
  • Data processing agreement

    If your accountant is not your employee the answer would be yes.
  • Information Transfer Procedure


    I would like to know if you have any advice on best template to use in developing an Information Transfer Procedure.

    Answer: The "Operating Procedures for Information and Communication Technology" template included in your toolkit already covers the guidance and recommendations from control A.13.2.1 (Information transfer policies and procedures), so you can use this template to implement information transfer procedures, or adapt the document to your needs.

    This template can be found in folder 08 Annex A A.12 Operations security
  • ISO 27018


    Answer: ISO 27018 provides guidance and recommendations to protect personally identifiable information, so if your services involve your customers' personal data, or personal data from their customers, then this standard is probably applicable to you. To determine that, you should verify your customers' requirements and the laws and regulations applicable to your business.

    This article will provide you further explanation about ISO 27018:
    - ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/
  • Risk assessment and SoA


    If I have a risk assessment documented already must I document the risks in the SOA as well?

    Answer: The Statement of Applicability is required by ISO 27001 clause 6.1.3 d), so it is needed for certification purposes. In fact, it is one of the main documents used by the auditor during an audit.

    Although it is important for the SoA to justify the applicability of controls, there is no need to document risks in the SoA. In such cases you can simply refer to the risk identifiers used in the risk assessment document (e.g., "control applicable to treat risks identified by numbers 12 and 34 in the risk assessment").

    These articles will provide you further explanation about mandatory documents and SoA:
    - List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

    These materials will also help you regarding mandatory documents and SoA:
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Demonstrating compliance with ISO 22301


    Answer: Any company can comply with ISO 22301, but to do so the company obviously has to implement the standard, complying with its requirements. If I am a client of your company and I want you to demonstrate that you can implement the standard, you could show me a project plan for the implementation of the standard, with the approval of top management.

    Another option is certification of the implemented ISO 22301, and another option is a second-party audit.

    This free template can help you develop the project plan, “Project Plan for ISO 27001/ISO 22301 implementation”: https://info.advisera.com/27001academy/free-download/project-plan-for-iso-27001-iso-22301-implementation

    And this article can help you learn how to implement the standard in your organization, “17 steps for implementing ISO 22301”: https://advisera.com/27001academy/knowledgebase/17-steps-for-implementing-iso-22301/22301/iso-22301/
  • Top management


    Answer: If this person is formally not part of management, the problem may be that their decisions could be executed informally, and this can be a problem for compliance with ISO 27001, because your organization might not be able to demonstrate the leadership and commitment of top management with respect to the information security management system, which is an important requirement of ISO 27001 (clause 5.1 - Leadership and commitment). Therefore, one recommendation would be for this person to formally become part of top management.

    This article on the roles and responsibilities of top management may be of interest to you, “Roles and responsibilities of top management in ISO 27001 and ISO 22301”: https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/

    And also this article on the benefits of implementing ISO 27001, which may be of interest to management, “Four key benefits of ISO 27001 implementation”: https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
  • Purpose of requesting the birth date

    2. For the Data Subject Access Request Procedure. A Data Subject Access Request can be made verbally in Germany. Hence it is necessary to ensure that verbal requests are treated with the same level of care as with written requests.

    Answers:

    1. The birth date is mentioned for two purposes: for establishing that the individual is not a minor, and as a means of making it easy to identify him/her in your systems. However, you may choose not to ask for that information from the data subject.

    2. I can't see any question related to the topic of “Data Subject Access Request Procedure”.

    To learn more about DSARs check out our webinar “Data Subject Rights under the EU GDPR” https://advisera.com/eugdpracademy/webinar/data-subject-rights-under-the-eu-gdpr-free-webinar-on-demand/
  • Language of the Privacy policy


    Answer:

    If your website is targeting Italian users you can have the Privacy Notice/Notices in Italian only.

    To learn more about privacy notices check out our webinar “Privacy Notices Under the EU GDPR” https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/
  • Standards applicability


    Answer: ISO management standards (like ISO 27001 / BS EN ISO 9001) were designed to be implemented in organizations of any industry or size, so they would work the same way for any of them:
    1 - Identification of business context and requirements
    2 - Development and implementation of documents and records required by the standard
    3 - Development and implementation of documents and records required by business operations
    4 - Processes performance measurement, monitoring and review
    5 - Implementation of corrective actions and opportunities of improvement

    The difference would be in the number and complexity of the developed documentation, and the required resources.

    These articles will provide you further explanation about ISO 27001:
    - What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

    2 - Can this apply and is it useful/necessary in this case or is there any equivalent?

    Answer: As mentioned in answer 1, these standards can be applied in your case, and can be useful in at least four ways:
    - to decrease costs related to information security incidents
    - to provide a competitive edge in your market
    - to help organize operations
    - to help ensure compliance with legal requirements you must fulfil

    Regarding necessity, you should consider your customers and legal requirements you must comply with.

    This article will provide you further explanation about ISO 27001 benefits:
    - Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/

    3 - Also, what is the average cost for an "extra" small company (web-based dev, 1 employee)?

    Answer: There are a significant number of variables to be considered when estimating an implementation cost, even for such small organizations, so without more detailed information it's not possible to give a precise value. What I can tell you are some cost issues you should consider:
    - Training and literature
    - External assistance
    - Technologies to be updated / implemented
    - Employee's effort and time
    - The certification process

    Regarding knowledge on costs, I suggest these articles:
    - How much does ISO 27001 implementation cost? https://advisera.com/27001academy/blog/2011/02/08/how-much-does-iso-27001-implementation-cost/
    - 5 ways to avoid overhead with ISO 27001 (and keep the costs down) https://advisera.com/27001academy/blog/2012/06/19/5-ways-to-avoid-overhead-with-iso-27001-and-keep-the-costs-down/
    - How to Budget an ISO 27001 Implementation Project https://info.advisera.com/27001academy/free-download/how-to-budget-an-iso-27001-implementation-project
  • Audit results


    I believe somewhere in your information you recommend against sharing audit results with the customer. If this is true, could you send me a link to that information? It will help to convince Sales that this is not a good idea.

    Answer: The sharing of audit results with customers should be handled carefully. While this can be a good marketing tool to demonstrate your organization's good faith and commitment to customers, it may also reveal situations that can compromise the relationship and your organization's image if not handled properly.

    My advice would be for your organization to define, by means of contracts and service agreements, in which situations these results should be shared, what information would be shared, and what measures should be taken by the customer to protect this information (e.g., those customers that will have access to the results should sign a non-disclosure agreement).