
  • Importance of indicators in ISO 27001


    Answer: Indicators are very important because you can use them to measure and monitor information security processes and controls, which is a requirement of ISO 27001 according to clause 9.1 Monitoring, measurement, analysis and evaluation.

    By the way, this article about indicators may be of interest to you: “Key performance indicators for an ISO 27001 ISMS” : https://advisera.com/27001academy/blog/2016/02/01/key-performance-indicators-for-an-iso-27001-isms/

    And also this one about control objectives: "Control objectives - Why are they important? " https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
  • Auditing outsourced processes (1)


    Answer:

    Consider auditing a process – what ISO 9001:2015 clauses do you consider?

    Auditing process performance (9.1.1 and 9.1.3);
    Auditing process control (8.5.1);
    Auditing quality control (8.6);
    Auditing nonconformities control (8.7);
    Auditing order control (8.4);
    Auditing documentation control (7.5);
    Auditing monitoring resources (7.1.5);
    Auditing identification and traceability (8.5.2).

    As you can see, you can use several ISO 9001 clauses to audit a process, outsourced or not.

    The following material will provide you information about scope definition:

    - ISO 9001 – How to control outsourced processes using ISO 9001 - https://advisera.com/9001academy/blog/2015/05/05/how-to-control-outsourced-processes-using-iso-9001/
    - ISO 9001: The importance of the process approach - https://advisera.com/9001academy/blog/2015/12/01/iso-9001-the-importance-of-the-process-approach/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Issues are not necessarily negative (1)

    I believe that “issue” is related to clause 4.1 of ISO 9001:2015. Several organizations use SWOT analysis as a way of determining relevant internal and external issues. Using the SWOT analysis implies determining issues with a positive connotation (opportunities and strengths) and determining issues with a negative connotation (threats and weaknesses).
    The following material will provide you information about internal and external issues:
    - ISO 9001 – How to identify the context of the organization in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
    - ISO 9001:2015 Case study: Context of the organization as a success factor in manufacturing company - https://advisera.com/9001academy/blog/2016/10/11/iso-90012015-case-study-context-of-the-organization-as-a-success-factor-in-manufacturing-company/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Data Subject Access Request Procedure


    Answer:

    All the data subject requests including the “right to be forgotten request” would be dealt with according to the “Data Subject Access Request Procedure”.

    To find out more about data subject rights you can check out our webinar “Data Subject Rights under the EU GDPR” https://advisera.com/eugdpracademy/webinar/data-subject-rights-under-the-eu-gdpr-free-webinar-on-demand/
  • EU GDPR


    Answer:

    You should first check the iCloud Privacy Policy because it might be that the data for EU users are stored in Europe.

    To find out about data transfers don't miss our webinar “How to make personal data transfers to other countries compliant with GDPR” https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/
  • Transmission of data to third countries


    Answer:

    You should first check the iCloud Privacy Policy because it might be that the data for EU users are stored in Europe.

    To find out about data transfers don't miss our webinar “How to make personal data transfers to other countries compliant with GDPR” https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/
  • Policy documentation

    In the ISO world, mandatory requirements/documents are related to the words "must" or "shall", while non-mandatory requirements/documents are related to the words "may" or "should". In ISO 27002, since it provides recommendations for the implementation of controls that may be required as a result of a risk assessment, you will find the guidance ruled by "should", i.e., you only have to consider the recommendations that will help handle the risks you identified as unacceptable.

    You can find more information in this article: Explanation of the basic terminology in ISO standards https://advisera.com/27001academy/blog/2015/01/12/explanation-of-the-basic-terminology-in-iso-standards/
  • ISO 22301 LA course


    From your perspective, is it possible to take only the exam for ISO 22301 lead auditor and not do the training once again? Is it something your company is offering?

    Answer: The ISO 22301 Lead Auditor exam is the final part of the ISO 22301 Lead Auditor course, so you cannot take the exam without attending the course, unless you are taking a second exam after failing the first one in the allowed time interval.

    Besides that, the content about audit methodologies and techniques is only part of the course. You will be presented with ISO 22301 concepts and requirements, and the exercises developed during the course are different.

    At this moment we are not providing the ISO 22301 Lead Auditor course.
  • Communication of information security


    “Can you please clarify where we specify what areas need to be known by what group of people?

    For example, the NOC personnel are not involved in Legal Matters (A.18) and vice versa Legal department needn’t know about the Incident Management Procedure (A.16). Our aim is that all employees in Scope must know the Scope Document and the IS Policy very well and then know documents that are relevant to their particular domain.”

    Answer: Included in the toolkit you bought there is a template called Training & Awareness Plan that you can use to map and organize the competences required for particular areas/skills and which people need to know them. This template can be found in folder 09 Training and Awareness Plan.

    Regarding your example, it is important to note that although NOC personnel are not directly responsible for Legal Matters, they provide important support for the technical evaluation of solutions to be implemented. Likewise, the legal department should be aware of the Incident Management Procedure to ensure evidence is properly handled so it can be legally accepted in case legal action is needed. It is important to note that information security requires a multidisciplinary approach to be effective, with different areas working together.
  • Signing DPA with large companies


    Answer:

    Usually big companies such as Microsoft, when acting as processors, don't sign separate DPAs; this would be impossible due to the sheer number of customers.

    However, they have similar DPA clauses regarding their commitment to protect personal data in their “Licensing terms and documentation” (https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=46).

    To find out more about processors you can also check out our free course “EU GDPR Foundations Course” (https://advisera.com/training/eu-gdpr-foundations-course//)