
  • Policy template content


    Track name                      [List of authorized persons to access documents]
    Storage location                With the information itself, at the place where the degree of secrecy is indicated
    Responsible person for storage  Information resource owner
    How to protect records          In the same way that information is protected
    Storage time                    The list must exist for the duration of the information itself

    Track name – what does the track refer to?

    Example: The price in the contract or the whole contract? A record in database or entire database?

    Answer: The track name refers to the name by which the record is known in the organization. For example, for contracts you may use as track name the word "contract" to refer to any type of contract, the expression "customer contracts" to refer to contracts related only to customers, or the expression "service contracts" to refer to contracts related to services provided by your organization. This definition is up to each organization, depending on how it refers to its information.

    These materials will also help you regarding control of documents:
    - Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/

    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Root cause analysis in AS9100D


    Answer:
    The AS9100 Rev D standard does not specify how you perform root cause analysis, so unless you have customer requirements telling you how you will do the root cause analysis, you can choose any way you wish: 5 Why, fishbone, 8D, etc.

    It is also useful to note that the new revision of AS9100 now allows you to make a determination for your process nonconformities as to whether you require the full root cause analysis and corrective action to address them (see clause 10.2.1 b). You do need to correct the problem and deal with the consequences, but you can then determine whether you need to take action to eliminate the cause of the nonconformity. Again, if your customer requires you to perform full root cause analysis on a problem, you will not have a choice.

    For more information on the corrective action process in AS9100 Rev D see this article: https://advisera.com/9100academy/knowledgebase/corrective-actions-vs-continual-improvement-in-as9100/
  • Supplier Data Processing Agreements

    It is the reseller's duty to ensure the products it sells are compliant with the legal requirements, including the EU GDPR.
  • Quality Manual content


    Answer:

    Now, ISO 9001:2015 does not require a quality manual, so we have total liberty to develop that kind of document. I like your idea of making it as short as possible, perhaps 10 pages: 10 pages where you answer questions like:

    a) Who are we?

    b) What do we do?

    c) Whom do we serve?

    d) What kind of compromises do we assume?

    e) How do we work? (where you can map your processes and explain each one in plain English. I like to use photos and charts as much as possible)

    The following material will provide you information about the quality manual:

    - ISO 9001 – Writing a short Quality Manual - https://advisera.com/9001academy/knowledgebase/writing-a-short-quality-manual/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Controller vs processor


    Answer:

    For the situation you described, the insurance company acts as a controller in its own right, because it would be determining the means and purpose of the processing regarding the data of your employees.

    If you want to find out more about the distinction between processors and controllers check out our article “EU GDPR controller vs. processor – What are the differences?” - https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
  • Contracts and compliance with GDPR requirements

    2) Do we need to obtain consents from impacted personnel of third parties (e.g., we concluding contract with consulting firm or non-EU financial institution)?

    Answers:

    1. When acting as a controller, for example for the processing of the personal data of your employees, you would need to inform them about the processing activities. You can do that by using a “Privacy Notice”, which is aimed at explaining the processing activities to the employees. The Employee Privacy Notice can be delivered to new employees when they sign the labor agreement. The employees do not have to agree with the content of the Notice but just have to acknowledge it. For existing employees you can choose to post the Notice on your internet and inform them that they can access it at any time. We are currently working on an Employee Privacy Notice that should be with you sometime next week.

    Regarding your contracts with those that process data on your behalf, you will need to have in place a Supplier Data Processing Agreement, which you can find in folder 7. Third Party Compliance in our EU GDPR Documentation Toolkit.

    If you want to find out more about the impact of EU GDPR on your HR activities you can check out our article “How the GDPR could impact your HR department” - https://advisera.com/eugdpracademy/blog/2018/02/22/how-the-gdpr-could-impact-your-hr-department

    2. If you are transferring personal data outside the EEA, it is not necessary to have the consent of the data subject. You need, however, to notify him/her about the cross-border data transfer. If you transfer data outside the EEA, just make sure that you use the Standard Contractual Clauses you find in folder 6. Personal data transfers.
  • Internal Auditor requirements


    Answer:

    If you have persons trained as ISO 14001 Lead Auditors, you have persons that know how to perform an audit. Do they know ISO 9001? What are the organization's requirements for internal auditors? Are they required to evidence knowledge of ISO 9001? Can they evidence it?

    The following material will provide you information about Internal Audits:

    - ISO 9001 – Five Main Steps in ISO 9001 Internal Audit - https://advisera.com/9001academy/knowledgebase/five-main-steps-in-iso-9001-internal-audit/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - free online training ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Risk Assessment


    While the organization has a number of security controls in place, they have a significant lack of documented policies, standards, and processes/procedures. We are not specifically calling out in the risk assessment the lack of documentation, and maybe we should.

    When completing the risk assessment, I believe we are closely following the advice from the videos and blogs on your site. For example, rather than listing out all of the assets during this initial risk assessment, we are grouping the assets into “asset categories” where very similar assets will have the same threat & vulnerability pairs. We are selecting 2 or 3 threats for each asset and 2 or 3 vulnerabilities that can act on each of those threats. Due to existing controls (while undocumented), the subject matter experts are categorizing many of the risks as acceptable (score of 0, 1, or 2) and only about 25 of the risks as unacceptable (score of 3 and 4).

    When moving from the risk assessment to the risk treatment, I am a little confused. We intuitively know that the organization expects to have 107 of the 114 ISO 27001 controls in place when the project is complete. They are using many of those controls today. However, as I mentioned, the organization has a significant lack of documented policies, standards, and processes/procedures.

    How do I create the association between the risk assessment and the controls selection when there are only about 25 risks being identified? Should the risk assessment include a vulnerability like “inadequate documentation of policy, process, and standards”? That would significantly increase the number of identified risks that need treatment, even if the treatment is simply creating the documentation around the controls.

    Does there have to be a direct correlation between the risk assessment and all of the controls selected in the SOA?

    If my email is confusing, perhaps we can have a conversation.

    Answer: First, you have to remember that to treat a risk you can use more than one control. In general, the controls are combined in this way:
    - You establish policies to define and formalize the rules and behaviors that are expected to be followed (e.g., information security policy, access control policy, backup policy, etc.)
    - You establish procedural, physical, and technological controls to enforce the policies (e.g., incident management process, physical and logical perimeters, two-factor authentication for access control, etc.)

    So, depending on the identified risks, you may have one or several controls associated with them, which may cover the 107 controls you are expecting. For example, for a risk of loss of data stored on servers due to a ransomware attack, you can consider the application of controls A.12.2.1 Controls against malware and A.12.3.1 Information backup.

    Regarding the lack / inadequacy of documentation, you can consider it as a single systemic vulnerability (this way it will not greatly increase the number of risks to be treated) and consider, for the risks related to it, the application of controls A.5.1.1 Policies for information security and A.5.1.2 Review of the policies for information security.

    Finally, the controls defined in the Risk Treatment, as well as those identified as implemented in the Risk Assessment, must be identified as applicable in the SoA. Additionally, some controls can be marked in the SoA as applicable even though they were not identified in risk treatment; in this case the reason for selection could be, e.g., “good practice”.

    These articles will provide you further explanation about risk assessment and treatment:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

    These materials will also help you regarding risk assessment and treatment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Confidentiality level


    Answer: Companies generally define 4 confidentiality levels: Confidential (the most confidential information of all), Restricted (medium level), Internal (the lowest level), and Public (can be seen by anyone, inside or outside the company). Therefore, if all employees (and only the organization's employees) can see the document, you could set the level "Internal"; if only some employees (project manager, area managers, etc.) can see it, you could set the level "Restricted"; or if only specific roles (for example, only top management) can see the document, you could set the level "Confidential". This article may be of interest to you, “Information classification according to ISO 27001”: https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/