
  • Becoming an ISO 27001 Lead Auditor


    Answer: To obtain an ISO 27001 Lead Auditor certification you should attend an ISO 27001 Lead Auditor course, so you can understand the concepts of the ISO 27001 management system and the processes and techniques involved in an audit (there is no need to get the Lead Implementer certification first), and pass the exam at the end of the course.

    These articles will provide you further explanation about becoming a lead auditor:
    - How to become ISO 27001 Lead Auditor https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/

    These materials will also help you regarding auditing:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - ISO 27001 Lead Auditor Course preparation training [free webinar on demand] https://advisera.com/training/iso-27001-lead-auditor-course/
  • Toolkit content

    Do you have any additional templates I can buy? And any other policies and documentation related to incident management that are not included in the toolkit.
    Also, I need a password policy for the organization, as I cannot find it in the toolkit I bought.

    Answer: The Incident Management Procedure and Incident Log templates (located in folder 8 (Annex A), sub-folder A.16 (Information security incident management)) and the Disaster Recovery Plan template (located in folder 8 (Annex A), sub-folder A.17 (A.17 Business Continuity 04 Business Continuity Plan)) included in your ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit are sufficient to fulfil ISO 27001, ISO 27017, and ISO 27018 requirements, but if you feel you still need more details or documents to cover your processes, you can schedule a meeting with one of our experts, so he can guide you on the best approach to fulfil your needs. You can schedule a meeting through this link: https://advisera.com/27001academy/consultation/

    Regarding the password policy, these documents included in your toolkit cover this issue:
    - Access Control Policy
    - Password Policy

    Both are located in folder 8 (Annex A), sub-folder A.9 Access control, and the Password Policy may be implemented as a separate document or as part of the Access Control Policy.
  • Privacy and information classification


    Answer: Since private information, if compromised, can normally cause significant damage to the natural person to which it is related, as well as to the organization itself in terms of reputation, damage control, and legal actions, it should be classified in one of the highest levels of classification available, if not in the highest level.

    This article will provide you further explanation about information classification:
    - Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/

    These materials will also help you regarding information classification:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Security and ISO 27001


    Answer: ISO 27001 can make an organization more secure by lowering the risks to which it is exposed to acceptable levels, provided that after the implementation the organization engages in the systematic work of reviewing its organizational context and its business and security performance results, and performs risk assessments, to ensure the security controls are adequate to handle the perceived risks.

    These articles will provide you further explanation about maintaining ISO 27001:
    - Does ISO 27001 mean that information is 100% secure? https://advisera.com/27001academy/blog/2011/05/02/does-iso-27001-mean-that-information-is-100-secure/
    - Why is management review important for ISO 27001 and ISO 22301? https://advisera.com/27001academy/blog/2014/03/03/why-is-management-review-important-for-iso-27001-and-iso-22301/
    - Achieving continual improvement through the use of maturity models https://advisera.com/27001academy/blog/2015/04/13/achieving-continual-improvement-through-the-use-of-maturity-models/
  • AS9100 Rev D: Risks, Configuration and FAI

    2. Is a configuration audit to be done for products and services?
    3. If "No" for the 2nd query, is a configuration audit to be done only during new product/production part introduction?
    4. Does the standard emphasise last piece inspection?

    Answer:
    1) In both clause 6.1 and 8.1.1 there is no requirement for documented information; however, as there is a need in both cases to review this risk listing and the action taken to address risks, it is very common that these activities will need to be documented in order to facilitate these reviews.
    2) Configuration management (8.1.2) is applicable to both products and services, but as is indicated it is to be implemented “as appropriate” to the organization. So if your services do not require a configuration management system per your customer requirements, then this is not necessary.
    3) Configuration management is applicable to all production; as you can see in 8.1.2b, it includes an assurance that the documents for the product are consistent with the actual attributes. In other words, the configuration of the actual product or service meets the configured requirements for that product or service.
    4) The standard does not emphasize last piece inspection, but rather emphasizes “production process verification” (clause 8.5.1.3), which includes taking a representative item from the first production run to validate that all processes are working, which is also known as First Article Inspection.
  • GDPR Cross Border Agreement Question


    Answer:

    Two things: first, the document is a Data Processing Agreement and not a Cross Border Data Transfer Agreement; these are two distinct documents.

    Regarding the annexes of the Data Processing Agreement, Annex 1 is consistent with the requirements of EU GDPR article 28(3) – Processor (https://advisera.com/eugdpracademy/gdpr/processor/), and the information in there should reflect the processing activity that is undertaken by the processor.

    Annex 2 presents just some illustrative measures, which should be treated as sample measures taken to ensure the security of processing, so they can definitely be changed based on your needs.

    To find out more about cross border data transfers check out our webinar “How to make personal data transfers to other countries compliant with GDPR” https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/
  • Survey and Incident closure


    Answer:
    Getting users' feedback once an incident is resolved is not against ITIL principles. Quite the contrary: an incident should stay in the status "resolved" until the customer confirms the resolution, or, as practice has shown, until a certain amount of time has passed (e.g. 3 days). I had a project where we used to call the user to confirm incident resolution, so surveying users is OK if that's the preferred way. Some tools have that functionality integrated, so you can use that too.

    Read the article "Incident resolution and closure: Waiting for the fat lady to sing" https://advisera.com/20000academy/knowledgebase/incident-resolution-closure-waiting-fat-lady-sing/ to learn more.
  • DPIA template

    Do I follow the template in the toolkit called “07.2_Supplier_Data_Processing_Agreement_EN” within the folder “07_Third_Party_Compliance”?

    Answer:

    Usually it is the data controller's duty to ensure that its processors act based on its instructions and take appropriate technical and organizational measures to comply with the EU GDPR.

    So, when acting as a controller it is your duty to have the Data Processing Agreements signed with your controllers. However, when you are acting as a processor you might get some pushback from the controllers, which may want to impose their own Data Processing Agreements.

    To learn more about controllers and processors check out our free “EU GDPR Foundations Course” https://advisera.com/training/eu-gdpr-foundations-course//
  • Consent under the Data Protection Directive

    2. The other situation is that most of these clients that use our services make access to the web platform available to their employees. In such a situation, is it OK to get one approved consent that represents the company as an entity, or do we still have to get consent from every single user that uses the services under their own company?

    Answer:

    1. Where consent has been given under the Data Protection Directive, it will continue to be valid under the Regulation if it also meets the requirements of the Regulation. This may be difficult given the new and stringent requirements for consent. Under the EU GDPR, consent must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. Also, as controller, you must keep records so you can demonstrate that consent has been given by the relevant individual. So, if your consent fulfills the above mentioned requirements, there is no need for new consents.

    I would also advise you to double check whether consent is the most suitable lawful ground for processing.

    To find out more about consent check out our webinar “How to handle consents under GDPR” (https://advisera.com/eugdpracademy/webinar/how-to-handle-consents-under-gdpr-free-webinar-on-demand/).

    Most likely you won't need the consent, but another lawful ground would be better suited. I would need more information about what it is that your platform does and what types of personal data it processes to provide you with more insight.
  • Advice on GDPR


    Answer:

    If you are processing personal data of individuals you would be subject to the EU GDPR, so you should provide them the proper Privacy Notices and ensure that you can comply with their requests. Unfortunately, there are only small exceptions which apply to small companies, such as not maintaining a “record of processing activities” pursuant to article 30 of the EU GDPR – “Records of processing activities” https://advisera.com/eugdpracademy/gdpr/records-of-processing-activities/

    To learn more about the EU GDPR check out our free “EU GDPR Foundations Course” https://advisera.com/training/eu-gdpr-foundations-course//