
  • Is EU GDPR applicable to Middle East companies

    Answer:

    I am sorry to hear that you are not satisfied with the interpretation of EU GDPR article 3 – Territorial Scope (https://advisera.com/eugdpracademy/gdpr/territorial-scope/). I would suggest you carefully read through the article; you will find that one condition for the EU GDPR to be applicable is that the individual (data subject) needs to be “in the Union” (Union meaning the EU/EEA). If you have another interpretation, please feel free to share it.

    To make it clearer for you: if an EU citizen comes to the Middle East and he/she wants to rent a car, for example, the car rental company does not need to be compliant with the GDPR, because the EU citizen is not physically present in the EU and the processing activity is also carried out outside the EU.
  • ISO 27001 and NESA

    Answer: The National Electronic Security Authority Information Assurance Standards (NESA IAS) are primarily based on ISO 27001:2005, with some additional controls taken from ISO 27001:2013 and NIST Special Publications (SP-Series).

    For a detailed understanding of how NESA IAS correlates with ISO 27001, you should contact the NESA team at this link: https://www.ebdaa.ae/contact-us/index.php
  • Specifications for server room

    Answer: ISO 27001 does not specify requirements in terms of which physical security and building standards to follow, since for each organization these can vary according to local legal requirements and the results of the risk assessment. A common reference you can use is the standard EIA/TIA 942, which you can find at this link: https://global.ihs.com/doc_detail.cfm?&csf=TIA&item_s_key=00414811&item_key_date=860905&input_doc_number=TIA%2D942&input_doc_title=
  • Implementing ISO 14001 -

    Answer:

    Sorry, I have no such sample. But ISO 14001 is very intuitive, much more than ISO 9001, I would say. Make an environmental assessment, determine if your organization follows conformity requirements, and establish priorities for improvement considering the assessment, strategic orientation, context, and risks & opportunities. Then, develop plans to meet the improvement objectives and monitor performance.

    ISO 14001 includes the Deming cycle (PDCA). So, change management is very useful for the project.

    The following material will provide you information about assessment of environmental interactions:

    - ISO 14001 – 4 steps in identification and evaluation of environmental aspects - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/knowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/
    - List of ISO 14001 implementation steps - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/list-of-iso-14001-implementation-steps/
    - free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • Identifying quality requirements

    Answer:

    That sentence seems to be taken from a contract or something like that. My understanding is: I, as a customer, want you, as my supplier, to establish a process to handle all my quality requirements at product level, at product development level, and at organizational level. Does this make sense to you?

    The following material will provide you information about customer requirements:

    - ISO 9001 – How Product Requirements work in ISO 9001 - https://advisera.com/9001academy/blog/2014/04/08/product-requirements-work-iso-9001/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Data transfer policies to non-EU country

    Answer:
    What I would advise you to do is to use “Data Exporter” instead of Data Controller and “Data Importer” instead of Processor. In this scenario your company would be the “Data Exporter” and it is irrelevant who the controller is.

    To find out more about data transfers check out our webinar “How to make personal data transfers to other countries compliant with GDPR“ (https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/).
  • Controls documentation

    First, it is important to understand that auditors will evaluate documentation not according to how descriptive it is, but according to whether it complies with the standard's requirements, applicable legal requirements, and the needs identified as results of the risk assessment.

    Considering that, as guidance for writing the details in your documents you should consider the ISO 27002 standard, a supporting standard that provides the details you are looking for. For example, for the information classification control this standard recommends that information classification criteria should be reviewed over time. For anti-malware, you should include guidance for users regarding not accessing malicious content or scanning files before using them.

    Orientations from this standard can be implemented as needed, so you do not need to implement all of them if you do not identify the need.

    This article will provide you more information about ISO 27002:
    - ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/

    At this link you can buy ISO 27002: https://www.iso.org/standard/54533.html
  • Information classification template

    "Step name: Entering the information asset in the Inventory of Assets
    Responsibility: Chief Information Security Officer"

    Further down in the document there is mention of “3.2.4 Reclassification” where asset owners are to review the confidentiality level of their assets with a certain time interval. Then “3.3 Information labelling” gives instructions on labelling of e.g. electronic documents and electronic mail etc.

    All this implies that each and every one of such documents should be listed in the Inventory of Assets (IoA).

    Our employees produce dozens of e-mails and electronic documents every week. If the CISO has to enter all these documents in the IoA, this is a full-time job in an organisation with only 15 employees or so!

    Can you please give me a practical way of dealing with this problem?

    General remark: I keep running into these kinds of issues where I am not able to find any examples or practical solutions in your documentation or Secure and Simple.

    Answer: You do not need to identify emails and electronic documents individually in your inventory of assets. You can use a single identification for them (e.g., e-mails and electronic documents) and define only once how all of them will be classified and treated.

    Please note that Information Classification Policy is not a mandatory document nor are the A.8.3 classification controls mandatory. In other words, if there are no risks nor specific requirements for implementing those controls, you can exclude them in your Statement of Applicability and in such case you wouldn’t need to perform classification at all.

    Regarding doubts you may find when filling templates, included in your toolkit you have access to video tutorials that can help you fill some templates (e.g., risk assessment table), using real data. If the tutorials are not enough to clarify your doubts, you can schedule a meeting with one of our experts so he can help you. To schedule a meeting with one of our experts, please access this link: https://advisera.com/27001academy/consultation/

    These articles will help you with information classification and the asset register:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    - Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
  • Filling a SoA template

    Thank you for your helpful answer and advice. Besides, would you mind answering another question? This would be so kind of you. Now I'm filling the document "Statement of Applicability". I kind of got stuck a bit in the column "Reason for choosing / Reason for exclusion". I mean, I read Dejan's note that this gap is all about the results of the risk assessment and the contractual and legal obligations. But some controls our risk assessment didn't even touch. I know that we have to have a guideline above all. But what's the reason for choosing? (Cause we want to have the certificate. ;)) I wrote for now: "protection of information against internal and external threats, intentional and accidental." Or is it better, if you realize the control, to ALWAYS write (the same): "based on the results of the risk assessment, the contractual and legal obligations"?

    Answer: If your risk assessment does not identify risks that justify the applicability of a control, then you should look for clauses in laws, contracts or standards you have to follow that may demand the application of such controls. In this case you may state "control applicable to comply with law/contract XXXX, clause YYYY".

    If you still do not find legal requirements to justify controls applicability, you can state "Control applicable because of a Top Management decision to follow industry/market best practices", or "Control applicable because of a Top Management decision to support a business objective".

    You should note that you will hardly use the last examples (based on a top management decision), because generally there will be risks or legal clauses to support a control's applicability.

    This article will provide you further explanation about the SoA:
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
  • ISO 19001:2018

    There is also now a need, I imagine, to revise your book to accommodate the publication by ISO of ISO 45001:2018 in March this year, and perhaps other standards mentioned in the content of the bibliography?

    Answer: ISO 19011:2018 has just been released and we are already working on our books update.

    The main difference regarding ISO 19011:2018 is the addition of the risk-based approach to the principles of auditing, to reflect the enhanced focus on risk in both management standards and in the marketplace. But it is important to note that the risk-based approach is not mandatory for internal audits.

    Other modifications refer to minor expansions of the guidance related to managing an audit program, conducting an audit, competence requirements for auditors, and auditing concepts.

    Regarding ISO 45001: it does not have any different requirements from other ISO standards like ISO 9001 or ISO 27001.