
  • Template content

    We received this question:

    >I read the answer.
    >
    >In short, we need to make sure that all the other development projects that we undertake in the company have a risk assessment done somewhere in the project charter or project plan,
    >
    >or maybe some document that does the project requirement analysis and identifies the risks before initiating the design phase.
    >
    >Correct me if I am wrong.

    Answer: You must consider risk assessment in all phases of the project (initiation, planning, execution, control and closing). The better way to ensure that is, as you assumed, by using a document to define how risks must be assessed and treated and when risk assessments must be performed. And the better part is that you can use the same risk assessment and treatment methodology you adopted for your organization (remember, the process is the same, either for the whole organization or for a single project, the difference being only that the project's scope is smaller than the organization's).
  • Security controls review
    Answer: ISO 27001 does not prescribe how many times you need to review security controls, so you must define this periodicity based on the criticality of processes, the results of risk assessments, recorded incidents and previous audit results (both internal and external).

    This article will provide you further explanation about measuring and monitoring:
    - How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/

    These materials will also help you regarding measuring and monitoring:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Obtaining buy in for ISO 27001
    1. You have an organization where you want to implement ISO 27001 and controls.
    Example: I have nine information assets with threat, vulnerability and the risk.

    For each information asset, there is a RISK. For this risk, you put controls; it could be one control or more controls.

    The stakeholders will oppose the controls, including staff members. As CISO, I have to write a Statement of Applicability to the Management, indicating we have so many threats, staff do not know how to assess the risk, they do not know how to interpret the results of a scan report, user awareness.

    I need around 15 key points to say to the Management, why we choose ISO 27001 to implement. What are the benefits of this?

    How can we convince them, these are the benefits, and if you do not implement, we will have these issues. Key points.

    How we put arguments for the resistance we have. Key points.

    Please provide the key points for me please.

    Answer: In a general way, the benefits of ISO 27001 are related to:
    - Enhanced competitive edge
    - Reduction of losses due to security incidents
    - Reduction of fines due to legal or contractual non-conformity
    - Improvement of internal organization

    For a more robust presentation I suggest you pick some examples from your organization's own context so the top management can clearly understand the benefits (e.g., name competitors that do not have the certification and whom you can stand ahead of, mention incidents that already occurred and how they can be prevented, which specific laws and regulations can be better supported, etc.).

    To build your presentation, I suggest you take a look at our free download Why ISO 27001 – Awareness presentation at this link: https://info.advisera.com/27001academy/free-download/why-iso-27001-awareness-presentation

    You can use this template as the basis for your presentation, adjusting it according to your needs.

    These articles will provide you further explanation about ISO 27001 benefits:
    - Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
    - How to gain employee buy-in when implementing cybersecurity according to ISO 27001 https://advisera.com/27001academy/blog/2017/07/03/how-to-gain-employee-buy-in-when-implementing-cybersecurity-according-to-iso-27001/

    These materials will also help you regarding ISO 27001 benefits:
    - ISO 27001 benefits: How to obtain management support [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001-benefits-how-to-get-management-buy-in-free-webinar-on-demand/
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Article 37

    (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; (b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
    (c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
    In the absence of those conditions, I suppose that the appointment of a DPO is NOT obligatory?

    Answer:

    Exactly, if a company/entity does not find itself in the situations described in Article 37 of the EU GDPR - Designation of the data protection officer (https://advisera.com/eugdpracademy/gdpr/designation-of-the-data-protection-officer/), then it does not need to appoint a Data Protection Officer.

    To find out more about the role of the Data Protection Officer you can check out our free GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
  • Photograph and Document of Employees

    2. If we do need a consent, how should that be obtained? What must it contain?

    Answers:

    1. Usually I advise against using employees' consent as a basis for processing their personal data. It was considered, and it is still considered, that consent from employees is not genuinely “freely given”, since there is an imbalance between the employer and the employee and the latter tends to agree to whatever the employer wants. Also, consider that consent can be withdrawn at any time, and by doing so the employee would basically make the processing activity impossible for the company.

    Regarding keeping copies of documents such as a driver's license or other similar documents, I would use legitimate interest as the legal basis for processing, since it is first of all the interest of the company, in some cases, whether an employee has a driver's license; for example, an employee who would be driving a company car.

    2. In terms of consent, the EU GDPR is stricter than the Directive. Consent has to be a freely given, specific, informed and unambiguous indication of the individual's wishes. The controller must keep records so it can demonstrate that consent has been given by the relevant data subject.

    Here are some conditions regarding the consent that you should consider:
    1. Plain language - A request for consent must be in an intelligible and accessible form, in clear and plain language, and in accordance with the Directive on unfair terms in consumer contracts.
    2. Separate - Where the request for consent is part of a written form, it must be clearly distinguishable from other matters.
    3. Affirmative action - The consent must consist of a clear affirmative action. Inactivity or silence is not enough, and the use of “pre-ticked boxes” is not permitted. However, consent through a course of conduct remains valid.
    4. Consent to all purposes - If the relevant processing has multiple purposes, consent must be given for all of them. The meaning of this provision is not clear. At one extreme it might prevent mixed justifications for different activities. For example, it would not be possible to rely on performance of a contract when providing services to an individual and obtain a separate ancillary consent for direct marketing. You would need a (valid) consent for them all.
    5. Unbundled consent - You cannot “bundle consent”. Where different processing activities are taking place, consent is presumed not valid unless the individual can consent to them separately.
    6. Not tied to contract - Consent is presumed not valid if it is a condition of performance of a contract.
    7. Withdrawable - The individual can withdraw consent at any time and must be told of that right prior to giving consent. It should be as easy to withdraw consent as it is to give it.

    You can find some template consent forms in folder 6 Managing Data Subject Rights of the GDPR & ISO 27001 Integrated Documentation Toolkit https://advisera.com/eugdpracademy/eu-gdpr-iso-27001-integrated-documentation-toolkit/

    You can also find out about consent and alternative legal bases in our article “Is consent needed? Six legal bases to process data according to GDPR” - https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/

    See also our free online training GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
  • Software versioning
    Answer:

    The changes you've mentioned cannot be considered versions of software. If you are changing the parameters of the production process or the part you are producing, you only need to document those changes so you can ensure traceability to the parts being produced under these conditions. This information is usually already present in the work order, drawings or some other record.
  • Difference between continual and continuous improvement
    Answer:

    “Continuous improvement” and “Continual improvement” are often used interchangeably and shouldn't be used in that manner. Continuous indicates duration without interruption. Continual indicates duration that continues over a long period of time, but with intervals of interruption.

    Continuous improvement means that organizations are in a constant state of driving process improvements. This involves a focus on linear and incremental improvement within existing processes. Continual improvement means that organizations go through process improvements in stages, and these stages are separated by a period of time. This period of time might be necessary to understand if the improvements did actually help the bottom line. In some cases, the results might take a while to come to realization.

    Continual and continuous improvement have nothing to do with how the organization achieves the improvements but rather with whether the improvement is linear or not.
  • Scope definition

    This is how I did it:
    I made a list of items that the company uses, like routers, firewalls, switches, etc.
    I made a list of software that they use that inputs and outputs sensitive information.
    And I made a list of external parties that input and output sensitive information.

    My questions are:

    1 - Do I need to describe which department in the company makes use of this software?

    Answer: First it is important to note that an ISO 27001 scope is defined in terms of locations, organizational units and/or information the ISMS is supposed to protect. Considering that, your first two lists refer to assets that are included in your scope, and your last list presents elements that interface with your ISMS. These are important things, but they do not define your scope, so it is necessary for you to define at least the department in the company that uses this software and the information that is handled.

    2 - Do I have to mention all external parties that are out of scope in the chapter out of scope?

    Answer: Following the first answer, external parties do not need to be included in the scope statement, whether they interface with the ISMS or not.

    3 - Did I miss something in the chapter interfaces?

    Answer: Maybe you should consider the identification of the processes that make use of the software you identified and that are used by the external parties to input and output information.

    These articles will provide you further explanation about defining scope:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    These materials will also help you regarding defining scope:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • GRC questions


    1 - Compliance organization structure in accordance with best practice, comprising 3 pillars of ISO: ISO 27001, ISO 22301 & ISO 20000

    Answer: ISO management standards now have a common framework and set of requirements that makes it easier to work with them in an integrated manner. Since each organization is unique in its requirements, there is no definitive structure that can be applied to all organizations, but I suggest you read this article about integrated systems:

    - How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/

    2 - Who should be the key members of the Governance, Risk and Compliance committee, i.e., Risk Management:
    a. ISMS Committee
    b. BCMS Committee
    c. ITSM Committee

    Answer: Besides experts in each field you mentioned (i.e., information security, business continuity and information technology) and top management, you should consider personnel from the Legal and Financial areas, as well as representatives of critical areas of the organization.

    3. Who should be the expert within the organization to orchestrate, and be responsible for, establishing and maintaining the security strategy for the information assets, ensuring they are adequately protected, including identifying, developing, implementing and maintaining processes across the organization?

    Answer: For this role you should consider personnel with high competence (i.e., knowledge and experience) in risk management or information security (generally this person is designated as the CISO - Chief Information Security Officer).

    These materials will provide you further explanation about your questions:
    - Integration of Information Security, IT and Corporate Governance https://info.advisera.com/27001academy/free-download/integration-of-information-security-it-and-corporate-governance
    - What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
    - Chief Information Security Officer (CISO) – where does he belong in an org chart? https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/
    - How to integrate COSO, COBIT, and ISO 27001 frameworks https://advisera.com/27001academy/blog/2016/10/10/how-to-integrate-coso-cobit-and-iso-27001-frameworks/

    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • ISO 27001 foundations course content

    Information about Human resources security in our ISO 27001 Foundations Course can be found in module 2 - The planning phase (units Awareness and Competence) and module 6 - Annex A – Control objectives and controls.