Search results

  • Template content


    Answer: Here is an example you can use to guide you to fill this template:
    Job title or name: Security Officer
    Necessary knowledge and skills: Risk Management
    Which training is necessary: ISO 27005 course (Information technology -- Security techniques -- Information security risk management)
    Implementation record of necessary training: Course certificate
    Have training objectives been achieved?: Yes
    Achieved knowledge, skills, experience: The security officer is now capable of identifying, analysing, evaluating and treating risks according to the organization's context and risk acceptance criteria.
  • ISO 27001 and NIST


    Answer: First, let's understand both NIST and ISO 27001:
    - NIST SP-800 series of documents provides detailed information about processes to select and implement controls for computer security
    - ISO 27001 provides general requirements for the implementation, operation, control and improvement of a management system to protect information, regardless of the environment where it is (e.g., physical reports or digital databases). ISO 27001 provides protection through the selection of security controls described in its Annex A, as well as other controls that can be added by the organization.

    The ISO 27001 Documentation Toolkit has templates that are organized and can be used to implement both the management requirements of the ISO 27001 standard and the most commonly used information security controls from ISO 27001 Annex A, some of them IT related, which can be linked to NIST SP-800 documents.

    Considering that, you can use the ISO 27001 Documentation Toolkit to implement the overall approach to protect information, and after the identification of controls that can be related to NIST documents, you can use the NIST documents to implement the details for each control. For example, you can use information from SP 800-53 control for contingency plan testing to implement the Disaster Recovery Plan template.

    These articles will provide you further explanation about ISO 27001 and NIST:
    - What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    - How to use NIST SP 800-53 for the implementation of ISO 27001 controls https://advisera.com/27001academy/blog/2016/05/10/how-to-use-nist-sp-800-53-for-the-implementation-of-iso-27001-controls/
  • ISO 27001 foundations course


    Answer: The ISO 27001 Foundations course can add value to your competencies by giving you an overview of how information security concepts and practices fit in ISO management system frameworks, which are used by organizations world-wide. Since ISO 27001 is similar in structure to other management systems, this course can also be used as a first step in knowing management systems like ISO 9001 (quality management) and ISO 20000 (IT services management).

    This article will provide you further explanation about ISO 27001:
    - What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/

    These materials will also help you regarding ISO 27001:
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Materials for large organizations


    Answer: Large organizations often require more detailed policies and procedures, because they:
    - face a wider range of risk scenarios
    - have multiple sites that require different approaches to handle the same risks

    Considering that, the point is to increase the level of detail in each template and to elaborate multiple documents. The problem with this approach is that manual document control of such a great number of documents may become unfeasible, so you should also consider this when adapting our toolkit to a large organization.

    It is also important to note that you may have to create some documents that do not exist in the toolkit (e.g., physical security), because they are not mandatory and smaller companies usually do not need them.
  • BYOD Policy


    Do you happen to have some examples or a list for some ideas what to put here?

    [List of acceptable BYOD devices and their settings]
    [List of prohibited BYOD applications]

    Answer: For BYOD devices you should consider any asset your employees can bring to work premises (e.g., cellphones, tablets, and notebooks).

    For allowed settings you should consider configurations that can improve information protection (e.g., "storage encryption" and "screen locking" should be enabled). For prohibited settings, you should consider configurations that may compromise information storage or processing on the device (e.g., "Bluetooth connections" and "local password storage" should be disabled).

    Examples of prohibited applications are unlicensed software, and software not related to work, even if it is licensed (e.g., games).

    It is important to note that the creation of those lists is defined in sections 3.2, 3.3, and 3.4 of the BYOD Policy, not only in section 4.
  • An integrated management system for a mining operation


    Answer:

    Those are two very general questions. Implementing ISO 9001 and 14001:2015 in a mining environment is no different from other organizations and sectors. For ISO 9001 I would start with the process approach by mapping how the mining operation works as a set of processes. For ISO 14001 I would start with the environmental assessment to identify significant environmental impacts and compliance obligations. Then, I would develop a quality and environmental policy and determine context and interested parties. Then I would apply the risk-based approach and develop quality and environmental objectives and plans to meet them. Naturally, there are some iterations needed to fine-tune things. Then I would start with monitoring of operations/processes and objectives.

    The following material will provide you information about implementing an integrated management system:

    - Why mining companies should obtain ISO 14001 certification - https://advisera.com/14001academy/blog/2018/04/17/why-mining-companies-should-obtain-iso-14001-certification/
    - How to implement integrated management systems - https://advisera.com/articles/how-to-implement-integrated-management-systems/
    - How to integrate ISO 14001 and ISO 9001 - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/how-to-integrate-iso-14001-and-iso-9001/
    - ISO 9001:2015 & ISO 14001:2015 Integrated Documentation Toolkit - https://advisera.com/9001academy/iso-9001-iso-14001-integrated-toolkit/
    - free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • GDPR and Meetings


    Answer:

    The EU GDPR is applicable to the “processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system”, so if the personal data of the attendees is collected and processed, then the answer is yes.

    To learn more about the EU GDPR check out our “EU GDPR Foundation Course” (https://advisera.com/training/eu-gdpr-foundations-course//)
  • Integrated management system


    Answer: Yes, you can use the same procedure, because the requirement related to document control is common to ISO 27001 and the other standards.

    This article may be useful to you: “Usar la ISO 9001 para implementar la ISO 27001” https://advisera.com/27001academy/es/blog/2010/04/02/usar-la-iso-9001-para-implementar-la-iso-27001/

    And also this one: “How to integrate ISO 9001 and ISO 27001” https://advisera.com/9001academy/blog/2016/09/27/how-to-integrate-iso-9001-and-iso-27001/

    And also this free webinar: “Implementación de ISO 27001: ¿Cómo hacerla más sencilla utilizando la ISO 9001?” https://advisera.com/27001academy/es/webinar/iso-27001-implementation-how-to-make-it-easier-using-iso-9001-free-webinar-on-demand/
  • Terms and conditions/ translations


    Answer:

    If you are not targeting a specific country, English language documents should be enough.

    To learn more about the EU GDPR check out our “EU GDPR Foundation Course” https://advisera.com/training/eu-gdpr-foundations-course//
  • Data Security Addendum


    Answer:

    The document you are looking for is usually called a Data Processing Agreement or Processor Addendum and you can find a template in our EU GDPR Documentation Toolkit in section 7 – Third Party Compliance https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/

    To learn more about the EU GDPR check out our “EU GDPR Foundation Course” https://advisera.com/training/eu-gdpr-foundations-course//