
  • Specific consent

    Generally speaking, do we have to mention each third-party service provider by name in our privacy policy in order to be eligible to use these third-party services?

    Answers:

    1. You don’t need to have the consent of your customers if you are using a third party as a processor. However, you need to mention in the Privacy Notice that you may use third parties that may have access to their personal data.
    2. The answer is no. You just need to specify the type of activity that the supplier is providing in generic terms.
  • Specification of Information System Requirements


    Answer: Unfortunately we have to apologize for not having a video tutorial about this issue, but to help you fill in this document you can schedule a meeting with one of our experts (some sessions with our experts are included in the toolkit you bought). To schedule a meeting, please access this link: https://advisera.com/27001academy/consultation/

    This article will provide you further explanation about defining system requirements:
    - How to set security requirements and test systems according to ISO 27001 https://advisera.com/27001academy/blog/2016/01/11/how-to-set-security-requirements-and-test-systems-according-to-iso-27001/

    2 - Is this document in reference to the applications that we develop or is this in reference to the tools we use to maintain and develop the applications? The question at hand is what does “Information Systems” reference? Is it the internal applications/tools used to produce our product? Is it the external applications that our clients use, that are developed by us? Could it be both?

    Answer: Let's start with the definition of Information systems. For ISO 27001, information systems are software, hardware, databases and any other asset used to store and/or process information.

    The purpose of this document is to document all requirements for new information systems, and for improvements of existing information systems, whether they are used internally or by customers.

    Considering that, this document is applicable both to systems your organization develops and to systems your organization acquires, whether for internal purposes only or to provide to external customers. Your organization can define the range of application in the ISMS scope statement.

    3 - With internal applications, we can specifically dictate access and security as these systems are only for company use. With external applications, we lose control: while these have specific purposes, the end user dictates the use of these.

    If we do apply this to external applications, does it apply only to the process to ensure that any work done by us is verified not to significantly affect the end user’s use, regardless of how they use it? For example, system XXXX is specifically built for XXXX, but we do know that we have at least one client that specifically caters to XXXX. The application is the same but the workflows are different.

    Answer: As mentioned in the previous answer, this document covers the system's requirements, i.e., what a system can do, what it cannot do, and how it must behave under specific conditions. Specifically for the applications you develop for third parties, the conditions to not significantly affect the end user’s use most probably will come from the end users.
  • Additional evidences of competence


    Answer:

    The standard does not prescribe what kind of evidence of competence the organization will provide; it can be training records, diplomas, certificates, CVs and any other record that demonstrates that the employee is competent to perform a certain activity.

    The only novelty in the new standard is that the organization will need to provide documented evidence of the trainer's competency to perform internal audit training, but other than that there are no changes in requirements for competency.

    For more information, see: How to ensure competence of your employees according to IATF 16949 https://advisera.com/16949academy/blog/2017/10/04/how-to-ensure-competence-of-your-employees-according-to-iatf-16949/
  • Training internal auditors


    Answer:

    The shorter answer is NO! Your internal audit team members do not have to be "trained/certified" by an external registrar for the 2015 edition; your organization can simply perform its own internal training program to communicate the changes in the new standard. Remember, it is your organization that has the authority to define the competence requirements to be an internal auditor in your organization.

    The following material will provide you information about internal auditor competence:

    - Check this article about ISO 14001, but applicable to ISO 9001 – What competences should an ISO 14001 internal auditor have? - https://advisera.com/14001academy/blog/2016/07/04/what-competences-should-an-iso-14001-internal-auditor-have/
    - free online training - ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
    - free online training - ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Process modeling


    Answer:

    If you see my book “Discover ISO 9001:2015 Through Practical Examples” (see link below) and click on the left “Click to Look Inside” you can see how to model an organization using the process approach and then, how to map each process with simple techniques.

    The following material will provide you information about the process approach:

    - ISO 9001 – ISO 9001: The importance of the process approach - https://advisera.com/9001academy/blog/2015/12/01/iso-9001-the-importance-of-the-process-approach/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Context and ISO 14001


    Answer:

    Independently of the economic sector, I use the PESTEL framework as a basis. Having the environment in mind, challenge your team to think about whether there are actual or foreseeable issues relevant to:

    - Politics;
    - Economic;
    - Social;
    - Technology;
    - Environmental;
    - Legislation.

    For example, imagine the future impact of cars without drivers: cars will be less prone to accidents. Will car makers use less steel? Will car makers use plastic composites instead of metal? Less demand for steel? Less mining activity? Smaller steel manufacturing plants?

    The following material will provide you information about context determination:

    - ISO 14001 – Determining the context of the organization in ISO 14001 - https://advisera.com/14001academy/knowledgebase/determining-the-context-of-the-organization-in-iso-14001/
    - List of ISO 14001 implementation steps - https://advisera.com/14001academy/knowledgebase/list-of-iso-14001-implementation-steps/
    - free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • Privacy Notices Under the EU GDPR

    For the case you mentioned, I would suggest putting the Privacy Notice on your website and communicating it to the European customer together with the first communication (email, telephone) you initiate with them.
  • Applicability of GDPR on business secret data


    Answer:

    The EU GDPR protects the rights and freedoms of individuals as regards their personal data. The EU GDPR defines personal data as being “any information relating to an identified or identifiable natural person” (art 4 – “Definitions” https://advisera.com/gdpr/definitions/).

    So your patent information or copyright information does not fall under the EU GDPR unless it contains personal data of individuals, which is highly unlikely.
  • ISO 14001 and stakeholders


    Answer:

    Your organization can consider, for example:
    * its neighborhood as a relevant environmental stakeholder. Then, your environmental management system, according to ISO 14001:2015, should consider their relevant expectations about the environment like environmental noise and work to reduce it;

    * its customers as a relevant environmental stakeholder. Then, your environmental management system, according to ISO 14001:2015, should consider their relevant expectations about the environment like easy recyclability and work to improve it.

    The following material will provide you information about environment and stakeholders:

    - ISO 14001 – How to determine interested parties according to ISO 14001:2015 - https://advisera.com/14001academy/knowledgebase/how-to-determine-interested-parties-according-to-iso-140012015/
    - free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • ISMS implementation approaches

    The company is a start-up company, with no processes in place yet. This company got a long-term project to deliver a system (IT infrastructure and Application System).
    They will operate & maintain this system after the completion of delivering the project. In the contract, they are required to get certifications for 27001, 22301 and 20000 after it is in operation - at year 4 or 5.
    Certifications for the System in Operation & the operation and maintenance of the system. The company is just about to start the Design stage - there are no assets or processes in place yet.
    At the end of the Design Stage, we are required to deliver a Security Policy & System Security Plan and Risk Treatment Plan (a sign-off of Residual Risk).
    Here the risk assessment is to get the security requirements, besides the user requirements, technical requirements, business requirements and contractual & best practices. From here, we get a Security Design to be implemented for the System.
    There are two schools of thought:
    1. Implementation of the ISMS should only start after the Design Stage is completed (this is where everything is firmed up - technology solutions (IT assets), locations of DC and DR firmed up, Application System Design completed, etc.). Suggest to do ISMS scoping, detailed risk assessments, all required steps of ISMS implementation. (ISMS implementation and certification is a journey after the design starts.)
    2. ISMS implementation starts now: the scoping, risk assessment and all the ISMS implementation steps start now. Issue here - risks to project delivery, scoping is based on assumptions, ISMS risk assessment within the context of the scope is quite difficult (IT assets not firmed up, systems not ready for risk assessment, system design not firmed up yet).

    Please advise on the best approach - because the ISMS certification objective is the secure operation of the system that the company operates and maintains.
    The Secure System Deliverable is done by implementing all the controls in 27001, NIST, CIS Guidelines, STIG Guidelines. The project can be delivered while implementing the ISMS, but only starting after the design is completed and signed off.

    Answer: I understand that you can adopt a mixed approach. The design stage is one of the most important steps of a system development (it can save you a lot of time, effort and money by avoiding development errors and rework), so applying ISMS practices at this stage should be considered, but you do not need to implement the ISMS in all your intended scope (the operation and maintenance processes), only for the project activities.

    With this approach you can gather the benefits of information security management system practices for your project, while you gain experience to expand the ISMS to your intended scope. It is also important to note that you do not need to go for the certification at the beginning. You can just implement the practices and do this later on.

    These articles will provide you further explanation about ISO 27001 in projects:
    - How to manage security in project management according to ISO 27001 A.6.1.5 https://advisera.com/27001academy/what-is-iso-27001/
    - How to set security requirements and test systems according to ISO 27001 https://advisera.com/27001academy/blog/2016/01/11/how-to-set-security-requirements-and-test-systems-according-to-iso-27001/

    These materials will also help you regarding ISO 27001 in projects:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/