Search results


  • Risk mitigation and BC strategy


    As I had to take the exam and I still didn't have an answer for the question, I bought ISO 27001 Risk Management, hoping to find the answer. But I didn't.

    The pocket book is really fine, though having read “Becoming resilient” most of the contents of the ISO 27001 Risk Management pocket book are exactly the same. But anyway I think I learned some new things.

    Answer: Risk mitigation involves the implementation of controls to reduce the impact and/or probability of a risk happening, so mitigating risks before implementing the strategies for BC will help reduce the resources required to implement BC strategies. Regarding ISO 27001 Risk Management, it has much more precise requirements regarding the timing of the mitigation - the controls do not need to be implemented right away, but they need to be planned through the Risk Treatment Plan.

    For example, by installing a lightning rod system, you can reduce the need for a secondary site as a result of a lightning storm damaging a building's electrical infrastructure.
  • Clarification on Penetration test

    Answers:
    1. Control A.12.6.1 can become required as a result of risk assessment if you identify, for example, that one of your software suppliers often releases security updates for a critical system your organization uses.

    An example regarding legal requirements is compliance with PCI-DSS, a standard for the credit card industry, which requires periodic verification of vulnerabilities on assets handling customers' credit data.

    2. Provided that you are capable of evidencing that the personnel performing the tests have the competencies to do so (by means of certificates, experience records or external references), these people do not need to be part of your ISMS scope.
  • GDPR and recorded calls

    I am not sure about the rights of the customers (callers) and I am not sure about my rights either.
    1. Can a customer (caller) ask to delete the records with his/her voice?
    2. Am I eligible to ask the same from my company (if for example I would like to delete all records with my voice from the archive of the company)?

    Answers:

    The same approach applies regardless of whether the request comes from an employee or a customer.

    A data controller must comply with the request where:
    - the individual has objected to the processing and (other than in relation to objections to direct marketing) there are no overriding legitimate grounds to justify that processing;
    - the personal data is no longer needed for the purpose for which it was collected or processed;
    - the individual withdraws consent and there are no other grounds for the processing;
    - the personal data is unlawfully processed;
    - there is a legal obligation under Union or Member State law to erase the personal data; or
    - personal data was processed in connection with an online service offered to a child.

    However the right to erasure is not an absolute right and the controller does not need to comply if the processing is:
    - necessary for rights of freedom of expression or information;
    - for compliance with a legal obligation under Union or Member State law;
    - in the public interest or carried out by an official authority;
    - for public interest in the area of public health;
    - for archiving or research; or
    - for legal claims.

    If you want to find out more about data subject rights, check out our webinar “Data Subject Rights under the EU GDPR” https://advisera.com/eugdpracademy/webinar/data-subject-rights-under-the-eu-gdpr-free-webinar-on-demand/
  • IT security questionnaire


    “….as part of the risk assessment the IT Security Questionnaire is completed by third parties providing details around their information security management system and control environment.”

    As a growing publicly listed firm, my IT team gets a lot of new software requests from our staff. Due to the maturity of some of the Fintechs that I’m asked to review, I can tell that their IT security framework is not that great. Hence the need for a questionnaire.

    Answer: Included in the toolkit you bought there is an Internal Audit Checklist template that you can use to evaluate IT aspects of information security management.

    Sections covering the controls from Annex A, especially sections A.6.2, A.9, A.10, A.12, A.13, A.14 and A.15, can help you evaluate not only your own infrastructure but also that of third parties.

    This template is located in folder 10 Procedure for Internal Audit.
  • Training and awareness


    I am pleased to inform you that we have successfully completed the ISO27001 Stage 2 Audit and have been recommended to be certified. Thank you for all your help.

    One of the findings from the Stage 2 Audit is to generalise further the Information Security Awareness Training for our employees. Would you by any chance be able to direct me to one of your articles/presentations on this subject?

    Whilst thanking you in advance for your feedback on the matter, I look forward to hearing from you soon.

    Answer: First of all, congratulations for your achievement.

    For Information Security Awareness and Training, I suggest these materials:
    - 8 Security Practices to Use in Your Employee Training and Awareness Program https://advisera.com/27001academy/blog/2015/03/02/8-security-practices-to-use-in-your-employee-training-and-awareness-program/
    - How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
    - How personal certificates can help your company’s ISMS https://advisera.com/27001academy/blog/2014/10/06/how-personal-certificates-can-help-companys-isms/
    - Why ISO 27001 – Awareness presentation https://info.advisera.com/27001academy/free-download/why-iso-27001-awareness-presentation
  • Implementing risk-based thinking


    Answer:

    ISO 9001:2015 requires neither procedures nor records about the implementation of risk-based thinking. When I work with companies implementing a quality management system according to ISO 9001:2015, I recommend having a risk register and having a small instruction or procedure to assure a consistent procedure year after year. Attention, remember that my approach is not mandatory. So, your approach is acceptable, although I would like to work with records of the full risk assessment.

    The following material will provide you information about risk-based thinking:

    - How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    - Free webinar – How to implement risk management in ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar/
    - ISO 9001:2015 Risk Management Toolkit https://advisera.com/9001academy/iso-90012015-risk-management-toolkit/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Implementing a QMS


    Answer:
    This question has a huge scope, not easy to answer in a few lines. Pick a project manager, a small team and a project sponsor with influence over the top management. Study ISO 9001, develop a process map of how your organization works and develop a project plan. Then it is simple project management.

    The following material will provide you information about internal audits:

    - ISO 9001 – Case study for ISO 9001:2015 transition in a construction company https://info.advisera.com/hubfs/9001Academy/9001Academy_FreeDownloads/Case_study_for_ISO_9001_2015_transition_in_construction_company_EN.pdf
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Hard copies not a must


    Answer:

    False. Check clause 7.5.2 b)

    The following material will provide you information about documented information:

    - ISO 14001 – A new approach to documented information in ISO 14001:2015 https://advisera.com/14001academy/blog/2015/08/24/a-new-approach-to-documented-information-in-iso-140012015/
    - free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • Policy in business card


    Answer:

    In this case the Quality policy is nothing else but marketing material, so you don't need to have a revision listed for this.

    If you want to learn more about document and record control, see - New approach to document and record control in ISO 9001:2015: https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/

    These materials can also help you to understand more ISO 9001:2015:

    - Book "Discover ISO 9001:2015 through practical examples": https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - ISO 9001:2015 Foundations Course: https://advisera.com/training/iso-9001-foundations-course/
    - Conformio - Compliance tool: https://advisera.com/conformio/
  • ISO 22301 manual


    If it's required, kindly oblige me with ways to go about it.

    Answer: ISO 22301 does not require the elaboration of a manual, and we do not recommend that organizations adopt one, because:
    - merging required documents in a single document makes them no easier to read;
    - the longer the documents are, the smaller the chance someone will read them because not every BCMS document is intended for everyone in an organization;
    - since individual BCMS documents change rather often, it would be a nightmare to update such a handbook so frequently.

    This article will provide you further explanation about ISO 22301 required documents:
    - Mandatory documents required by ISO 22301 https://advisera.com/27001academy/knowledgebase/mandatory-documents-required-by-iso-22301/
    This dilemma for ISO 22301 Manual is the same as for ISO 27001 Manual, and you can find more information here:
    - Is the ISO 27001 Manual really necessary? https://advisera.com/27001academy/blog/2014/02/03/is-the-iso-27001-manual-really-necessary/