
  • Sub processor data processing agreements

    Thanks Andrei
  • CISO role


    Answer: ISO 27001 does not require the CISO position, so you can designate any existing position in your organization to assume related information security responsibilities.

    Regarding the use of name and surname, we recommend the use of role or job title, because if the person responsible for information security changes, you will have to change all related documentation to the new name, while by using the job title, in general you will have to change only the organizational chart. It is important to note that this recommendation is also valid to other roles you may define in your Information Security Management System.

    These articles will provide you further explanation about CISO role:
    - What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
    - Chief Information Security Officer (CISO) – where does he belong in an org chart? https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/
  • Categorizing information


    Answer: Usually, information categorization is done based on the results of the risk assessment: the higher the value of information (the higher the consequence of breaching the confidentiality), the higher the classification level should be. As for the number of levels, ISO 27001 does not prescribe the levels of classification – this is something you should develop on your own, based on what is common in your country or in your industry. The most common arrangements consider 3 or 5 levels.

    This article will provide you further explanation about information classification:
    - Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/

    These materials will also help you regarding information classification:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Responsibility for organizational knowledge


    Answer:

    Organizational knowledge is about several different topics.
    I like to think about organizational knowledge as:
    1) what the organization knows it knows
    2) what the organization does not know that it knows
    This can be handled by human resources and is about training, coaching by experienced workers, and experience.

    3) what the organization knows it does not know
    This can be handled with the help of external training, suppliers, books and technical magazines, for example and can be performed by several internal functions.

    4) what the organization does not know that it does not know
    This can be handled by different internal functions that maintain a kind of radar surveying relevant potential new knowledge with the help of books, magazines, blogs, conferences, networking, suppliers, …

    So, I do not see this as a job for one particular function centralizing everything.

    The following material will provide you information about organizational knowledge:

    - ISO 9001 – How to manage knowledge of the organization according to ISO 9001 https://advisera.com/9001academy/blog/2016/08/30/how-to-manage-knowledge-of-the-organization-according-to-the-iso9001/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Use of certification logo with products

    We are an online shop and want to use certificates to increase our trust level.
    Therefore, I want to know if it is allowed to use regular ISO signs you can find when you google for them and just place the certificates as PDFs behind the?”

    Answer:

    ISO 9001 certification is not about the products but about the quality management system. According to most of the rules about the use of certification logos, they should not be used in contact with products. Nevertheless, I see, for example, buses with certification logos applied.

    I would be comfortable with the use of the certification logo with the name of the manufacturer, side by side with the product.
  • Legal & Regulatory Requirements

    The key term in this ISO 22301 requirement is "relevant parties" (to your business). You do not have to identify requirements for all customers. Your organization may already have criteria to identify which ones are most important to you (e.g., total sales per customer, frequency of purchase, time of relationship, etc.), and you can use these criteria to sort the clients from whom you will have to identify needs and legal requirements.

    For these clients identified as relevant according to your criteria, you have to go through all the agreements you have with them and see if there are requirements related to business continuity.

    ISO 27001 has a similar requirement and this article will provide you explanation that also can be applicable to ISO 22301:
    - How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

    This material will also help you regarding ISO 22301 requirements identification:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
  • Emergency medical service key performance indicators


    Answer:

    Performance indicators are measurement tools that should be “specific, measurable, action oriented, relevant and timely”. Three types of indicators are used to measure quality in patient care: Structure, process and outcome indicators. EMS (Emergency Medical Service) system performance indicators follow the same classification.

    Structural data are attributes of the setting in which care is provided. These usually refer to the characteristics of the different components of an EMS system including facilities, equipment, staffing, knowledge base of providers, credentialing, deployment. Since EMS systems designs are diverse as discussed above, these indicators may not be applicable to all systems. Emergency vehicle response time standard is the most commonly used structure measure in EMS. The goal is to respond to 90% of priority 1 calls (life threatening and highly time dependent) in less than 9 minutes.

    Another type of measures is process data. These are the components of the encounter between the pre-hospital provider and the patient. It is an evaluation of the steps of the care provided. Process measures are more sensitive to differences in quality of care. In contrast to structure and outcome measures that provide an indirect approach to quality measurement, process measures allow for a direct assessment of quality of care. One example would be collecting specific data points on the process of endotracheal intubation performed by EMS providers to monitor the success rate of this procedure.

    A third type of measures is outcome data. These evaluate the change in the patient’s subsequent health status in response to a clinical intervention. Outcome research in EMS focuses on determining the effectiveness of some of these interventions and showing the true value of an EMS system since it offers feedback on all aspects of care. Outcome data is easy to interpret and easily understood by the different stakeholders. Internationally, out-of-hospital cardiac arrest (OHCA) survival is the most common outcome measure used to compare EMS systems.
  • Consent for marketing email

    -we do not request explicit consent to receive newsletters
    - we send the next newsletter, duly including a note about the GDPR and a link to our new Privacy policy/ option to unsubscribe

    Answer:

    If the newsletters are sent to past/present customers you should be fine relying on legitimate interest and consent won't be needed. As you already mentioned, you need to present to the customers the possibility to unsubscribe as well as the new Privacy Notice/Policy.

    To learn more about how the EU GDPR affects marketing, check out our webinar “How GDPR Affects Marketing Practices” https://advisera.com/eugdpracademy/webinar/how-gdpr-affects-marketing-practices-free-webinar-on-demand/
  • Controls effectiveness review


    Answer: First it is important to understand that ISO 27001 does not require procedures to check the effectiveness, only that activities are performed (it is not mandatory to document them, but in some cases documentation is a best practice).

    Considering that, regarding technical measures, you should consider activities for penetration tests and vulnerability assessments. For organizational measures you should consider audit activities.

    These articles will provide you further explanation about penetration tests and internal audit:
    - How to use penetration testing for ISO 27001 A.12.6.1 https://advisera.com/27001academy/blog/2016/01/18/how-to-use-penetration-testing-for-iso-27001-a-12-6-1/
    - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
    - 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/

    These materials will also help you regarding internal audit:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - ISO 27001:2013 INTERNAL AUDITOR COURSE https://advisera.com/training/iso-27001-internal-auditor-course/
  • Citizen or residents?


    Answer:

    Of course the EU GDPR aims at protecting the rights and freedoms of EU citizens, but not only: it also protects individuals who are not citizens or residents if the processing activity takes place in the EU.

    The key to understanding when EU GDPR is applicable is understanding the meaning of “in the Union.” The EU GDPR will only apply to personal data regarding individuals within the Union, while the nationality or habitual residence of those individuals is irrelevant. For example, a company based in the EU which is processing the data of Japanese individuals located in Japan will still need to comply with the EU GDPR. Consequently, the Japanese individuals will be benefiting from all rights according to the EU GDPR, even if these rights do not exist in their own nation’s laws.