, the ICO requires controllers to register (https://ico.org.uk/for-organisations/data-protection-fee/) while other authorities, such as the one in Poland, don't.
Answer: ISO 27001 does not prescribe the role of CISO for implementation of an ISMS. The standard requires the definition and assignment of responsibilities related to information security, but not to a specific role, nor its position on the organizational chart. Considering that, you can define any existing role, or create a new one, to assume the responsibilities for information security, provided it can fulfill them, but the closer its position is to the CEO the better, because the communication of information security needs and results will be faster.