
  • Software versioning


    Answer:

    The changes you've mentioned cannot be considered versions of software. If you are changing the parameters of the production process or the part you are producing, you only need to document those changes so you can ensure traceability to the parts being produced under these conditions. This information is usually already present in the work order, drawings or some other record.
  • Difference between continual and continuous improvement


    Answer:

    “Continuous improvement” and “Continual improvement” are often used interchangeably and shouldn't be used in that manner. Continuous indicates duration without interruption. Continual indicates duration that continues over a long period of time, but with intervals of interruption.

    Continuous improvement means that organizations are in a constant state of driving process improvements. This involves a focus on linear and incremental improvement within existing processes. Continual improvements means that organizations go through process improvements in stages and these stages are separated by a period of time. This period of time might be necessary to understand if the improvements did actually help the bottom line. In some cases, the results might take a while to come to realization.

    Continual and continuous improvement have nothing to do with how the organization achieves the improvements but rather with whether the improvement is linear or not.
  • Scope definition

    This is how I did it:
    I made a list of items that the company uses, like routers firewall switches etc.
    I made a list of software that they use that inputs and outputs sensitive information.
    And I made a list of external parties that inputs and outputs sensitive information.

    My questions are:

    1 - Do I need to describe which department in the company makes use of this software?

    Answer: First, it is important to note that an ISO 27001 scope is defined in terms of locations, organizational units and/or information the ISMS is supposed to protect. Considering that, your first two lists refer to assets that are included in your scope, and your last list presents elements that interface with your ISMS. These are important things, but they do not define your scope, so it is necessary for you to define at least the department in the company that uses this software and the information that is handled.

    2 - Do I have to mention all external parties that are out of scope in the chapter out of scope?

    Answer: Following the first answer, external parties do not need to be included in the scope statement, whether or not they interface with the ISMS.

    3 - Did I miss something in the chapter interfaces?

    Answer: Maybe you should consider the identification of the processes that make use of the software you identified and are used by the external parties to input and output information.

    These articles will provide you further explanation about defining scope:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    These materials will also help you regarding defining scope:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • GRC questions


    1 - Compliance organization structure in accordance with best practice, comprising the 3 ISO pillars: ISO 27001, ISO 22301 & ISO 20000

    Answer: ISO management standards now have a common framework and set of requirements that makes it easier to work with them in an integrated manner. Since each organization is unique in its requirements, there is no definitive structure that can be applied to all organizations, but I suggest you read this article about integrated systems:

    - How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/

    2 - Who should be the key members for Governance Risk Compliance committee : ie : Risk Management
    a. ISMS Committee
    b. BCMS Committee
    c. ITSM Committee

    Answer: Besides experts in each field you mentioned (i.e., information security, business continuity and information technology) and top management, you should consider personnel from the Legal and Financial areas, as well as representatives of critical areas of the organization.

    3. Who should be the expert within the organization to orchestrate and be responsible for establishing and maintaining the security strategy that ensures the information assets are adequately protected, including identifying, developing, implementing and maintaining processes across the organization?

    Answer: For this role you should consider personnel with high competence (i.e., knowledge and experience) in risk management or information security (generally this person is designated as the CISO - Chief Information Security Officer).

    These materials will provide you further explanation about your questions:
    - Integration of Information Security, IT and Corporate Governance https://info.advisera.com/27001academy/free-download/integration-of-information-security-it-and-corporate-governance
    - What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
    - Chief Information Security Officer (CISO) – where does he belong in an org chart? https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/
    - How to integrate COSO, COBIT, and ISO 27001 frameworks https://advisera.com/27001academy/blog/2016/10/10/how-to-integrate-coso-cobit-and-iso-27001-frameworks/

    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • ISO 27001 foundations course content

    Information about Human resources security in our ISO 27001 Foundations Course can be found in module 2 - The planning phase (units Awareness and Competence) and module 6 - Annex A – Control objectives and controls.
  • Becoming GDPR compliant


    Answer:

    Where consent has been given under the Data Protection Directive, it will continue to be valid under the Regulation only if it meets the requirements of the Regulation. This may be difficult given the new and stringent requirements for consent. Thus, some businesses should consider approaching their existing customers to obtain a fresh consent that is valid under the Regulation. However, this is likely to be an onerous exercise and in many cases will not lead to a fresh consent.

    The ePrivacy Directive imposes additional constraints if you market by telephone, email or fax. For example, you can only send direct marketing to someone by email if:

    - they have given you consent; or
    - you have an existing relationship with them and fall within the so-called similar products and services exemption.

    The ePrivacy Directive currently defines consent by reference to the Data Protection Directive. This will automatically be superseded by a reference to the Regulation from May 2018 onward. In other words, obtaining consent to market by email will become a whole lot harder as well.

    So, my advice would be to assess whether the consents you got are compliant with the new EU GDPR requirements. If they are, you should be fine; if they aren't, you need to get new compliant consents.

    For more insight on how EU GDPR will affect marketing you can check out our article “How does GDPR impact marketing activities?” https://advisera.com/eugdpracademy/blog/2018/02/08/how-does-gdpr-impact-marketing-activities/
  • Employees consent


    Answer:

    I would strongly advise you against using employees' consent as a basis for processing their personal data. It was considered and is still considered that consent from employees is not genuinely “freely given”, since there is an imbalance between the employer and the employee and the latter tends to agree to whatever the employer wants. Also, consider that consent can be withdrawn at any time, and in doing so the employee would basically make the processing activity impossible for the company.

    With regard to employees' data, you can use contractual obligation as a legal basis for all the activities related to the labor agreement (contract), for example payroll activities.

    You can also rely on legitimate interest for activities such as video monitoring, fleet GPS monitoring or monitoring of employees using DLP solutions.

    The Article 29 Working Party’s Opinion 2/2017 (on data processing at work, WP249, 8 June 2017) provides some helpful examples of the likely limits of this legal basis. For example, if an employer deploys a data loss prevention tool to monitor employees’ outgoing emails automatically to prevent unauthorized transmission of proprietary data, in order to rely on legitimate interests it will need to ensure, among other things, that the rules that the system follows to characterize an email as a potential data breach are fully transparent to employees and that employees are warned in advance if the tool recognizes an email that is to be sent as a possible data breach, so as to give the sender the option to cancel this transmission.

    You can find out about consent and alternative legal bases in our article “Is consent needed? Six legal bases to process data according to GDPR” - https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/
  • RTO and RPO definition for critical systems


    Answer: The definition of RTO and RPO for critical systems is generally done by the person responsible for the application (e.g., by the HR Department Head for an HR system, by the Financial Department Head for an accounting system, etc.), considering the inputs of interested parties impacted by a disruption in application operation (e.g., IT staff, the organization's users, customers, regulators, etc.), but these must be approved by top management.

    2 - Can the RTO and RPO be the same for a system? Which does the business provide? RTO or RPO?

    Answer: RTO and RPO are completely different concepts, so they can be the same for a system. The RTO refers to a recovery time to be achieved, while the RPO refers to a point in time to which the system must be recovered with stability (any information from the period after that point will be lost or not considered).

    For example, if an application has an RTO of 1 day and an RPO of 4 hours, it means that this application can be recovered (resume normal operation) in one day, but the information from the last 4 hours before the interruption occurred will be lost.

    As for which one is provided by the business, in fact both are provided by them. Most often business people think in terms of RTO (when the business must be resumed after a disruption), but from the general information they provide during a Business Impact Analysis (BIA) you can also identify the RPO.

    These materials will provide you further explanation about RTO, RPO and BIA:
    - What is the difference between Recovery Time Objective (RTO) and Recovery Point Objective (RPO)? https://advisera.com/27001academy/knowledgebase/what-is-the-difference-between-recovery-time-objective-rto-and-recovery-point-objective-rpo/
    - Implementing Business Impact Analysis according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/implementing-business-impact-analysis-according-to-iso-22301-free-webinar-on-demand/
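Added example (not part of the answer above or of the original thread): a small Python check that reads a backup-job log and an incident/restoration timeline and reports whether the RPO and the RTO were met. It illustrates the point in the answer that the two targets are independent (here the RTO is met while the RPO is missed), and adds a check the answer does not spell out: the data loss a backup schedule can actually guarantee is the largest gap between successful backups, so a single failed run widens it even if the scheduled interval is unchanged. The log format, the timestamps and the 1-day / 4-hour targets are constructed assumptions chosen to mirror the figures in the answer.

```python
"""Check a backup history and a recovery timeline against an RTO and RPO.

Constructed example: the log format, timestamps and targets below are
assumptions, not data from any real system or from the original thread.
"""
from datetime import datetime, timedelta

RTO = timedelta(days=1)    # maximum tolerable downtime (recovery time)
RPO = timedelta(hours=4)   # maximum tolerable data loss, measured in time

# Constructed backup job log: one run per line, ISO-8601 timestamp and outcome.
BACKUP_LOG = """\
2024-03-10T00:05:00 completed
2024-03-10T04:03:00 completed
2024-03-10T08:07:00 completed
2024-03-10T12:02:00 failed
2024-03-10T16:04:00 completed
2024-03-10T20:01:00 completed
"""


def successful_backups(log: str) -> list[datetime]:
    """Return completion times of successful runs, sorted ascending.
    Failed runs are dropped: they produce no restore point."""
    times = []
    for line in log.splitlines():
        if not line.strip():
            continue
        stamp, status = line.split(maxsplit=1)
        if status.strip() == "completed":
            times.append(datetime.fromisoformat(stamp))
    return sorted(times)


def worst_case_loss(backups: list[datetime]) -> timedelta:
    """Largest gap between consecutive successful backups.
    A disruption just before the next backup finishes loses the whole gap,
    so this is the data loss the schedule really guarantees."""
    gaps = [later - earlier for earlier, later in zip(backups, backups[1:])]
    return max(gaps) if gaps else timedelta.max


def data_loss(backups: list[datetime], incident: datetime) -> timedelta:
    """Time between the last successful backup before the incident and the
    incident itself: the data that is actually lost on restore."""
    prior = [b for b in backups if b <= incident]
    if not prior:
        return timedelta.max  # nothing to restore from at all
    return incident - prior[-1]


def assess(log: str, incident_iso: str, restored_iso: str) -> dict:
    """Compare an actual incident against the RTO/RPO targets and report
    whether the backup schedule itself could ever meet the RPO."""
    incident = datetime.fromisoformat(incident_iso)
    restored = datetime.fromisoformat(restored_iso)
    backups = successful_backups(log)
    loss = data_loss(backups, incident)
    downtime = restored - incident
    worst = worst_case_loss(backups)
    return {
        "data_loss": loss,
        "rpo_met": loss <= RPO,
        "downtime": downtime,
        "rto_met": downtime <= RTO,
        "schedule_worst_case": worst,
        "schedule_meets_rpo": worst <= RPO,
    }


if __name__ == "__main__":
    # Constructed incident: outage at 15:30, service restored next morning.
    for key, value in assess(BACKUP_LOG, "2024-03-10T15:30:00",
                             "2024-03-11T09:00:00").items():
        print(f"{key}: {value}")
```

In the constructed run the service is back in 17.5 hours (RTO of 1 day met), but the last good backup before the outage is the 08:07 run because the 12:02 run failed, so 7 hours 23 minutes of data are lost against a 4-hour RPO, and the schedule's worst-case gap (about 8 hours) shows the RPO could not be guaranteed regardless of when the outage struck.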
  • Design validation


    Answer:

    Validation means the confirmation, with objective evidence, that the requirements for a specific intended use have been fulfilled. Can your company show, for example, the results of tests that demonstrate validation?

    Another approach is to consider that your organization only performs a final verification to put the products on a catalog and that validation is done with the customer, after the customization and final customer approval. Normally, I use customer final approval as a sign of validation.

    The following material will provide you information about design validation:

    - ISO 9001 Design Verification vs Design Validation https://advisera.com/9001academy/knowledgebase/iso9001-design-verification-vs-design-validation/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Cross border transfer


    Answer:

    First of all, I would like to mention that cross border transfer refers to the situation where personal data is stored or accessed from outside the EEA. So in your case, if the data is stored in the UK but it can be accessed from the US, then it is definitely a cross border data transfer.
