Answer: ISO 27001 can make an organization more secure by lowering the risks to which it is exposed to acceptable levels, provided that after the implementation the organization engages in the systematic work of reviewing its organizational context and its business and security performance results, and performs risk assessments, to ensure the security controls are adequate to handle the perceived risks.
2. Is Configuration audit to be done for Products & services?
3. If "No" for the 2nd query, whether Configuration audit is to be done only during New Product/Production part introduction?
4. Does the Standard emphasise on Last Piece Inspection?
Answer:
1) In both clauses 6.1 and 8.1.1 there is no requirement for documented information. However, as there is a need in both cases to review this risk listing and the action taken to address risks, it is very common that these activities will need to be documented in order to facilitate these reviews.
2) Configuration management (8.1.2) is applicable to both products and services, but as is indicated it is to be implemented "as appropriate" to the organization. So if your services do not require a configuration management system per your customer requirements, then this is not necessary.
3) Configuration management is applicable to all production; as you can see in 8.1.2b, it includes an assurance that the documents for the product are consistent with the actual attributes. In other words, the configuration of the actual product or service meets the configured requirements for that product or service.
4) The standard does not emphasize last piece inspection, but rather emphasizes "production process verification" (clause 8.5.1.3), which includes taking a representative item from the first production run to validate that all processes are working, which is also known as First Article Inspection.
GDPR Cross Border Agreement Question
Answer:
Two things: first, the document is a Data Processing Agreement and not a Cross Border Data Transfer Agreement; these are two distinct documents.
Regarding the annexes of the Data Processing Agreement, Annex 1 is consistent with the requirements of EU GDPR article 28(3) – Processor (https://advisera.com/eugdpracademy/gdpr/processor/) and the information in there should reflect the processing activity that is undertaken by the processor.
Annex 2 presents just some illustrative measures which should be treated as sample measures taken to ensure the security of processing, so they can definitely be changed based on your needs.
Answer:
Getting users' feedback once an incident is resolved is not against ITIL principles. Quite the contrary: an incident should stay in the status "resolved" until the customer confirms the resolution, or, as practice has shown, until a certain amount of time has passed (e.g. 3 days). I had a project where we used to call the user to confirm incident resolution, so surveying users is OK if that's the preferred way. Some tools have that functionality integrated, so you can use that too.
Do I follow the template in the toolkit called “07.2_Supplier_Data_Processing_Agreement_EN” within the folder “07_Third_Party_Compliance”?
Answer:
Usually it is the data controller's duty to ensure that its processors act based on its instructions and take appropriate technical and organizational measures to comply with the EU GDPR.
So, when acting as a controller, it is your duty to have the Data Processing Agreements signed with your controllers. However, when you are acting as a processor you might get some pushback from the controllers, which may want to impose their own Data Processing Agreements.
2. The other situation is that most of these clients that use our services, make access to the web platform available to their employees, in such a situation, is it ok to get one approved consent that represents the company as an entity or do we still have to get the consents from every single user that uses the services under their own company?
Answer:
1. Where consent has been given under the Data Protection Directive, it will continue to be valid under the Regulation if it also meets the requirements of the Regulation. This may be difficult given the new and stringent requirements for consent. Under the EU GDPR, consent must be a freely given, specific, informed and unambiguous indication of the individual's wishes. Also, as a controller, you must keep records so you can demonstrate that consent has been given by the relevant individual. So, if your consent fulfills the above-mentioned requirements, there is no need for new consents.
I would also advise you to double-check whether consent is the most suitable lawful ground for processing.
Most likely you won't need consent, and another lawful ground would be better suited. I would need more information about what it is that your platform does and what types of personal data it processes to provide you with more insight.
Advice on GDPR
Answer:
If you are processing personal data of individuals, you would be subject to the EU GDPR, so you should provide them with the proper Privacy Notices and ensure that you can comply with their requests. Unfortunately, there are only small exceptions which apply to small companies, such as not maintaining a "record of processing activities" pursuant to article 30 of the EU GDPR – "Records of processing activities" https://advisera.com/eugdpracademy/gdpr/records-of-processing-activities/
Answer: To calculate, or define, the values of threat and vulnerability you must consider historical/statistical data (either from your own organization or related to your industry) and the opinion of the personnel who best know the assets and the process you are assessing. The information available will allow you either to calculate the values based on quantifiable data or to adopt values based on the perception you and your team have of the situation.
It is important to note that for ISO 27001 there is no need to assess threat/vulnerability values to calculate the level of risk.
2. How to write the findings and recommendations in the assessment report with the overall risk rating and security ranking?
Answer: ISO 27001 does not require the findings of the assessment report to be linked directly with an overall risk rating and security ranking (in fact, including this correlation would result in an excessively complex report with little added value).
Regarding recommendations, for each finding the consultant should provide at least one or two recommendations on how to handle the situation (e.g., controls to minimize the probability and/or impact of a risk occurring).
3. Kindly do let me know how to update the overall score and risk rating (Highlighted in Red box)
Answer: If by the overall score and risk rating you mean the level of risk associated with the findings identified in the assessment, then the way to improve the score and the rating is to introduce controls which will decrease the risk, by handling the findings.
ISO 27001 implementation
Answer: To start the implementation of an ISMS compliant with ISO 27001, you should consider these steps:
1) getting management buy-in for the project;
2) defining ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding organizational context and requirements of interested parties;
3) development of risk assessment and treatment methodology;
4) perform risk assessment and define risk treatment plan;
5) controls implementation (e.g., policies and procedures documentation, acquisitions, etc.);
6) people training and awareness;
7) controls operation;
8) performance monitoring and measurement;
9) perform internal audit;
10) perform management critical review; and
11) address nonconformities, corrective actions and opportunities for improvement.
Regarding implementation approaches, the most common are:
- Use your own staff to implement the ISMS
- Use a consultant to perform most of the effort to implement the ISMS
- Use a consultant only to support the staff on specific issues, leaving the organization's staff with most of the implementation effort.
I can mention at least three reasons for you to consider ISO 27001:
- Your clients may demand some sort of guarantee that you are able to properly protect the programs that handle their information, and ISO 27001 is one of the most widely recognized frameworks worldwide for providing that
- The industry you work in may have regulations or laws that require you to protect the programs that handle your clients' information, and ISO 27001 can help you track and manage them so you can avoid fines.
- ISO 27001 may give you a business edge over your competitors, by means of providing programs with higher levels of security embedded.
These articles will provide you further explanation about ISO 27001:
- ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
- Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
These materials will also help you regarding ISO 27001:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/