  • People related risks


    Answer: Considering ISO 27001, when thinking about people related threats you should consider how people can endanger information security (e.g., espionage, error, identity theft, etc.), and when thinking about people related vulnerabilities you should consider how weaknesses related to people can endanger information security (e.g., lack of training, lack of awareness, unavailability of the person, etc.).

    These articles will provide you further explanation about assessing risks:
    - Catalogue of threats & vulnerabilities https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/
    - ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

    These materials will also help you regarding assessing risks:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-risk-management-in-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Implementation of controls

    We received this question:

    >Can you also let me know if I decide to implement a control from Annex A, does that mean that we have to implement all the requirements for that control from the ISO 27002 standard?

    Answer: Most of ISO 27002 text is written as "you should...", meaning that you only have to implement some items if you identify a need to do that (based on the results of your risk assessment). So, for some controls you may have to implement all items, while for others you have to implement only a few of them.
  • Termination of job - activity


    Answer: ISO 27001 does not prescribe how to implement its requirements or controls, only what needs to be achieved.

    Considering that, for the scenario you stated you can consider the control A.9.2.6 - Removal or adjustment of access rights as the basis to support your need to manage users' access rights, but for the definition of a specific period of time for account deletion / removal you must consider the perceived risks (results of the risk assessment) and the legal requirements (e.g., laws, regulations and contracts) that must be fulfilled.

    These articles will provide you further explanation about controls selection and access control:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    - How to handle access control according to ISO 27001 https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/

    These materials will also help you regarding controls selection and access control:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • ITIL and ISO 20000


    Answer:
    There is a free download on our web page. Please check this whitepaper:
    ITIL vs. ISO/IEC 20000: Similarities and Differences & Process Mapping https://info.advisera.com/20000academy/free-download/itil-vs-iso-iec-20000-similarities-and-differences-process-mapping
  • Environmental aspects and risks


    I have a question about ISO 14001:2015 – items 6.1.1 and 6.1.2

    In accordance with 6.1.2:
    1. Define aspects
    2. Estimate them by the established criteria, and I obtain the significant aspects

    And that is all.

    There is a Note: that significant aspects CAN result in risks and opportunities.
    During the certification audit the auditor requires THAT: to each aspect a risk and opportunity MUST BE added in accordance with 6.1.1. I do not agree with that auditor's interpretation. In my opinion:

    In accordance with 6.1.1 I must prepare the management of the environmental processes (a little bit like 4.4 of ISO 9001:2015 – e.g., a turtle diagram). For that environmental process I prepare the risks and opportunities which ARE related to the environmental activities, estimate them, etc.
    Is the above clear? What is your opinion? For what must I prepare risks and estimate them?

    Answer:

    The standard requires the organization to determine risks and opportunities related to environmental aspects, compliance obligations, and other issues and requirements regarding the context and interested parties. This doesn't mean that every environmental aspect needs to have a risk and opportunity.

    It is not enough to identify risks and opportunities related only to the environmental activities, because the standard requires the organization to identify risks and opportunities to ensure the effectiveness of the QMS, prevent or reduce undesired effects, and achieve continual improvement. This includes determining risks and opportunities related to environmental aspects. For most of the significant environmental aspects you can identify a risk related to not establishing or not following operational controls. But you don't have to do this for every environmental aspect you have.

    For more information, see: ISO 14001 risks and opportunities vs. environmental aspects https://advisera.com/14001academy/blog/2016/06/06/iso-14001-risks-and-opportunities-vs-environmental-aspects/
  • Mandatory external training


    Answer:

    The standard does not require external training or certifications for internal auditors. All the standard requires is for training to be conducted by a competent trainer and for the organization to maintain records of the trainer's competency.

    The trainer competency can be demonstrated either through various relevant certificates the trainer possesses, or by work experience that qualifies the trainer to perform the training.

    For more information, see: Requirements for competence of IATF 16949 internal auditors https://advisera.com/16949academy/blog/2017/10/19/requirements-for-competence-of-iatf-16949-internal-auditors/
  • EU GDPR questions

    2. Can you please attach an agreement template between a data processor and sub-processor?
    3. Does the privacy notice need to be displayed by the data controller to his customer? Or by us to each individual user?
    4. The same as 3 but regarding the use website cookies
    5. Users rights – does the right to be forgotten/deleted/export should be available to the end user or should it only be controlled by the “data controller”? Seeing we are the data processors, do we need to allow end users this right?
    6. Data retirement – We are storing data for reporting and operational purposes, for example, a traveler can view his past trips, are we obligated to retire data after a certain period of time or should this have controlled by the “data controller”?
    7. Personal data encryption – We are using the user email address as our username to access the site, and this field can’t be encrypted, is this acceptable? Also, user first name and last name can’t be encrypted.
    please advise what’s the best course of action

    Answers:

    1. The content providers for flights, hotels, cars, ground transportation, and rail (nor the providers of the services themselves, such as airlines, hotels, car rental companies, etc.) would be your sub-processors, as you well pointed out. These providers should be instructed by you on how the personal data they receive should be processed and protected. Usually, as you are a processor, you would receive instructions from your customers acting as controllers. The instructions you receive from your customers (data controllers) would need to be “back to back” with the ones you impose on your sub-processors.

    2. Unless you receive specific requirements from your respective controllers, you could use the attached document as a template. It is basically the same Supplier Data Processing Agreement, but tweaked a little bit to accommodate the processor – sub-processor relation.

    3. The Privacy Notice would need to be provided to the end user by the controller. The Notice could be presented similar to the way you would present the Terms & Conditions of your product.

    4. The Cookie Policy should be the responsibility of the controller using the cookies to collect and process personal data. If you are the entity collecting and using the personal data captured by the cookies you should be the one presenting the Cookie Policy to your website visitors. Be aware that cookies are regulated by the ePrivacy Directive as well as the EU GDPR.

    5. The controllers are the ones responsible for making sure that the data subjects can exercise their rights. You as a processor need to inform the controller if you receive such requests from the data subjects, as well as provide the controllers with the means of complying with those requests. Basically you just need to enable the controllers to analyze and decide on the requests, and only if specifically instructed may you answer them on behalf of the controller.

    6. The controllers are the ones that determine the retention period in most cases. For your particular situation I would advise you to leave this up to them, meaning the controllers should be able to delete the data whenever they want. Here I am referring to your travel agents and company customers, not necessarily the individuals doing the travel, unless the travel agents or company customers (controllers) instruct you to provide this choice to the individuals (end users).

    7. Encryption in this case means securing your communications, for example using HTTPS instead of HTTP for the account authentication page. Also, the database where you store the travel-related information could be encrypted to prevent unauthorized access. Consider also implementing strong passwords to protect you against brute-force attacks.

    8. Yes, you can grant access rights to a limited number of employees for specific purposes. Make sure that you log all the actions they perform, to be used as proof that there was no tampering with the data in storage.

    You can get more knowledge about the EU GDPR by accessing our free online training GDPR Foundations Course: https:…
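    Question 7 above asks whether the email address used as the username, and the first and last name, can be left in clear text, and the answer points at HTTPS and database encryption. The Go program below is an added example, not part of the answer or of any Advisera material, and it goes one step beyond the answer by showing one concrete design: the name fields are encrypted at rest with AES-256-GCM, and instead of the plaintext email the row stores a keyed hash of it (HMAC-SHA256, a "blind index"), so the login page can still find the user by email. The keys, the sample user and the in-memory table are constructed for the example; in a real deployment the keys come from a key management service, not from the source code.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Constructed keys for this example only; a real deployment fetches them from a
// KMS/HSM. Two separate keys, so a leaked index key does not expose the fields.
var (
	indexKey = bytes.Repeat([]byte{0x11}, 32) // HMAC key for the email blind index
	dataKey  = bytes.Repeat([]byte{0x22}, 32) // AES-256 key for field encryption
)

// Record is the stored row: no plaintext email or name.
type Record struct {
	EmailIndex string // hex(HMAC-SHA256(indexKey, normalized email))
	FirstName  []byte // nonce || AES-GCM ciphertext
	LastName   []byte // nonce || AES-GCM ciphertext
}

// EmailIndex is the login key. A keyed HMAC (not a bare hash) means someone holding
// a dump of the table but not indexKey cannot confirm guesses of email addresses.
func EmailIndex(email string) string {
	mac := hmac.New(sha256.New, indexKey)
	mac.Write([]byte(strings.ToLower(strings.TrimSpace(email))))
	return hex.EncodeToString(mac.Sum(nil))
}

func newGCM() (cipher.AEAD, error) {
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals value with AES-256-GCM, binding it to aad (row index + column name)
// so a ciphertext cannot be moved to another row or column unnoticed.
func Encrypt(value, aad []byte) ([]byte, error) {
	g, err := newGCM()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, value, aad), nil // nonce is prepended to the ciphertext
}

// Decrypt reverses Encrypt; the GCM tag check fails on tampering or a wrong aad.
func Decrypt(blob, aad []byte) ([]byte, error) {
	g, err := newGCM()
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short: %d bytes", len(blob))
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// NewRecord builds the stored row from the plaintext fields.
func NewRecord(email, first, last string) (Record, error) {
	idx := EmailIndex(email)
	f, err := Encrypt([]byte(first), []byte(idx+":first"))
	if err != nil {
		return Record{}, err
	}
	l, err := Encrypt([]byte(last), []byte(idx+":last"))
	if err != nil {
		return Record{}, err
	}
	return Record{EmailIndex: idx, FirstName: f, LastName: l}, nil
}

// FindByEmail is the login-time lookup: recompute the blind index from the
// submitted address and match it against the stored column.
func FindByEmail(table []Record, email string) (Record, bool) {
	idx := EmailIndex(email)
	for _, r := range table {
		if hmac.Equal([]byte(r.EmailIndex), []byte(idx)) {
			return r, true
		}
	}
	return Record{}, false
}

func main() {
	rec, _ := NewRecord("Ada.Lovelace@example.com", "Ada", "Lovelace") // constructed sample user
	found, ok := FindByEmail([]Record{rec}, "ada.lovelace@example.com")
	first, err := Decrypt(found.FirstName, []byte(found.EmailIndex+":first"))
	fmt.Println(ok, string(first), err) // true Ada <nil>
}
```

    The additional data passed to GCM ties each ciphertext to its row and column, so a value copied from one user's row to another, or from the last-name column into the first-name column, fails the tag check on decryption. The blind index is a lookup key, not a password hash: the account password still needs a deliberately slow hash, which is what makes the "strong passwords against brute force" point of the answer hold up.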
  • EU GDPR toolkit


    Answer:

    The EU GDPR toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ is designed to be used by both controllers and processors and most of the document reflect this. However, there are certain sections that are less relevant for processors such as the Managing Data Subjects Rights and the Data Protection Impact Assessments because these are more controller oriented.

    Bear in mind that any company established in the EU is unlikely to be only a processor, regardless of its business activities; if it has employees it will act as a controller in terms of processing their data.
  • Sub-processors


    Answer:

    You are correct, if Zendesk would be hosting the data of your customers they should be considered your sub-processors based on the description you provided.

    To learn more about processors and sub-processors see this free online training GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
  • Quality objectives and roles, responsibilities and authorities


    Answer:

    About quality objectives, the most important thing is to start by considering the quality policy of your organization. Quality objectives are a way of translating the words of the quality policy into precise and measurable challenges. Quality objectives must be about relevant requirements for products and services. For example, if your organization has a statement in its quality policy about exceeding customer expectations on delivery time, then it could have a quality objective that relates to on-time delivery.

    About roles, responsibilities and authorities, besides those particular situations mentioned in the standard about authorities (for example, to release products and services, or decisions about nonconforming outputs) there are no mandatory requirements for documented information. People need to know what is expected from them, what they must do (responsibilities), and what they can decide (authorities).

    The following material will provide you information about quality objectives:

    - ISO 9001 – How to Write Good Quality Objectives - https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
    - What is the job of the Quality Manager according to ISO 9001? - https://advisera.com/9001academy/blog/2016/08/23/what-is-the-job-of-the-quality-manager-according-to-iso9001/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/