  • ISO22301 Internal Audit

    To define samples for a BCMS internal audit you should consider:
    - contracts and regulations you must comply with (policies and procedures related to the most critical or most frequent requirements should be sampled)
    - the results of business impact assessment (policies and procedures related to the most critical elements identified in the BIA should be sampled)
    - Business continuity plans and related records

    These articles will provide you further explanation about defining an audit checklist:
    - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 - https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
    - 8 criteria to decide which ISO 27001 policies and procedures to write - https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
  • Lack of information in non-conformance description

    Answer:

    Any non-conformance issued during an audit should include the clause that is not being respected. If I received a non-conformance during a surveillance audit, I would contact the certification body and politely ask them to identify the clause being violated, or ask them whether my interpretation of which clause is not being respected was correct.

    The following material will provide you information about the non-conformances issued during audits:

    - ISO 9001 - How to write a good ISO 9001 audit nonconformity? - https://advisera.com/9001academy/blog/2018/04/24/how-to-write-a-good-iso-9001-audit-nonconformity/
    - free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • GDPR component for cookie consent

    Answer:

    The EU GDPR states that consent should be “a freely given, specific, informed and unambiguous indication of the individual’s wishes”; this means that consent must consist of a clear affirmative action. Inactivity or silence is not enough, and the use of “pre-ticked boxes” is not permitted.

    However, the use of cookies is regulated by the ePrivacy Directive, which states that you only need to inform visitors about the cookies you are using, not obtain their consent; but this also depends on the types of cookies you are using, as well as the personal data collected and the purposes for which it is used.

    To find out more about consent check out our free “EU GDPR FOUNDATIONS COURSE” (https://advisera.com/training/).
  • Risk Assessment in ISO 27001:2013

    First, it is important to note that information flow is not mentioned anywhere in the ISO 27001 standard.

    Regarding risk assessment, the information flow is only one of the inputs used to understand the context in which the risk assessment will be performed. So you still have to define an approach to the risk assessment process, and for information security risk assessment the asset-based risk assessment is still one of the most common approaches.

    These articles can provide you more information about risk assessment approaches:
    - ISO 31010: What to use instead of the asset-based approach for ISO 27001 risk identification - https://advisera.com/27001academy/blog/2016/04/04/iso-31010-what-to-use-instead-of-the-asset-based-approach-for-iso-27001-risk-identification/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] - https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
    - Free online training ISO 27001 Foundations Course - https://advisera.com/training/iso-27001-foundations-course/
  • Template content

    Answer: If you need a procedure for monitoring information processing servers, I suggest you take a look at the free demo of our Operating Procedures for Information and Communication Technology template to see if it can fulfill your needs. You can access the demo at this link: https://advisera.com/27001academy/documentation/security-procedures-for-it-department/

    Regarding the Code of Ethics, the requirements of ISO 27001 do not call for such a document.
  • Accredited certification bodies

    Answer: Yes, that is correct. In Spain, ENAC is the national accreditation body (generally each country has its own), and this body accredits certification bodies that can issue ISO 27001 certificates (and certificates for other ISO standards such as ISO 9001, ISO 14001, etc.). This means that if you have a certificate that was issued by a certification body that is not accredited by an accreditation body (ENAC or any other), a customer may not trust your certificate, because it is not accredited.

    ENAC, as an accreditation body, evaluates whether each certification body is carrying out the certification process according to a formal process, which has to be aligned with another standard: ISO 27006, an international standard that specifies requirements and provides guidance so that certification bodies can audit and certify an ISMS.

    Regarding IQnet, it is basically an international network of certification bodies, which means that if you have an ISO 27001 certificate issued in Spain by a certification body, the same certificate can be valid in another country through another certification body that also belongs to IQnet.

    This article on how to select a certification body may be useful to you: “How to choose a certification body” - https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/

    And also this other article, “Accreditation vs. certification vs. registration in the ISO world” - https://advisera.com/articles/accreditation-vs-certification-vs-registration-in-the-iso-world/
  • SOC Type 2, GDPR and ISO 27001

    Answer: We are not experts on SOC Type 2, but this information (from the official site of the American Institute of CPAs) about SOC 2 and ISO 27001 may be interesting for you: https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/othermapping/trust-services-map-to-iso-27001.xlsx

    Regarding ISO 27001 and GDPR, ISO 27001 is a standard which focuses on protection of information, and the EU GDPR is a regulation defining requirements for protection of privacy, so ISO 27001 can be used as a basis to achieve compliance with approximately 50% of the EU GDPR.

    These articles will provide you further explanation about ISO 27001 and GDPR:
    - ISO 27001 implementation checklist - https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
    - 9 steps for implementing GDPR - https://advisera.com/articles/9-steps-for-implementing-gdpr/
    - Does ISO 27001 implementation satisfy EU GDPR requirements? - https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/

    2 - How to avoid duplicated effort.

    Answer: To avoid duplicated effort you should first map the correlation between the requirements of these three documents, to identify which ones are similar, and only then plan the documents you have to create.

    This material will provide you further explanation about ISO 27001 and GDPR:
    - How to integrate GDPR with ISO 27001 [free webinar on demand] - https://advisera.com/27001academy/webinar/how-to-integrate-gdpr-with-iso-27001-free-webinar-on-demand/
  • Knowledge base content

    Answer: Since their publication, ISO 27017 and ISO 27018 have not been reviewed or updated (by means of corrigenda), so any information regarding them in our knowledge base is still up to date.

    Regarding ISO 27001, two updates have already been published through corrigenda, one in 2014 and the other in 2015, but they refer to minor corrections to the standard that do not affect an ISMS based on this standard, or its relation with ISO 27017 or ISO 27018.

    This article will provide you further explanation about ISO 27001 corrigenda:
    - European 2017 Revision of ISO/IEC 27001: What has changed? - https://advisera.com/27001academy/blog/2017/10/25/european-2017-revision-of-isoiec-27001-what-has-changed/
  • Risks and opportunities and environmental aspects

    Answer:

    (1) Please check clause 6.1.1; it is there that the standard establishes that organizations should determine risks and opportunities associated with environmental aspects. See also the note at the end of clause 6.1.2 and annex A.6.1.1.

    (2) No. Please check annex A.8.1, first paragraph. That will depend on the risks and opportunities, significant environmental aspects and compliance obligations. For example, if you have non-significant environmental aspects without associated compliance obligations, there is no need for operational control.

    The following material will provide you information about operational control:

    - ISO 14001 - Defining and implementing operational control in ISO 14001:2015 - https://advisera.com/14001academy/blog/2016/04/11/defining-and-implementing-operational-control-in-iso-140012015/
    - free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - THE ISO 14001:2015 COMPANION - A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • GDPR for Non-governmental organization

    2. We have mapped all the data our organisation processes. They fall into several categories (members, stakeholders, prospects, etc.), and the legal basis used to process the data can differ accordingly (legitimate interest, contractual necessity, etc.). The description of the legitimate interest can also differ within the same group, according to the type of stakeholder approached. My question is the following: can we send out specific, and therefore different, privacy notices to data subjects according to their characteristics (legal basis used, reasons for processing), or do we need to have only one publicly available privacy notice that would cover every situation in which we process data?

    Answers:

    1. The EU GDPR is applicable to your processing activity as long as the processing activity takes place in the Union, regardless of whether the data subjects are in the Union or not.
    2. Regarding your privacy notices, you can bundle them for similar processing activities, even if, for example, the legal basis would be different.

    To learn more about privacy notices, check out our webinar “Privacy Notices Under the EU GDPR” (https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/).