Search results

Home / Search

Category:

Sort by:

Select

Types of user:

Select

11272 results

Guest

Create New Topic As guest or Sign in

Business department* About business* Organization size*

Title *

Body *

HTML tags are not allowed

Category *

Select

Assign topic to the user

Select user

Knowledge base content

Answer: Since their publication, ISO 27017 and ISO 27018 have not been reviewed or updated (by means of corrigenda), so any information regarding them in our knowledge base is still updated.

Regarding ISO 27001, two updates have already been published through corrigenda, one in 2014 and the other in 2015, but they refer to minor corrections on the standard that do not affect ISMS based on this standard, or its relation with ISO 27017 or ISO 27018.

This article will provide you further explanation about ISO 27001 corrigenda:
- European 2017 Revision of ISO/IEC 27001: What has changed? https://advisera.com/27001academy/blog/2017/10/25/european-2017-revision-of-isoiec-27001-what-has-changed/
Risks and opportunities and environmental aspects
Answer:

(1) Please check clause 6.1.1 – it is there that the standard establishes that organizations should determine risks and opportunities associated with environmental aspects. See also the note at the end of clause 6.1.2 and the annex A.6.1.1

(2) No. Please check annex A.8.1, first paragraph. That will depend on the risks and opportunities, significant environmental aspects and compliance obligations. For example, if you have non-significant environmental aspects without associated compliance obligations there is no need for operational control.

The following material will provide you information about operational control:

- ISO 14001 – Defining and implementing operational control in ISO 14001:2015 - https://advisera.com/14001academy/blog/2016/04/11/defining-and-implementing-operational-control-in-iso-140012015/ 140012015/
- free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
- book - THE ISO 14001:2015 COMPANION – A A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
GDPR for Non-governmental organization
2. We have mapped all data our organisation processes. They fall into several categories (members, stakeholders, prospects, etc.) and the legal basis used to process data can be different in accordance (legitimate interest, contractual necessity, etc.). The description of the legitimate interest can also differ within the same group, according to the type of stakeholder approached. My question is the following: can we send out specific - and therefore different - privacy notices to data subjects according to their characteristics (legal basis used, reasons for processing), or do we need to have only one publicly available privacy notice that would consider every situation where we process data?

Answers:

1. The EU GDPR is applicable to your processing activity as long as the processing acti vity takes place in the Union regardless if the data subjects are in the Union or not.
2. Regarding your privacy notices, you can bundle them for similar processing activities even if for example the legal basis would be different.

To learn more about privacy notices check out our webinar “ Privacy Notices Under the EU GDPR” (https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/)
Preparing for certification

Answer: For study references about ISO 27001 I suggest you to take a look at the following material:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- ISO 27001: An overview of the ISMS implementation process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001-overview-isms-implementation-process-free-webinar-demand/
CISA vs ISO 27001 LA

Answer: There is no experience requirement to attend an ISO 27001 lead auditor course (although previous experience will help you in some aspects). The experience is only required if you want to become a lead auditor working as a certification auditor.

These materials can provide you more information:
- How to become ISO 27001 Lead Auditor https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
- What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
- ISO 27001 Lead Auditor Course preparation training [free webinar on demand] https://advisera.com/training/iso-27001-lead-auditor-course/

Regarding CISA, th e work experience is required only to apply for certification, not to attend a CISA course. Details about how demonstrate competence for this certification, and verify if your experience is enough, can be found at these links:
- https://www.isaca.org/Certification/CISA-Certified-Information-Systems-Auditor/Apply-for-Certification/Pages/default.aspx
- https://www.isaca.org/Certification/CISA-Certified-Information-Systems-Auditor/How-to-Become-Certified/Pages/default.aspx

2 - Which one is in more demand these days?

Answer: CISA and Lead Auditor cover different fields (information on systems are only a small intersection between them), so does not make much sense to compare demands between them. Your choice between them should be based on the type and depth of the activities you desire to perform. If your want to focus on information security management, you should consider ISO 27001 Lead Auditor. If you want to go beyond the scope of information security, and also consider the strategic relationships between information security and the information systems and business objectives you should consider CISA. Please note that these courses do not exclude each other, they only offer different perspectives about how information interacts with business.

Another alternative you should consider is the Lead Implementer course.

For more information, please see these articles:
- CISA vs. ISO 27001 Lead Auditor certification https://advisera.com/27001academy/blog/2015/05/11/cisa-vs-iso-27001-lead-auditor-certification/
- What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
- Lead Auditor Course vs. Lead Implementer Course – Which one to go for? https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/
¿Controles obligatorios?

Respuesta: Disculpa, pero no estoy seguro si he entendido bien tu pregunta, porque la lógica de la ISO 27001 es identificar riesgos, y tratarlos, implementando los controles de seguridad que sean necesarios. Por tanto, básicamente los controles que pueden no ser obligatorios son aquellos que no necesitas para tratar los riesgos identificados, por ejemplo porque no son aplicables. Por ejemplo, si en tu organización no exise el teletrabajo, el control relacionado con el teletrabajo no será aplicable, y por tanto no será obligatorio implementarlo. Este artículo te puede resultar interesante “La lógica básica de ISO 27001: ¿cómo funciona la seguridad de la información?” https://advisera.com/27001academy/es/knowledgebase/la-logica-basica-de-iso-27001-como-funciona-la-seguridad-de-la-informacion/

Por cierto, en algunos controles es obligatorio tener un documento con información documentada, aquí puedes encontrar una lista completa de los documentos que son obligatorios “Lista de documentos obligatorios exigidos por la norma ISO 27001 (revisión 2013)” https://advisera.com/27001academy/es/knowledgebase/lista-de-documentos-obligatorios-exigidos-por-la-norma-iso-27001-revision-2013/
Data transfer
To what extent should we use Annex 2 of the Cross-Border Data Processing Procedure for:
- the application of visas for countries such as America, India, China, etc.? Consulates will not be prepared to sign Annex 2.
- the reservation of hotels, renting cars in e.g. the above-mentioned countries?

Answer:

1. If you apply for visas you don`t need to have a data transfer mechanism in place as the transfer of data is regulated via International Agreements between countries.
2. If the data subject does that directly there is no need for such data transfer agreement. However, if a company in the EEA would be passing personal data to a car rental company outside the EEA a data transfer agreement would be needed between the two entities.

To learn more about data transfers check out our webinar “How to make personal data transfers to ot her countries compliant with GDPR” (https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/)
Herramientas para la transición
Para saber cuál es el nivel de cumplimiento de su documentación con la nueva revisión del estándar, puede realizar un análisis de GAP. Aquí puede acceder a nuestra herramienta de análisis GAP: https://advisera.com/9001academy/es/herramienta-analisis-de-brecha-iso-9001/
Una vez que sepa dónde está su empresa, puede seguir estos pasos para ayudarle con una transición exitosa a la nueva versión:
1) Definir el contexto de la organización
2) Revisar el alcance del SGC
3) Demostrar liderazgo
4) Alinear los objetivos SGC con la estrategia de la compañía
5) Evaluar riesgos y oportunidades
6) Controlar la información documentada
7) Control operacional
8) Revisar el proceso de diseño y desarrollo
9) Control de proveedores externos
10) Evaluación de desempeño
11) Medición e informes
Estas herramientas también pueden ayudarle con la transición de ISO 9001:
- Matriz ISO 9001: 2015 frente a ISO 9001: 2008: https://info.advisera.com/9001academy/free-download/iso-90012015-vs-iso-90012008-matrix
- Informe técnico - Proceso de transición de doce pasos desde ISO 9001: 2008 hasta la revisión de 2015: https://info.advisera.com/9001academy/free-download/twelve-step-transition-process-from-iso-90012008-to-the-2015-revision
- Lista de verificación de la documentación obligatoria requerida por ISO 9001: 2015: https://advisera.com/9001academy/2015transition/
- Herramienta de conversión ISO 9001: 2008 vs. 2015: https://advisera.com/9001academy/iso-90012008-vs-2015-conversion-tool/
- Curso de Fundamentos ISO 9001: 2015: https://advisera.com/es/formacion/?standard=iso-9001
ISO 9002 and ISO 9003
Answer:

Yes, they were. Before ISO 9001:2000 there were three quality assurance standards: ISO 9001 for a company with design, commercial and production in the scope, ISO 9002 or a company with for a company with commercial and production in the scope, and 9003 basically for a company without neither design nor production, just commercial activity.

The following material will provide you information about standards history:

- ISO 9001 – ISO 9002 & ISO 9003 are History - https://advisera.com/9001academy/knowledgebase/iso-9002-iso-9003-are-history/
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
Expectations for the transition audit
Answer:

I recommend you concentrate on the areas with the most important changes in the 14001:2015 version. Particularly risks and opportunities; context of the organization, interested parties and the life cycle consideration during the identification of environmental aspects.

The following material will provide you information about auditing the transition:
- ISO 14001 – How to avoid nonconformities during the ISO 14001:2015 transition - https://advisera.com/14001academy/blog/2015/10/26/how-to-avoid-nonconformities-during-the-iso-140012015-transition/
- 12 steps to make the transition from ISO 14001:2004 to 2015 revision - https://advisera.com/14001academy/blog/2015/09/28/12-steps-to-make-the-transition-from-iso-140012004-to-2015-revision/
- free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-foundations-course/
- book - THE ISO 14001:2015 COMPANION – A A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +

Search results

11272 results

Create New Topic As guest or Sign in

Assign topic to the user

Want to vote?

Knowledge base content

Risks and opportunities and environmental aspects

GDPR for Non-governmental organization

Preparing for certification

CISA vs ISO 27001 LA

¿Controles obligatorios?

Data transfer

Herramientas para la transición

ISO 9002 and ISO 9003

Expectations for the transition audit

Didn’t find an answer?