
  • RTO and RPO definition for critical systems


    Answer: The definition of RTO and RPO for critical systems is generally done by the person responsible for the application (e.g. by the HR Department Head for a HR system, by the Financial Department Head for an accounting system, etc.), considering the inputs of interested parties impacted by a disruption on application operation (e.g., IT staff, organization's users, customers, regulators, etc.), but these must be approved by top management.

    2 - Can the RTO and RPO be the same for a system? Which does the business provide? RTO or RPO?

    Answer: RTO and RPO are completely different concepts, so they can be the same for a system. The RTO refers to a recovery time to be achieved, while the RPO refers to a point in time on which the system must be recovered with stability (any information in the period shorter than that will be lost or not considered).

    For example, if an application has an RTO of 1 day and an RPO of 4 hours, it means that this application can be recovered (resume normal operation) in one day, but the information from the last 4 hours before the interruption occurred will be lost.

    As for which one is provided by the business, in fact both are provided by them. Most often business people think in terms of RTO (when the business must be resumed after a disruption), but from the general information they provide during a Business Impact Analysis (BIA) you can also identify the RPO.
    These materials will provide you further explanation about RTO, RPO and BIA:
    - What is the difference between Recovery Time Objective (RTO) and Recovery Point Objective (RPO)? https://advisera.com/27001academy/knowledgebase/what-is-the-difference-between-recovery-time-objective-rto-and-recovery-point-objective-rpo/
    - Implementing Business Impact Analysis according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/implementing-business-impact-analysis-according-to-iso-22301-free-webinar-on-demand/
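    To make the RTO/RPO arithmetic in the answer above concrete, here is an added example (not part of the original post) that checks an incident against an RTO of 1 day and an RPO of 4 hours. The backup timestamps and incident times are constructed assumptions; the example also goes one step further than the answer and computes the worst-case data loss a backup schedule can actually guarantee, which is longer than the interval between backups because a backup is only usable once it has finished.

```python
from datetime import datetime, timedelta

# Constructed sample data (assumption): each backup records when its snapshot
# was taken ("point_in_time") and when the copy finished ("completed").
BACKUPS = [
    {"point_in_time": datetime(2024, 5, 1, 0, 0), "completed": datetime(2024, 5, 1, 0, 40)},
    {"point_in_time": datetime(2024, 5, 1, 4, 0), "completed": datetime(2024, 5, 1, 4, 35)},
    {"point_in_time": datetime(2024, 5, 1, 8, 0), "completed": datetime(2024, 5, 1, 8, 45)},
    {"point_in_time": datetime(2024, 5, 1, 12, 0), "completed": None},  # still running at the incident
]
INCIDENT = datetime(2024, 5, 1, 12, 10)          # constructed
SERVICE_RESTORED = datetime(2024, 5, 2, 6, 0)    # constructed
RTO = timedelta(days=1)    # objectives from the answer above
RPO = timedelta(hours=4)


def last_usable_backup(backups, incident):
    """Newest backup that had fully completed before the incident struck."""
    usable = [b for b in backups if b["completed"] is not None and b["completed"] <= incident]
    return max(usable, key=lambda b: b["point_in_time"], default=None)


def evaluate_incident(backups, incident, restored, rto, rpo):
    """Compare what actually happened against the RTO and RPO."""
    backup = last_usable_backup(backups, incident)
    downtime = restored - incident
    # Data loss is measured from the snapshot time, not from when the copy finished.
    data_loss = incident - backup["point_in_time"] if backup else None
    return {
        "downtime": downtime,
        "rto_met": downtime <= rto,
        "data_loss": data_loss,                     # None: no usable backup at all
        "rpo_met": data_loss is not None and data_loss <= rpo,
    }


def worst_case_data_loss(backups):
    """Largest loss the schedule can produce: from one snapshot until the next
    backup has finished, since only then does the newer copy become usable."""
    done = sorted((b for b in backups if b["completed"] is not None),
                  key=lambda b: b["point_in_time"])
    gaps = [nxt["completed"] - prev["point_in_time"] for prev, nxt in zip(done, done[1:])]
    return max(gaps, default=None)


if __name__ == "__main__":
    print(evaluate_incident(BACKUPS, INCIDENT, SERVICE_RESTORED, RTO, RPO))
    print("worst case loss for this schedule:", worst_case_data_loss(BACKUPS))
```

    With these inputs the RTO is met (17 h 50 min of downtime) but the RPO is missed: the 12:00 backup had not finished, so recovery falls back to the 08:00 snapshot and 4 h 10 min of data is lost, and the schedule's worst case is 4 h 45 min.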
  • Design validation


    Answer:

    Validation means the confirmation, with objective evidence, that the requirements for a specific intended use have been fulfilled. Can your company show, for example, the results of tests that demonstrate validation?

    Another approach is to consider that your organization only performs a final verification to put the products on a catalog and that validation is done with the customer, after the customization and final customer approval. Normally, I use customer final approval as a sign of validation.

    The following material will provide you information about design validation:

    - ISO 9001 Design Verification vs Design Validation – https://advisera.com/9001academy/knowledgebase/iso9001-design-verification-vs-design-validation/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Cross border transfer


    Answer:

    First of all, I would like to mention that cross-border transfer refers to the situation where personal data is stored or accessed from outside the EEA. So in your case, if the data is stored in the UK but it can be accessed from the US, then it is definitely a cross-border data transfer.
  • Quality policy and quality objectives


    Answer:

    How does your organization win its most desirable customers? What do they value the most? Are there relevant interested parties that help you win business? What do they value the most? The answers to these questions help you assess the strategic orientation of your organization.

    When I work with the top management of an organization I follow this recipe:

    Who we are and what our business is (for example, our business is not what we manufacture but the results that our customers get);
    For whom do we work;
    In what kind of challenges do we need to be the best;
    And include the two commitments of the standard (continual improvement and meeting customer and regulatory requirements).

    For example:

    "Company name" is an industrial company specialized in comfort footwear.

    We serve customers who need a supply of comfort footwear for professional uses.

    In order to better serve our customers, we believe that we must seek to continuously improve:

    Our ability to develop, to be able to respond quickly to requests for samples;
    A language of product that differentiates us and supports the promise of comfort;
    The ace card of being a manufacturer and being able to be faster and more flexible in production;
    The fulfillment of our commitments.

    Considering this example of quality policy, quality objectives can be:

    Average time to finish a sample request;
    Ratio of success of samples to target customers;
    Ratio of complying with agreed delivery dates;
    Ratio of complaints;
    Internal defect rate (number of defects per 1000 produced pairs).

    Look how objectives allow you to monitor the promises made in the quality policy.

    The following material will provide you information about quality policy and objectives:

    - ISO 9001 – How to Write a Good Quality Policy - https://advisera.com/9001academy/blog/2014/03/25/write-good-quality-policy/
    - How to Write Good Quality Objectives - https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Using DPIA

    2. Is a separate DPIA required each time this occurs? The spreadsheet provided as a template doesn't seem to speak to these events

    Answers:

    1. According to EU GDPR Article 35 – “Data protection impact assessment” (https://advisera.com/eugdpracademy/gdpr/data-protection-impact-assessment/), a DPIA is required if you are processing “personal data relating to criminal convictions and offences”. Although the EU GDPR also mentions that the processing activity would need to be on a “large scale”, I would strongly advise you to perform a DPIA for background checking prior to employment.

    2. You don’t need a DPIA each time you do a background check; you can just mention background checking as a processing activity, and this would cover all the cases in which you do a background check, provided that you process the same data in a similar way.
  • Publishing Privacy Policy


    Answer:

    Based on your description below, it does not make sense to publish the Privacy Policy on your website unless you use the website to collect data, for example CVs for recruitment purposes, or to get data subjects to set up an account.

    In the case above you just need to publish the Privacy Policy on your intranet, for example.

    Regarding DSARs, these should come from the data subjects for which you are acting as controller, so you need to provide this information only to them. For example, in the case of requests from your employees you can provide the information on your intranet. However, bear in mind that former employees also have these rights, so the information should be available to them as well; the intranet might not be sufficient in this case.

    You can find out more about Data Subject Access Requests from our webinar “Data Subject Rights under the EU GDPR” (https://advisera.com/eugdpracademy/webinar/data-subject-rights-under-the-eu-gdpr-free-webinar-on-demand/).
  • Antivirus protection


    Answer:

    The antivirus protects data only with regard to certain types of threats, usually external threats, and this is hardly enough to prove that you are keeping the data safe.

    The EU GDPR in Article 32 – Security of processing (https://advisera.com/eugdpracademy/gdpr/security-of-processing/) mentions “pseudonymisation and encryption of personal data” as examples of measures that can be taken to protect the data.

    However, it is up to the controllers and processors to establish “appropriate technical and organizational measures” based on the types and categories of personal data they are processing as well as the purpose of the processing (obviously a bank would need to have stricter security measures than an online shop selling flowers). In our folder 8_Security of Processing in our EU GDPR Documentation Toolkit (https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/).

    You can also check out our article “How cybersecurity solutions can help with GDPR compliance” https://advisera.com/eugdpracademy/blog/2017/11/27/how-cybersecurity-solutions-can-help-with-gdpr-compliance/
  • Risk assessment and SOA


    When I look at the SOA, it lists all of the Appendix A controls. My question is if the identified number of category 3 and 4 risks is low, then logically there will be a high number of SOA controls that do not apply and I would need to say “NO” in the Applicability column in the SOA table.

    Answer: Your assumption is partially correct. If you have a low number of risks considered unacceptable, which will require the implementation of security controls to be treated, then there is a great chance that for most controls in the SoA you will state them as not applicable. But you should note that controls may be required because of legal requirements (e.g., a law or contract), or because top management decided on their implementation (by considering them as "good practice").

    By the way, included in the toolkit you bought you have access to a video tutorial that can help you understand and fill the risk assessment and risk treatment templates.

    This article will provide you further explanation about risk assessment and risk treatment:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    This material will also help you regarding risk assessment and risk treatment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Risk assessment questions


    Answer: The risk assessment report presents a brief explanation of the risk assessment methodology, the identified risks, and those risks evaluated as unacceptable by the organization. The risk treatment report presents a brief explanation of the risk treatment methodology and the treatments chosen for all risks the organization considered unacceptable, as well as for those the organization decided to treat based on other reasons (e.g., because of legal requirements or because it considers the treatment a best practice).

    Generally, the risk assessment and risk treatment reports are presented as a single document.

    The statement of applicability presents a summary of which controls are necessary, the justification for their inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A.

    These articles will provide you further explanation about Risk Assessment, Risk Treatment and SOA:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

    2 - Does ISO 27001 specify the form of scope?

    Answer: ISO 27001 does not specify the form of the scope, only the minimal information that must be considered in its definition:
    - external and internal issues related to the understanding of the organization and its context;
    - the requirements of relevant interested parties; and
    - interfaces and dependencies between the organization and other organizations.

    These articles will provide you further explanation about scope definition:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    These materials will also help you regarding scope definition:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Lead auditor and lead implementer

    Kindly describe me more in details for both.

    Answer: Let's start with the differences:
    - ISO 27001 Lead Implementer – this certification recognizes people who have competency on the ISO 27001 implementation process.
    - ISO 27001 Lead Auditor – this certification recognizes people who have competency on auditing an ISMS against ISO 27001 requirements and want to become certification auditor (and with this provides more confidence to an organization for being certified).

    So, the decision about which one to take will depend on your professional purposes. If you plan to work on an Information Security Management System certification process, then you should consider the Lead Implementer certification. If you plan to ensure the operation of an ISMS, then you should consider the Lead Auditor certification.

    These articles will provide you further explanation about ISO 27001 personnel certifications:
    - What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
    - Lead Auditor Course vs. Lead Implementer Course – Which one to go for? https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/

    This material will also help you regarding ISO 27001 personnel certifications:
    - ISO 27001 Lead Auditor Course preparation training [free webinar on demand] https://advisera.com/training/iso-27001-lead-auditor-course/