
  • Scope definition


    The company I am helping has a simple function: they have developed, maintain with ongoing R&D, and service through Customer Support a SaaS which is placed online.

    They also conduct Marketing & Sale activities as well as internal finance and internal HR.

    They want their scope to be restricted to:

    The processes and services that are in scope are to be the development, operation, administration and customer support of the Software as a Service platform ‘Human Resources Management System’, provided by XXXXX HR.

    The other functions, M&S, Finance and internal HR they want to be out of scope.

    The issue is that they occupy a single open plan office.

    Question: Is the desired scope likely to achieve certification?

    Answer: You can limit your ISMS scope to your core business offering, but for small and medium-sized organizations it is usually better to include the whole organization in the ISMS scope, because the effort to manage a scope that covers only part of the organization is not worth it.

    These articles will provide you further explanation about scope definition:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    These materials will also help you regarding scope definition:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

    2 - Following on, may we schedule a Skype call for Wed PM UK time please?

    Answer: To schedule a meeting, please access this link: https://advisera.com/27001academy/consultation/

    We will contact you to confirm your suggested schedule or offer an alternative at your convenience.
  • Policies, procedures and guidelines


    What are differences and similarities between these?

    Answer: The main difference between them would be the issues covered. A "Security Policy" deals with security in general, covering multiple subtopics (e.g., physical security, logical security, financial security, etc.). An ISMS Security Policy deals with information security (e.g., protection of information confidentiality, integrity, availability, etc.) in the context of an Information Security Management System (for ISO 27001 this policy is known as the Information Security Policy). A System-Specific Security Policy deals with security considering the specificities needed for the targeted system.

    Regarding similarities, all of them have the purpose of defining the rules and behaviors, regarding security, that users are expected to follow. Their framework would also be the same (e.g., scope, references, rules, responsibilities, etc.).

    It is important to understand that for ISO 27001, only the Information Security Policy is mandatory. Other policies may be needed as a result of risk assessment or legal requirements.

    These articles will provide you more information:
    - 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
    - One Information Security Policy, or several policies? https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/

    2 - What about Manual & Procedures – where do these documents come in?

    Answer: A procedure describes how a specific activity must be performed, while a manual is a set of policies and procedures. ISO 27001 does not require documented procedures (only when specific controls are identified as applicable as a result of risk assessment), and we do not recommend the use of manuals, because generally they become too big and impractical to read or use.

    This article will provide you more information:
    - Is the ISO 27001 Manual really necessary? https://advisera.com/27001academy/blog/2014/02/03/is-the-iso-27001-manual-really-necessary/

    3 - What about guidelines & standards?

    Answer: Guidelines are orientations about how a specific activity should be performed, without the mandatory aspect of procedures (they can be followed or not). Standards are references that must be followed regarding how a specific activity must be performed (for some organizations they are the same as procedures).

    This article will provide you more information (although it is ISO 9001 related, its concepts can also be applied to ISO 27001):
    - How to structure quality management system documentation https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/
  • Filling templates


    Answer: Included with your toolkit you have access to video tutorials that will help you fill in the most critical documents, with real data examples.

    If after the tutorials you still think you need more help, you can schedule a meeting with one of our experts, so they can help you solve your issues. To schedule a meeting, please access this link: https://advisera.com/27001academy/consultation/

    2. Is it possible to have the document "ISO / IEC 27001 standard" with all the measures to be respected?

    In the documents to be completed from the toolkit, it is very often mentioned standard ISO / IEC 27001 clause xxx as above:

    This document is not present in the toolkit that we have purchased and it seems essential to understand and be able to better complete the documents.

    Answer: The ISO 27001 standard is the intellectual property of ISO, and we do not have the license to sell it.

    You can buy this standard at this link: https://www.iso.org/standard/54534.html

    3. In the file related to the ISMS area of application, there is a table to be completed "applicability of measures".

    3.1. Do we have to complete the "Justification" column even when the measure is selected?

    Answer: I'm assuming this document you are referring to is the Statement of Applicability. Considering that, you have to complete the justification for when a control is selected.

    3.2. Do we have to complete the column "Objectives of the measures"?

    Answer: Although objectives of the measures are not mandatory in the SoA, we recommend that you use this column for all controls identified as applicable, because ISO 27001 requires the documentation of objectives for controls or groups of controls, and this way you will have one less document to handle.

    3.3 If so, can you provide us with a typical example to complete this table?

    Answer: Included with your toolkit you have access to a video tutorial that will help you fill in the Statement of Applicability, with real data examples.
  • Data Processing Agreement


    Answer:

    From the example you have provided, company A is acting as a data controller and company B would act as a data processor. In this instance a Data Processing Addendum/Agreement would need to be signed between company A and company B to ensure that company B processes the data on behalf of company A pursuant to the provisions of EU GDPR article 23 – Processor (https://advisera.com/eugdpracademy/gdpr/processor/).

    To find out more about controllers and processors check out our free “EU GDPR Foundations Course” (https://advisera.com/training/eu-gdpr-foundations-course/).
  • Requirements of clause 4.4


    Answer:

    Clause 4.4 includes general requirements for the QMS that relate to every part of the QMS. This means that you are actually complying indirectly with this clause through the documented procedures, policies and records required for each part of the QMS.

    We do not have templates related to clause 4.4 because the standard does not require any mandatory documentation for this clause.

    For more information about the mandatory documents and records in ISO 9001:2015, you can see this article – List of mandatory documents required by ISO 9001:2015:
    https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/lista-de-documentos-obligatorios-requeridos-por-la-iso-90012015/

    These materials can also help you with clause 4.4 in ISO 9001:2015:

    - Book “Discover ISO 9001:2015 Through Practical Examples”: /books/discover-iso-9001-2015-through-practical-examples/

    - ISO 9001:2015 Foundations Course: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
  • Writing an environmental policy


    Answer:

    The environmental policy should include the following ideas and elements:
    - Appropriate to the purpose and context of the organization
    - Continual improvement
    - Prevention of pollution
    - Compliance with legal obligations and other requirements
    - Framework for objectives and targets
    - Support the strategic direction of the organization.

    To learn more about environmental policy, you can see these articles:

    - How to write an ISO 14001 environmental policy: https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/how-to-write-an-iso-14001-environmental-policy/
    - How detailed should the EMS policy be: https://advisera.com/14001academy/blog/2017/10/31/how-detailed-should-the-ems-policy-be/

    The following materials can also help you with the environmental policy:
    - Book - The ISO 14001:2015 companion: https://advisera.com/books/the-iso-14001-2015-companion/
    - ISO 14001:2018 Foundations Course: https://advisera.com/training/iso-14001-internal-auditor-course/
  • QMS meeting requirements


    Answer:

    SWOT and PESTLE Analysis are frequently used tools to understand the organization and its context, but they are not mandatory. So, you can avoid their use, unless they are prescribed in your procedures.

    If when you mention QMS meetings, you are mentioning management review or performance reviews, minutes are mandatory – please check last phrases of clauses 9.1.1 and 9.3.3.

    The following material will provide you information about QMS meeting requirements:

    - ISO 9001 – How to implement the Check phase (performance evaluation) in the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/11/17/how-to-implement-the-check-phase-performance-evaluation-in-the-qms-according-to-iso-90012015/
    - Free online training ISO 9001:2015 Foundations Course – https://training.advisera.com/course/iso-90012015-foundations-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Risk Management Criteria


    If there is no recorded occurrence of an event occurring but there is also no way of knowing if the event occurred previously then do we score it low or Medium/High?

    For example - If I know the people can download company data onto their home devices through a browser based application. There are no recorded occurrences but there is also no way of knowing if this has happened.

    My concern with such a case is that, whilst I don’t want to commit scant resources to dealing with a risk that is perhaps not significant, I also do not want to leave a security hole for data to leak through in the business’s defences.

    Answer: Besides internal historical data, the likelihood can also be identified by means such as historical data available from the organization's industry (e.g., industry reports), statistical models, or expert opinion.

    This article may provide you more information about identification of likelihood:
    - How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
  • DPO

    What are the DPO's attributions in this situation, besides managing the Processor Personal Data questionnaires?

    Answer:

    1. This is more of an organizational question, as such things are not mentioned in the GDPR or elsewhere for that matter. Usually the DPO should train the relevant departments on how to recognize when a contract would involve processing of personal data, and draft the relevant agreements alone or together with the legal department, depending on the qualifications of the DPO.

    2. There are lots of tasks to be performed by the DPO such as:
    - providing and maintaining the necessary documentation to demonstrate compliance with the GDPR including, but not limited to policies, procedures, templates, forms and ensuring that they are kept up to date;
    - informing and providing expert advice to all members of staff regarding their obligation to comply with the provisions of the GDPR and relevant local laws and regulations when processing personal data;
    - monitoring compliance with the GDPR and relevant local laws and regulations, and informing the stakeholders within the Company of any changes in a timely manner.

    To learn more about the role of the DPO check out our webinar “Role of the DPO according to EU GDPR” (https://advisera.com/eugdpracademy/webinar/role-of-the-dpo-according-to-eu-gdpr-free-webinar-on-demand/)
  • ISO 20000 Risk register


    Answer:
    If you have created a risk register used for ISO 27001 implementation (and it was appropriate for your company) - try to re-use it, at least as a methodology. But please consider that ISO 20000 has IT services in focus. The same goes for risks: consider risks related to the IT services.
    Gaps and risks - well, that's hard to answer with yes or no. Some gaps are risks, but some are not.
    Excel sheet - no, we don't provide such documents because this is different case by case, i.e. it needs to be adapted to the organization.
    Read the article Similarities and differences between ISO 27001 and ISO 20000 https://advisera.com/20000academy/blog/2018/05/09/similarities-and-differences-between-iso-27001-and-iso-20000/ to learn more about similarities and differences between ISO 20000 and ISO 27001.