Search results

  • Risks and opportunities at department level

    List the department objectives.

    • Satisfy the needs of workers to keep up with the company's growth
    • Reduce the occurrence of problems related to skills gaps
    • Increase the effectiveness of actions to fill skills gaps
       

    What can positively affect (opportunities) the ability to meet those objectives? (examples)

    • Increase the company's notoriety to make it more attractive to potential employees.
    • Create a reward system for workers who bring in new workers.
    • Adopt a new methodology for identifying gaps in skills.
    • Change the criteria for selecting trainers to give weight to the quality of results in previous training
       

    List the department's main activities.

    • Select and recruit
    • Onboard training
    • Competency gaps detection …
       

    What can positively affect (opportunities) the ability to meet desired effects? (examples)

    • Digitize the recruiting process to more quickly respond to production requests.
    • Set up an online training program to speed up the onboarding training
  • Privacy Notices


    Answer:

    The purpose of the Privacy Notice is to provide the data subject with information about the processing activities related to his/her personal data. If you have similar processing activities you can choose to have a single Privacy Notice to cover multiple scenarios.

    You can use “layering” to provide the individual with a short summary of the important or unusual uses of their personal data and provide a link to a full specific privacy notice for those who want the detail.

    You can find more information about Privacy Notices by accessing our webinar “Privacy Notices Under the EU GDPR” - https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/
  • Addressing risks


    Answer:

    ISO 9001:2015 recommends that we deal with risks and opportunities at three levels.

    4.4.1 f) – risks about processes – Every process has intended outcomes and possible undesirable effects. What can affect, negatively or positively, the ability to meet those intended outcomes or to avoid those undesirable effects?
    5.1.2 b) – risks about products and services
    6.1.1 a) – risks about intended outcomes of the QMS as a whole (quality objectives)

    The following material will provide you information about the risk-based approach:

    - ISO 9001 – How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    - Risk-based thinking replacing preventive action in ISO 9001:2015 – The benefits - https://advisera.com/9001academy/knowledgebase/risk-based-thinking-replacing-preventive-action-in-iso-90012015-the-benefits/
    - ISO 9001:2015 Risk Management Toolkit - https://advisera.com/9001academy/iso-90012015-risk-management-toolkit/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • ISO 27001 for occupational health and safety?


    Answer: No, I am sorry, ISO 27001 is focused on information security, not on occupational health and safety. For that there is a specific international standard, which has been published recently: ISO 45001. This article may be of interest to you, “How to address risks and opportunities in ISO/DIS 45001”: https://advisera.com/18001academy/blog/2016/02/10/how-to-address-risks-and-opportunities-in-isodis-45001/
  • ISO 27001 implementation

    Answer: For the implementation of ISO 27001 an organization has to fulfill the requirements established in sections 4 through 10 of the standard. Broadly speaking, an organization has to:
    - Define and document a scope based on the needs and expectations of interested parties relevant to information security
    - Define, document and communicate an information security policy
    - Define roles and responsibilities relevant to operation and management of information security
    - Define a risk assessment and treatment methodology
    - Define and allocate competencies and resources for the operation and management of information security
    - Implement risk assessment and risk treatment
    - Operate the security controls and generate the necessary records
    - Measure, monitor and evaluate the information security performance
    - Implement corrections and improvements

    Any person can implement ISO 27001 in their organization. To increase the chances of success, it is important that the persons involved have experience in project management and knowledge of the standard.

    These articles will provide you further explanation about ISO 27001:
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
    - Who should be your project manager for ISO 27001/ISO 22301? https://advisera.com/27001academy/blog/2014/12/01/who-should-be-your-project-manager-for-iso-27001-iso-22301/

    2- How much time does it take for the implementation of ISO 27001 standard?

    Answer: The time to implement ISO 27001 will depend on many variables, like the size of the organization, the complexity of the scope, the resources available, etc., but in general, for small and medium-sized organizations the implementation duration can vary from 3 to 24 months.

    To have an estimate based on your organization's context, I suggest you take a look at our free ISO 27001/ISO 22301 Implementation Duration Calculator at this link: https://advisera.com/27001academy/free-tools/free-calculator-duration-of-iso-27001-iso-22301-implementation/

    3- What are the costs associated with this project?

    Answer: Like in the previous answer, the costs associated with an ISO 27001 implementation will vary according to the size and complexity of the scope and the controls identified as needed as a result of the risk assessment. What I can tell you are some cost issues you should consider:
    - Training and literature
    - External assistance
    - Technologies to be updated / implemented
    - Employee's effort and time
    - The certification process

    Regarding knowledge on costs, I suggest you these articles:
    - How much does ISO 27001 implementation cost? https://advisera.com/27001academy/blog/2011/02/08/how-much-does-iso-27001-implementation-cost/
    - 5 ways to avoid overhead with ISO 27001 (and keep the costs down) https://advisera.com/27001academy/blog/2012/06/19/5-ways-to-avoid-overhead-with-iso-27001-and-keep-the-costs-down/

    4 - Is it possible that trained personnel of my organization can implement this standard after getting training from the online courses?

    Answer: Our online courses provide the knowledge necessary to understand and apply the concepts of ISO 27001, and with the expert support provided with our documentation toolkits a person can go through the implementation process.

    These materials will also help you regarding ISO 27001 implementation process:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - Conformio (online tool for ISO 27001) https://advisera.com/conformio/
  • Risk management


    Answer: Non-tangible assets related to information or information processing facilities are also considered assets for ISO 27001. In fact, intellectual property usually is one critical information asset to be protected.

    For more information about assets, please see this article:
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

    2- Is it possible to get a sample of what a completed Appendix 1 – Risk Assessment table looks like?

    Answer: Included in the toolkit you bought you have access to a video tutorial that can help you fill the risk assessment table, providing examples with real data.

    3 - We are struggling with whether we should identify every single possible threat or just go with the most likely threats.

    Answer: The identification of every single possible threat is unfeasible, so you have to focus on the most likely ones. To minimize the chance that you miss a relevant threat, the risk identification step should include the participation of personnel with knowledge about the situation being analysed (e.g., key users, systems administrators, etc.).

    4 - Does the vulnerability relate to the threat, or are they mutually exclusive in this table, as in one has nothing to do with the other?

    Answer: A vulnerability is a weakness, associated with one or more assets, that can be exploited by one or more threats, so there is a relation between them.

    5 - Can there be a 1 to many relationship of threat to vulnerability?

    Answer: A single threat can exploit many vulnerabilities, in the same way that a vulnerability can be exploited by many threats.

    6 - Can an asset have many threats with many vulnerabilities?

    Answer: A single asset can have many threats associated with it, and as explained in the previous answer, these threats can exploit many vulnerabilities.

    7 - Can a single threat or a single vulnerability have many controls?

    Answer: Single threats / vulnerabilities can have multiple controls designated to handle them. In fact, in many cases this is the most common situation (which we call "defense in depth", where multiple controls are implemented to ensure that if one fails some sort of security still remains, giving people more time to identify and react to the threat).

    These articles will provide you further explanation about risk management:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

    These materials will also help you regarding risk management:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
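As an added example that is not part of the original post or of any Advisera toolkit, here is a small Python model of the relations described in answers 4 to 7: one vulnerability can sit on many assets, one threat can exploit many vulnerabilities, one asset therefore collects many threat/vulnerability pairs, and one pair can be addressed by several controls (defense in depth). The asset, threat and vulnerability names and the likelihood/impact scores are constructed sample data; the control labels use the ISO/IEC 27001:2013 Annex A numbering.

```python
"""Toy ISO 27001-style risk register built from many-to-many relations
between assets, threats, vulnerabilities and controls.
All sample data below is constructed for this example."""
from dataclasses import dataclass, field

# vulnerability -> assets that carry it (one vulnerability, many assets)
VULNERABILITIES = {
    "unpatched OS": {"file server", "laptop"},
    "no backup": {"file server"},
    "weak password": {"laptop", "CRM"},
    "no disk encryption": {"laptop"},
}
# threat -> vulnerabilities it can exploit (one threat, many vulnerabilities)
THREATS = {
    "malware": {"unpatched OS", "weak password"},
    "disk failure": {"no backup"},
    "credential theft": {"weak password"},
    "device theft": {"no disk encryption"},
}
# control -> (threat, vulnerability) pairs it addresses; a pair may appear
# under several controls, which is the "defense in depth" case
CONTROLS = {
    "A.12.6.1 technical vulnerability management": {("malware", "unpatched OS")},
    "A.12.2.1 controls against malware": {("malware", "unpatched OS"),
                                          ("malware", "weak password")},
    "A.9.4.3 password management system": {("malware", "weak password"),
                                           ("credential theft", "weak password")},
    "A.12.3.1 information backup": {("disk failure", "no backup")},
}
# constructed scores on a 1-3 scale: likelihood per threat, impact per asset
LIKELIHOOD = {"malware": 3, "disk failure": 2, "credential theft": 3, "device theft": 2}
IMPACT = {"file server": 3, "laptop": 2, "CRM": 3}


@dataclass
class RiskRow:
    """One line of the risk assessment table."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    controls: list = field(default_factory=list)

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact


def build_risk_table() -> list:
    """One row per (asset, threat, vulnerability) triple: every asset that has
    the vulnerability, crossed with every threat that can exploit it."""
    rows = []
    for threat, vulns in sorted(THREATS.items()):
        for vuln in sorted(vulns):
            for asset in sorted(VULNERABILITIES.get(vuln, ())):
                ctrls = sorted(name for name, pairs in CONTROLS.items()
                               if (threat, vuln) in pairs)
                rows.append(RiskRow(asset, threat, vuln,
                                    LIKELIHOOD[threat], IMPACT[asset], ctrls))
    return rows


def threats_for_asset(asset: str) -> set:
    """All threats that reach an asset through any of its vulnerabilities."""
    return {r.threat for r in build_risk_table() if r.asset == asset}


def uncovered(rows) -> list:
    """Rows with no control at all: the first candidates for risk treatment."""
    return [r for r in rows if not r.controls]


def defense_in_depth(rows) -> list:
    """Rows where more than one control addresses the same threat/vulnerability pair."""
    return [r for r in rows if len(r.controls) > 1]


if __name__ == "__main__":
    table = build_risk_table()
    for r in sorted(table, key=lambda r: -r.risk):
        print(f"risk={r.risk} {r.asset:12} {r.threat:17} {r.vulnerability:19} {r.controls}")
    print("uncovered:", [(r.asset, r.threat, r.vulnerability) for r in uncovered(table)])
```

Running the block lists the eight resulting rows sorted by risk and reports the one (laptop, device theft, no disk encryption) combination that no control covers, which is exactly the kind of gap the risk treatment step is meant to surface.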
  • Call recording policy


    Answer:

    The EU GDPR Documentation Toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ is meant to offer companies the documents that will be required to be compliant with the EU GDPR regardless which is their business. And since not all companies are doing telephone call recording or use CCTV there are no specific documents for this.

    For both call recording and CCTV there is no need to have a specific policy in place; however, you would need to inform the data subject about the fact that they are being recorded during a specific call, as well as the fact that there is a CCTV monitoring system in place. For both, you can use the “General Data Protection Notice” in folder 2 “Personal data protection policy framework” of the EU GDPR Documentation Toolkit.

    You can also check out our webinar on “Privacy Notices under the EU GDPR” - https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/
  • Indemnification clauses


    Answer:

    Usually indemnification clauses are found in the Master Agreement not in the Annexes and the reason is that it needs to be applicable to all subsequent documents of the Master Agreement.

    However, if you want to put an indemnification clause in the Supplier Data Processing Agreement you can use the following wording: “Supplier will indemnify and keep indemnified and defend at its own expense [Company Name] against all costs, claims, damages, expenses, or proceedings which [Company Name] may incur as a result of a breach by Supplier of its obligations herein. In case [Company Name] has suffered loss, cost and/or damage, or has to pay any penalty or compensation according to EU GDPR or other Privacy Laws due to Supplier’s breach, Supplier shall reimburse [Company Name] for all that loss, cost and damages.”
  • Use of structured templates


    Answer:

    There is nothing mandatory in ISO 9001:2015 about documents having to follow a structured template. Normally every organization follows the practice of having work instructions, procedures or forms follow a structured template. That conveys order and planning and frames a common visual look, but it is not a mandatory requirement. Clause 7.5.2 b) requires that the template(s) used is/are adequate.

    The following material will provide you information about the documented information:

    - ISO 9001 – How to structure quality management system documentation - https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Setting up a network


    Answer: ISO 27001, and more specifically ISO 27002, can provide you with requirements regarding what you must consider when setting up a network, but they do not provide guidance on how to perform such a task.

    These articles will provide you further explanation about ISO 27001 and ISO 27002:
    - What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    - ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/

    Technically speaking, you should consider:
    - Identification of which traffic must come in and out of this network, so you can configure the rules for the security perimeter (e.g., through an outbound firewall)
    - Identification of which traffic should flow inside the network, so you can configure how the elements should be segregated (e.g., to segregate networks accessed by visitors, by embassy's employees in general, and by embassy's high staff).
    - In case of use of wireless networks, what would be the rules for use and access.

    These articles will provide you further explanation about ISO 27001 and network security:
    - How to manage the security of network services according to ISO 27001 A.13.1.2 https://advisera.com/27001academy/blog/2017/02/13/how-to-manage-the-security-of-network-services-according-to-iso-27001-a-13-1-2/
    - How to manage network security according to ISO 27001 A.13.1 https://advisera.com/27001academy/blog/2016/06/27/how-to-manage-network-security-according-to-iso-27001-a-13-1/
    - Requirements to implement network segregation according to ISO 27001 control A.13.1.3 https://advisera.com/27001academy/blog/2015/11/02/requirements-to-implement-network-segregation-according-to-iso-27001-control-a-13-1-3/
