  • Contract with processors


    Answer:

    The common practice is not to engage processors that cannot be trusted to comply with the EU GDPR provisions or take liability in case of breaching the EU GDPR provisions. Also remember that you will be responsible for the actions of the processors you contract, so having a liability clause would be a must.

    To learn more about the duties of processors under the EU GDPR, see this free online training GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
  • Audit checklist

    >1- Now looking at Dejan's checklist, it contains all requirements in 27001 from chapter 4 to 10 plus all the controls in the appendix.

    It doesn't make sense to audit the full checklist for every department, so I'm guessing that the auditor, as part of the preparation, chooses which clauses in the checklist to include in each audit.

    In short, each audit will consist of a subset of the checklist depending on the nature of the department. Can you confirm?

    Answer: Your assumption is correct; the auditor can define a subset of the items to be included in the checklist, depending on the purpose of the audit and the audited department.

    >2 - We're short on auditors that know infosec and the standard, so would you say it would be compliant if we (the security office) audit ourselves and our own work as long as we “select auditors and conduct audits that ensure objectivity and the impartiality of the audit process”?

    Answer: The security office cannot audit its own work alone. The main requirements of ISO 27001 (from clauses 4 to 10) do not require deep knowledge about information security to be audited, so the security office and another auditor with competence in auditing ISO management systems (e.g., ISO 9001 and ISO 14001) working together would be sufficient to ensure the audit process is objective and impartial.

    >3 - Regarding the scope of an audit (i.e. what clauses from the checklist to include), would it be ok to narrow the scope to just a few controls? I mean, in your template “Annual Internal Audit Program” the heading “Scope” exists suggesting that the auditor can choose what clauses to include.

    An example: The auditor chooses to audit the HR dept, so he/she sets the scope to A.7 Human resource security and A.9 Access Control.

    Would that fly?

    Answer: The auditor can narrow the scope of an audit to a few controls if it fits the purpose of the audit, but you must ensure that all controls regarding the certification scope are audited between external audits, according to the external audit plan. For example, if in the next maintenance audit the certification auditor will audit the HR department, you must ensure all controls applicable to the HR department are audited, not only the controls from sections A.7 and A.9 (e.g., requirement 7.2 will also be audited by the external auditor). Another option is to use a couple of auditors in each audit event, where each would focus on only one group of controls.
  • Management principles


    Answer: Management principles are concepts that can be used as a foundation to guide an organization’s performance improvement. ISO 27001 shares some management principles with other ISO management standards, such as:
    - Leadership
    - Process approach
    - Improvement
    - Evidence-based decision making

    Specifically for the ISMS, we can consider as principles:
    - Risk-based approach
    - Protection of confidentiality, integrity and availability
  • Auditing ISO 27001 and ISO 27018

    Last December our 27001 documentation was audited and approved, and now we have planned an audit type two (implementation phase) for November, but we want to go a bit further and also get an audit against ISO 27018 and scope the requirements of the GDPR Regulation.

    My questions are:
    1 - Is it possible to audit both ISO 27001 and 27018?

    Answer: ISO 27018 is a supporting standard to ISO 27001, providing detailed guidance and recommendations on the implementation of ISO 27001 Annex A controls, considering privacy in cloud environments, so it is perfectly possible to perform an audit considering these two standards as references.

    This article will provide you further explanation about ISO 27001 and ISO 27018:
    - ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/

    2 - Is it possible to audit only the 11 extra controls of ISO 27018, as the controls of ISO 27001/27002 already apply? How would you recommend doing it?

    Answer: You can reduce your audit scope to cover only the ISO 27018 extra controls and the other controls from ISO 27001 that have some specific recommendations provided in ISO 27018, with no problem.

    To support this activity, I suggest you take a look at the free demo of our Internal Audit Checklist for ISO 27001 & ISO 27017 & ISO 27018 at this link: https://advisera.com/27001academy/documentation/internal-audit-checklist/

    It provides a list of questions to help perform an internal audit against ISO 27001, considering also ISO 27018. For each clause or control from the standard, the checklist provides one or more questions which should be asked during the audit in order to verify the implementation.

    This article will provide you further explanation about internal audits:
    - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

    These materials will also help you regarding internal audits:
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - ISO 27001:2013 Internal Auditor course https://advisera.com/training/iso-27001-internal-auditor-course/
  • ISO 20000 and Demand Management/Service Portfolio Management


    Answer:
    Demand Management and Service Portfolio Management processes are part of ITIL, i.e. the ITIL/ISO 20000 Premium Documentation toolkit. You can find them in the list of documents: https://advisera.com/20000academy/iso-20000-documentation-toolkit/#toolkit-documents-lightbox
    Additionally, a list of mandatory documents according to ISO 20000-1:2011 (still a valid standard) can be found in the free Whitepaper Checklist of Mandatory Documentation Required by ISO/IEC 20000-1:2011: https://info.advisera.com/20000academy/free-download/checklist-of-mandatory-documentation-required-by-iso-iec-20000-1-2018/
  • Auditor certifications


    Answer:

    Passing those exams will document in a formal way that you have acquired knowledge about ISO 9001:2015 and about the preparation, realization and reporting of internal audits. Your previous experience and education will certainly be very useful for you and for your future audit customers; that kind of experience and education cannot be learned in a fast course and is very important for dealing with situations and having a mature and business-friendly point of view. As soon as you get those two diplomas you can start acting as an internal auditor for organizations, and as you gather some actual experience you can start asking certification bodies whether they have more particular requirements that you must meet in order to be able to apply.

    The following materials will provide you details about internal audits:

    - Article - ISO 9001 Audit Checklist - https://advisera.com/9001academy/knowledgebase/iso-9001-audit-checklist/

    - ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/
  • Third Party and cross border transfer data

    2. In cross border data transfers, if the adequacy requirement is not fulfilled, what are the penalties?

    Answers:

    1. They are actually the same. In the context of the EU GDPR both are entities that are receiving personal data. Depending on the purpose of processing and the business context, the Recipient or Third Party can be a data processor, a joint controller or a controller in its own right. You can find out more about controllers and processors from our article “EU GDPR controller vs. processor – What are the differences?” – https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/

    2. Failure to comply with the requirements regarding cross border transfers of personal data can be sanctioned with fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. To learn more about sanctions under the EU GDPR, see this free online training GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course// as well as our webinar “What to expect from Data Protection Authorities under GDPR” - https://advisera.com/eugdpracademy/webinar/what-to-expect-from-data-protection-authorities-under-gdpr-free-webinar-on-demand/
  • ISO 27001 competencies


    Answer: ISO 27001 only requires the definition of necessary competencies for persons that affect its information security performance. Considering that, only the persons that handle the information you want to protect must be included in the competency matrix. For example, if you want to protect only the research and development information, most probably the HR and financial personnel won't be included in your competency matrix.

    2- And what type of competencies need to be included – do they have to be related to information security only?

    Answer: The competencies to be included will depend on which roles you have in your matrix, but broadly speaking they are related to information technology, physical security, HR management and legal.

    As you can notice, they are not limited to information security. In fact, information security competencies will drive which specific competencies in these areas must be developed.

    For example, for protecting confidentiality, competencies related to physical and logical access control must be developed, as well as security practices in systems development, which will need to protect the confidentiality of information stored and processed by information systems.

    These articles will provide you further explanation about managing competencies:

    - How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
    - Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/

    These materials will also help you regarding managing competencies:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Context and organizational chart


    Answer:

    You should not build a management system in limbo. Your organization’s management system will be a function of its context, external and internal. For example, imagine that your organization is American and exports very successfully to China. Will trade barriers be erected? How will that change the market? Imagine that your organization sells mainly to stores in shopping malls. I read today, honestly, someone defending that around 25% of shopping malls will close in the next years. Imagine that a competitor with a different business model is disrupting the market. Your management system must take this into consideration when thinking about the future. About the internal context, imagine that your commercial department is saying that customers want or need shorter delivery times, but your internal data reveal an opposite trend: your organization’s delivery times are becoming longer. Clause 4.1 of ISO 9001:2015 is about this kind of stuff. Normally, it is top management that determines which issues are relevant. Most of these issues can be seen as the basis for uncertainty about the future of the business, and with that uncertainty come risks and opportunities (clause 6.1.1). Because of the most relevant risks and opportunities, your organization can change some practices (clause 6.1.2), that is: change the way some processes are executed.

    The following materials will provide you details about the context determination:

    - ISO 9001 – How to identify the context of the organization in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
    - ISO 9001:2015 Case study: Context of the organization as a success factor in manufacturing company - https://advisera.com/9001academy/blog/2016/10/11/iso-90012015-case-study-context-of-the-organization-as-a-success-factor-in-manufacturing-company/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Objectives and KPIs


    Answer:

    I assume that by “objectives” you mean quality objectives and that by KPI you mean Key Performance Indicator.

    Since I do not have more information, I will speculate upon the reasons that can support the auditor’s behavior. Normally, organizations develop quality objectives, stated challenges that imply a direction of improvement. Then they use indicators to monitor and measure performance and define a precise target to meet. Has your organization written any statements about each objective?

    Please see below the first article, where you can read “These product or process objectives are often referred to as Key Performance Indicators (or KPIs). By utilizing the KPIs that the company has identified as the important indicators that the processes are functioning well the overall QMS objectives for improvement become much easier to measure.” I believe your auditor feels those statements are missing. Quality objectives can be measured by KPIs but are more than KPIs.

    The following materials will provide you details about quality objectives:

    - ISO 9001 – How to Write Good Quality Objectives - https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/