Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11272 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
ISO 31000 study material
Trust you're doing great. Your study material on advisera is very helpful thank you.
However would like to request if there are any modules on ISO 31000 Risk management..or if you could help me with one thing whether Is it mandatory that we have vast experience in job say for some one in mid or entry level can't go for the ISO 31000 Course?
Answer: For information regarding ISO 31000, I suggest you to take a look a these material:
- ISO 31000 and ISO 27001 – How are they related? https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/
- How to address opportunities in ISO 27001 risk management using ISO 31000 https://advisera.com/27001academy/blog/2018/04/13/how-to-address-opportunities-in-iso-27001-risk-management-using-iso-31000/
Regarding ISO 31000 courses, generally they do not require previous job experience (you should verify the course content of your selected training provid er to confirm that), but any level of previous experience will help you to take better advantage of the course. -
RACI Matrix
Answer: As roles to include in your RACI matrix you should consider at least:
- Top management / Project Sponsor as Accountable for project decisions
- Project Manager as Responsible for the project overall execution
- Team member as Responsible for tasks / activities execution
- Units Heads / Processes Owners / Interested Parties as Consulted about risks identification and controls to be implemented
- Employees / Users / as Informed about project milestones
Steps to be included, you should consider:
1) getting management buy-in for the project;
2) defining ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding organizational context and requirements of interested parties;
3) development of risk assessment and treatment methodology;
4) perform risk assessment and define risk treatment plan;
5) controls implementat ion (e.g., policies and procedures documentation, acquisitions, etc.);
6) people training and awareness;
7) controls operation;
8 performance monitoring and measurement;
9) perform internal audit;
10) perform management critical review; and
11) address nonconformities, corrective actions and opportunities for improvement.
This article will provide you further explanation about ISMS implementation:
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/ -
ISO 27001 Gap Analysis
1 - But my starting point for now is to check what they have according the iso 27001. Sort of gap analysis? Current situation. I am kind of in the not knowing how to start this.. I mean do you make a list of all these clauses + annex A and check if they have it documented etc? Or is it more then that?
Answer: For a Gap Analysis you do not only evaluate if they have the requirements documented, but also if the processes and controls are also generating the proper records. To help you with a gap analysis, I suggest you to take a look at our Free ISO 27001 Gap Analysis Tool at this link: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/
2 - What about the maturity? Do I have to measure also the maturity? And how do you do that?
I hope you can give me some advice on how to start this because it is not quite clear to me.
Answer: ISO 27001 does not require performing maturity measurements, but it requires performance measurements, which can be used as parameters to evaluate maturity.
This article will provide you further explanation about ISO 27001 and performance measurement:
- What is IS 27001 https://advisera.com/27001academy/what-is-iso-27001/
- How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/
These materials will also help you regarding ISO 27001:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
Audit activities
We have an internal audit procedure, which defines the auditor requirements, I.e. qualified, scope, criteria, plan, etc.
They said we need to audit them and document an audit report of the auditors, and we can even give them minor/major NCs.
Am I crazy?
Answer: ISO 27001 clause 9.2 (Internal audit) requires that an organization selects auditors and conducts audits that ensure objectivity and the impartiality of the audit process, and in the situation you mention it means the auditors cannot audit their own work. When you have more than one auditor, they can audit each others work. In cases were you only have one auditor, the organization must consider hiring an external auditor to audit specifically the clause 9.2.
This article will provide you further explanation about internal audit:
- Dilemmas with ISO 27001 & BS 25999-2 internal auditors https://advisera.com/27001academy/blog/2010/03/22/dilemmas-with-iso-27001-bs-25999-2-internal-auditors/
These materials will also help you regarding internal audit:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- ISO 27001:2013 INTERNAL AUDITOR COURSE https://advisera.com/training/iso-27001-internal-auditor-course/ -
Impacts of not implementing a standard
Answer: There is no standard set of consequences if an ISO standard is not implemented in an organization, because these will depend on the applicable laws, contracts, regulations and business objectives, which will vary from organization to organization.
To help organizations understand this, ISO management standards require that organizations determine external and internal issues relevant to its purpose and that can affect its management system, including needs and expectations of interested parties (clauses 4.1 and 4.2 of ISO management standards).
On the other hand, when talking about benefits of adopting ISO standards, they can be related to:
- Enhanced competitive edge
- Reduction on losses due to incidents and non conformities
- Reduction on fines due to legal or contractual non conformity
- Improvement of internal organization
These articles will provide you further explanation about context, requirements and benefits:
- Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
- Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization) https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
These materials will also help you regarding context, requirements and benefits:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ -
Who does the EU GDPR apply to?
Answer:
The EU GDPR will apply to the processing of personal data of EU data subjects, regardless of whether the processing activities take place in the EU or not. The EU GDPR is also applicable to entities established outside the EU if they offer goods or services to individuals in the Union, or if they monitor the behavior of individuals in the Union (i.e., profiling activities, tracking individuals’ activities on the internet, etc.)
The key to understanding when EU GDPR is applicable is understanding the meaning of “in the Union.” The EU GDPR will only apply to personal data regarding individuals within the Union, while the nationality or habitual residence of those individuals is irrelevant.
In your case, since the company is based in Brunei and the processing takes place in Brunei and the data subjects are ba sed in Brunei (regardless if they are UK citizens) the EU GDPR won`t be applicable.
To learn more about the applicability the EU GDPR check out our article “ What is it and how does it work?” https://advisera.com/eugdpracademy/what-is-eugdpr/ -
Sensitive personal data
Answer:
From your description you provided the data in your CRM system is indeed personal data but not “special category of data” as per article 9 of the EU GDPR – “Processing of special categories of personal data” https://advisera.com/eugdpracademy/gdpr/processing-of-special-categories-of-personal-data/
The deidentification of data using a ID number or customer number is a measure to protect personal data which is caller “pseudonymization” which is referred to and recommended in article 32 of the EU GDPR – “Sec urity of processing” https://advisera.com/eugdpracademy/gdpr/security-of-processing/ so by all means proceed.
To find out more about the security of personal data you can check out our free EU GDPR Foundations Course https://advisera.com/training/eu-gdpr-foundations-course// -
Collecting personal data
2) If personal data is transferred from India to one of the EU countries, then will it be considered as transfer to third country?
3) If we collect personal data from a site like ‘xxx’, will it be a joint controller for us?
4) In a case, where we are Processor, is Privacy Notice applicable?
Answers:
1. The answer is quite simple “NO” unless you want to advertise a job. You need the consent of the data subject for sending marketing materials via SMS and email.
2. If the data exporter is located in India and the data is transferred in the EU is not a personal data transfer.
3. Certainly not, both you and “xxx’ would be separate controllers. The only difference is that you obtain the data form a third party but both you and the data controllers on your own separate processing activities.
4. According to EU GDPR article 13 – “Information to be provided where personal data are collected from the data subject” https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-are-collected-from-the-data-subject/ and article 14 – “Information to be provided where personal data have not been obtained from the data subject” https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-have-not-been-obtained-from-the-data-subject/ the controllers are the ones that need to provide the notice to the data subjects
If you want to find out more about privacy notices you can check out our free webinar “Privacy Notices Under the EU GDPR” https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/ -
Implementation duration
Answer: The time to implement ISO 27001 will depend on many variables, like the size of the organization, the complexity of the scope, the resources available, etc., but in general, for small and medium-sized organizations the implementation duration, can vary from 10 to 12 months.
To have an estimate based on your organization context, I suggest you to take a look at our free ISO 27001/ISO 22301 Implementation Duration Calculator at this link: https://advisera.com/27001academy/free-tools/free-calculator-duration-of-iso-27001-iso-22301-implementation/
Regarding how many people should be included in the project, there is no definitive number you should consider (this number also depends on the complexity of the scope), but to increase chances of success, it is important that persons involved have experience in project management and knowledge of the standard.
These articles will provide you further explanation about ISO 27001:
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
- Who should be your project manager for ISO 27001/ISO 22301? https://advisera.com/27001academy/blog/2014/12/01/who-should-be-your-project-manager-for-iso-27001-iso-22301/ -
Business Case for the implementation of an ISMS
Answer: ISO 27001 does not require development of a business case for ISMS implementation, although the elaboration of such material can be very useful to help you to identify business objectives related to information security and buy in the top management support for this project, and to define top-level objectives for the ISMS (which are mandatory for the standard).
These articles will provide you further explanation about getting top management support:
- How to gain employee buy-in when implementing cybersecurity according to ISO 27001 https://advisera.com/27001academy/blog/2017/07/03/how-to-gain-employee-buy-in-when-implementing-cybersecurity-according-to-iso-27001/
- Top management perspective of information security implementation https://advisera.com/27001academy/blog/2012/12/04/top-management-perspective-of-information-security-implementation/
These materials will also help you regarding top management support:
- Book Secure & Simple: A Small-Business Guide to Implem enting ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/