Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11269 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
New Website GDPR policy statement
Answer:
The document you are looking for is called a “Privacy Notice” and is regulated by EU GDPR art. 13 - Information to be provided where personal data are collected from the data subject (https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-are-collected-from-the-data-subject/) and a template can be found in our EU GDPR Documentation Toolkit (https://advisera.com/eugdpracademy/documentation/privacy-notice/).
To find more about privacy n otices check out our webinar “Privacy Notices Under the EU GDPR” https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/ -
Privacy & GDPR
Answer:
What you are looking for is the Privacy Notice where you inform the website visitors/clients about the data you collect when they access/register on the website and you can use the template Privacy Notice in the toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/
To find more about privacy notices check out our webinar “Privacy Notices Under the EU GDPR” https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/ -
Meaning of context determination
Answer:
Any organization is an open system interacting with the outside world. So, an organization’s approach to its products, services and priorities is affected by the interested parties (and its needs and expectations), and external issues (like political, economic, social, technologic, environmental and legislation), and internal issues (like performance, strategic orientation, history, …). Determining context of the organization is a way of listing all those issues.
The following material will provide you information about the context determination:
- ISO 9001 – How to identify the context of the organization in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
- ISO 9001:2015 Case study: Context of the organization as a success factor in manufacturing company - https://advisera.com/9001academy/blog/2016/10/11/iso-90012015-case-study-context-of-the-organization-as-a-success-factor-in-manufacturing-company/
- Procedure for Determining Context of the Organization and Interested Parties - https://advisera.com/9001academy/documentation/procedure-for-determining-context-of-the-organization-and-interested-parties/
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
Considering the lifecycle aspect
I am trying to consider the lifecycle aspect but do not really know where to start. I would appreciate any help in this”
Answer:
I would think of your service as a process with its own lifecycle:
You purchase consumables – do you have environmental considerations when deciding to whom to buy?
Your welders have to move to customers locations – do you any environmental considerations about that transport?
Your welders perform their work and generate some kind of waste - do you any environmental considerations about how to perform and how to handle wastes?
The following material will provide you information about considering lifecycle aspects:
- ISO 14001 – Lifecycle perspective in ISO 14001:2015 – What does it mean? - https://advisera.com/14001academy/blog/2017/02/20/lifecycle-perspective-in-iso-140012015-what-does-it-mean/
- How does product life cycle influence environmental aspects according to ISO 14001:2015? - https://advisera.com/14001academy/blog/2016/03/21/how-does-product-life-cycle-influence-environmental-aspects-according-to-iso-140012015/
- free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
- book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/ -
Exemplar Global accreditation
Answer: Exemplar Global certified our ISO 27001 exams according ISO 17024. For more information see this link: https://exemplarglobal.org/who-we-are/our-accreditations-and-associations/ -
Template content
Answer: Business continuity management is a set of practices to ensure the continuity of business operations in case of disasters or disruptive events that impact the organization. The main ISO standard for business management is ISO 22301.
Regarding ISO 27001 implementation, everything you need to comply with section A.17 from ISO 27001 Annex A (Information security aspects of business continuity management) is already included in the toolkit you bought. You can find them on folder 08 Annex A A.17 Business Continuity
These articles will provide you further explanation about ISO 22301, business continuity, and its applicability on ISO 27001 implementation:
- What is ISO 22301 https://advisera.com/27001academy/what-is-iso-22301/
- How to use ISO 22301 for the implementation of business continuity in ISO 27001 https://advisera.com/27001academy/blog/2 015/06/15/how-to-use-iso-22301-for-the-implementation-of-business-continuity-in-iso-27001/
This material will also help you regarding business continuity:
- Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/ -
Compliance exercise
Answer:
From your description it seems like your processing activities are only concerning individuals in Pakistan and thus not subject to the EU GDPR. Another thing is that if you are targeting only enterprises this means the exposure to personal data could be quite limited.
Thus, I fail to understand why would you want to become compliant with the piece of legislation which is not applicable to you. However, it you are interested in some advice you can check out our article “9 steps for implementing GDPR” https://advisera.com/articles/9-steps-for-implementing-gdpr/ -
Scope definition
This has been discussed during our Management meeting and our main trigger is sales related. Most of our customers and prospects strongly request ISO27001 certification, especially since 1 year.
One thing we are all convinced is that we would like to attain this, but we still have open points about scope. The main reason is that we are part of a multinational environment and a lot is changing currently. Our IT has centralized since last year. So no local impact on decisions.
And our backoffice activities will now also get more centralized. From an ISO certification point of view we see a lot of (possible) impact.
So maybe you could assist me already with 1 important question. Do we need to go for an ISO27001 certification for the entire organization ?
Or would a certification for a specific part be enough. For example. We mainly require this in environments where we deliver the IT ser vices.
Would it be possible to get a short reply about pro’s and con’s ? Or maybe a reason not to do this for only a part of the organization ?
I’m responsible for 2 countries. 1 has already ISO9001, the other doesn’t.
Answer: ISO 27001 does not require the entire organization to be in the scope for the certification, so you can define the scope that will better suit your organization needs.
For small and mid-size organizations (up to 500 employees) often it is better to include all the organization in the scope, because the effort to keep only part of the organization in the scope is not worthy. For bigger organizations defining a smaller scope may be better to reduce the costs and effort to what really matters for business objectives.
If your organization is smaller than 50 employees you should go for the whole scope.
These articles will provide you further explanation about scope definition:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
This material will also help you regarding scope definition:
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
Control of documents
My question is relating to the structure of the documentation, I'm writing the documentation on XXXX and it's going to be (initially) located in a XXXXX.
I want to make the structure as easy to ready/use as possible, so thinking of having sub-folders for the likes of Employee procedures, Data-protection policies, and then the ISMS.
However, some documentation which would be intended for Employee use (e.g. Computer Acceptable Use Policy) would also form a policy under the ISMS for ISO27001. The same applies for Data Protection Policies (such as Data Portability procedures) - this would be covered in the ISMS and Data Security, so I'm uncertain where to locate it.
I guess to cut a long story short, everything I've seen seems to suggest placing all procedures and policies in the ISMS folder but logically to me that would n't work.
Can you offer any advise?
Answer: ISO 27001 does not prescribe how you must organize your documents, so you can place them the way it will be more useful and easier to understand by your employees.
My suggestion to you is to keep in the ISMS folder only the high level policies and procedures (e.g., information security policy, document control procedures, internal audit procedure, etc.), and keep specific policies and procedures in the folders most related to them (e.g., the backup policy could be kept on the folder that contain the IT staff documentation).
These articles will provide you further explanation about document control:
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
- One Information Security Policy, or several policies? https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/
- Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/ -
ISO 27001 certifications
Answer: Certifications are one of the most common alternatives used by organizations when looking for competent personnel, as well as for professionals to demonstrate their knowledge and, for some certifications, experience. So, getting certified can improve your career opportunities.
Regarding if there are better certifications than those related to ISO 27001, this will depend of your objectives. There are certifications focused on technical aspects of information security (e.g., CISSP), certifications covering the link between information security and the business (with a wider approach on information security management) (e.g., CISM). ISO 27001 certifications focus on the requirements of the ISO 27001 standard for the implementation of information security management.
This article will provide you further explanation about personal certifications:
- How personal certificates can help your company’s ISMS https://advisera.com/27001academy/blog/2014/10/06/how-personal-certificates-can-help-companys-isms/
2) If yes, then should I go with ISO 27001 Lead Implementer certification first before I approach the Lead Auditor certification?
Answer: There is no specific order to pursue ISO 27001 certifications. This decision will depend of your career objectives. If you plan to work on an information Security Management System certification process, then you should consider the Lead Implementer certification. If you plan to ensure the operation of an ISMS, then you should consider the Lead Auditor certification.
These articles will provide you further explanation about ISO 27001 certifications:
- What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
- What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
This material will also help you regarding ISO 27001 certifications:
- ISO 27001 Lead Auditor Course preparation training [free webinar on demand] https://advisera.com/training/iso-27001-lead-auditor-course/