
  • Warning notice in email containing personal data


    Answer:

    There is no requirement for such “warning notices” in emails. The EU GDPR only speaks about privacy notices that need to be provided to the data subjects by data controllers.

    To find out more about privacy notices check out our webinar “Privacy Notices under the EU GDPR” (https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/) .
  • ISO 27001 certification


    Answer: ISO 27001 can't certify a website. The ISO 27001 certification is applicable to processes, locations or information related to the website. For example:
    - The development and maintenance processes related to the website
    - The physical location from where the website is accessed
    - The information published on the website

    Considering that, broadly speaking, an organization has to:
    - Define and document a scope based on the needs and expectations of interested parties relevant to information security
    - Define, document and communicate an information security policy
    - Define roles and responsibilities relevant to operation and management of information security
    - Define a risk assessment and treatment methodology
    - Define and allocate competencies and resources for the operation and management of information security
    - Implement risk assessment and risk treatment
    - Operate the security controls and generate the necessary records
    - Measure, monitor and evaluate the information security performance
    - Implement corrections and improvements

    To increase chances of success, it is important that persons involved have experience in project management and knowledge of the standard.

    These articles will provide you further explanation about ISO 27001:
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
    - Who should be your project manager for ISO 27001/ISO 22301? https://advisera.com/27001academy/blog/2014/12/01/who-should-be-your-project-manager-for-iso-27001-iso-22301/

    2 - What kind of standard procedures do we have to follow? Please let me know.

    Answer: ISO 27001 has a set of documents and records that you need to produce if you want to be compliant with the standard such as:
    - Scope of the ISMS (clause 4.3)
    - Information security policy and objectives (clauses 5.2 and 6.2)
    - Risk assessment and risk treatment methodology (clause 6.1.2)

    For a complete list, please access this article: List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

    These materials will also help you regarding ISO 27001 certification:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Video tutorial content


    Answer: First of all, thanks for your feedback. We'll verify this situation and answer you as soon as possible.

    If you find any other differences between any video tutorial and the templates, please consider the templates, because they are up to date to the current version of the standard.

    The "Policy for handling classified information" is now called "Information Classification Policy", and can be found in folder 08 Annex A A.8 Asset management

    If you still feel you need more information about this topic, you can schedule a meeting with one of our consultants. To schedule a meeting, please access this link: https://advisera.com/27001academy/consultation/
  • Template content


    Answer: Here is an example you can use to guide you to fill this template:
    Job title or name: Security Officer
    Necessary knowledge and skills: Risk Management
    Which training is necessary: ISO 27005 course (Information technology -- Security techniques -- Information security risk management)
    Implementation record of necessary training: Course certificate
    Have training objectives been achieved?: Yes
    Achieved knowledge, skills, experience: The security officer is now capable of identifying, analysing, evaluating and treating risks according to the organization's context and risk acceptance criteria.
  • ISO 27001 and NIST


    Answer: First, let's understand both NIST and ISO 27001:
    - NIST SP-800 series of documents provides detailed information about processes to select and implement controls for computer security
    - ISO 27001 provides general requirements for the implementation, operation, control and improvement of a management system to protect information, regardless of the environment where it is (e.g., physical reports or digital databases). ISO 27001 provides protection through the selection of security controls described in its Annex A, as well as other controls that can be added by the organization.

    The ISO 27001 Documentation Toolkit has templates that are organized and can be used to implement both the management requirements of the ISO 27001 standard and the most commonly used information security controls from ISO 27001 Annex A, some of them IT related, which can be linked to NIST SP-800 documents.

    Considering that, you can use the ISO 27001 Documentation Toolkit to implement the overall approach to protect information, and after the identification of controls that can be related to NIST documents, you can use the NIST documents to implement the details for each control. For example, you can use information from SP 800-53 control for contingency plan testing to implement the Disaster Recovery Plan template.

    These articles will provide you further explanation about ISO 27001 and NIST:
    - What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    - How to use NIST SP 800-53 for the implementation of ISO 27001 controls https://advisera.com/27001academy/blog/2016/05/10/how-to-use-nist-sp-800-53-for-the-implementation-of-iso-27001-controls/
  • ISO 27001 foundations course


    Answer: The ISO 27001 Foundations course can add value to your competencies by giving you an overview of how information security concepts and practices fit in ISO management system frameworks, which are used by organizations world-wide. Since ISO 27001 is similar in structure to other management systems, this course can also be used as a first step in knowing management systems like ISO 9001 (quality management) and ISO 20000 (IT services management).

    This article will provide you further explanation about ISO 27001:
    - What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/

    These materials will also help you regarding ISO 27001:
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Materials for large organizations


    Answer: Large organizations often require more detailed policies and procedures, because they:
    - face a wider range of risk scenarios
    - have multiple sites that require different approaches to handle the same risks

    Considering that, the point is to increase the level of detail in each template and to elaborate multiple documents. The problem with this approach is that manual document control of such a great number of documents may become unfeasible, so you should also consider this when adapting our toolkit to a large organization.

    It is also important to note that you may have to create some documents that do not exist in the toolkit (e.g., physical security); they are not included because they are not mandatory and smaller companies usually do not need them.
  • BYOD Policy


    Do you happen to have some examples or a list for some ideas what to put here?

    [List of acceptable BYOD devices and their settings]
    [List of prohibited BYOD applications]

    Answer: For BYOD devices you should consider any asset your employees can bring to work premises (e.g., cellphones, tablets, and notebooks).

    For allowed settings you should consider configurations that can improve information protection (e.g., "storage encryption" and "screen locking" should be enabled). For prohibited settings, you should consider configurations that may compromise information storage or processing on the device (e.g., "Bluetooth connections" and "local password storage" should be disabled).

    Examples of prohibited applications are unlicensed software, and software not related to work, even if it is licensed (e.g., games).

    It is important to note that the creation of those lists is defined in sections 3.2, 3.3, and 3.4 of the BYOD Policy, not only in section 4.
  • An integrated management system for a mining operation


    Answer:

    Those are two very general questions. Implementing ISO 9001 and 14001:2015 in a mining environment is no different from other organizations and sectors. For ISO 9001 I would start with the process approach by mapping how the mining operation works as a set of processes. For ISO 14001 I would start with the environmental assessment to identify significant environmental impacts and compliance obligations. Then, I would develop a quality and environmental policy and determine context and interested parties. Then I would apply the risk-based approach and develop quality and environmental objectives and plans to meet them. Naturally, there are some iterations needed to fine-tune things. Then I would start with monitoring of operations/processes and objectives.

    The following material will provide you with information about implementing an integrated management system:

    - Why mining companies should obtain ISO 14001 certification - https://advisera.com/14001academy/blog/2018/04/17/why-mining-companies-should-obtain-iso-14001-certification/
    - How to implement integrated management systems - https://advisera.com/articles/how-to-implement-integrated-management-systems/
    - How to integrate ISO 14001 and ISO 9001 - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/how-to-integrate-iso-14001-and-iso-9001/
    - ISO 9001:2015 & ISO 14001:2015 Integrated Documentation Toolkit - https://advisera.com/9001academy/iso-9001-iso-14001-integrated-toolkit/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • GDPR and Meetings


    Answer:

    The EU GDPR is applicable for “processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system” so if the personal data of the attendees is collected and processed then the answer is yes.

    To learn more about the EU GDPR check out our “EU GDPR Foundation Course” (https://advisera.com/training/eu-gdpr-foundations-course//)