
  • List of evidences / artefacts

    Example: HR security domain :-
    Evidence required: approved HR policy document, roles and responsibilities table in the ISMS, list of the last 5 onboarded resources with training completed, list of the last 5 offboarded resources with offboarding checklist and data removal certificate, access revoked mail confirmation, etc.

    Answer: It seems to me that you are making a mistake here.

    When performing a risk assessment there is no need to list evidence/artefacts. In this step you have to identify which risks are relevant considering the scope of the assessment.

    Evidence and/or artefacts regarding the 114 controls from ISO 27001 Annex A are used when you perform either a gap analysis (to identify how many controls you already have implemented) or an audit (to evidence the controls' implementation and performance).

    For a list of questions regarding gap analysis, I suggest you take a look at our free ISO 27001 Gap Analysis Tool at this link: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/

    Its question-and-answer format allows you to visualize which specific elements of an information security management system are already implemented, and what still needs to be done.

    For a list of questions regarding internal audit, I suggest you take a look at the free demo of our Internal Audit Checklist at this link: https://advisera.com/27001academy/documentation/internal-audit-checklist/

    For each clause or control from the standard the checklist provides one or more questions which should be asked during the audit in order to verify the implementation.

    These articles will provide you further explanation about gap analysis, internal audit, risk assessment and checklists:
    - ISO 27001 gap analysis vs. risk assessment https://advisera.com/27001academy/knowledgebase/iso-27001-gap-analysis-vs-risk-assessment/
    - Risk assessment vs. internal audit in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/12/08/risk-assessment-vs-internal-audit-in-iso-27001-and-iso-22301/
    - How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
  • ISO 9001 Use of Quality Tools

    Academy: https://advisera.com/9001academy/blog/2017/04/18/how-to-use-quality-control-tools-to-improve-your-qms/

    Answer:
    This is correct: ISO 9001:2015 does not dictate any quality tools to be used in the QMS. ISO 9001:2015 calls for the QMS to continually improve, and the article was pointing out some ways that quality tools can be used to support this continual improvement. They are not mandated; however, like other tools such as Six Sigma and Lean, the quality tools can be used to support the QMS.
    For more information on these other tools see these articles: https://advisera.com/9001academy/knowledgebase/iso-9001-vs-six-sigma-how-they-compare-and-how-they-are-different/ and https://advisera.com/9001academy/blog/2014/07/22/iso-9001-vs-lean-compare-different-2/
  • GC Mark for business continuity

    Answer:

    I would say you have to conclude for what purpose you need a certificate: if your clients prefer the GC Mark to ISO 22301, then you should go for the GC Mark, and vice versa.

    By the way, I've reviewed the GC mark website, and I didn't find a certificate for business continuity.
  • Benefits of ISO 14001

    How does it contribute to sustainability practices?

    Answer:

    The implementation of an environmental management system allows an organization to develop a systematic approach to environmental issues. It begins with basic assurance of legal and regulatory compliance, and evolves to issues such as alignment between strategy and environment (e.g. waste reduction, better waste separation and increased efficiency in cost-based strategies, or integration of environmental concerns into the design of new products in strategies based on innovation), improving the relationship with the neighbourhood and avoiding problems with future expansion needs, or improving the image before potential clients who value environmental issues.

    The following material will provide you information about environmental management benefits:

    - ISO 14001 – 6 Key Benefits of ISO 14001 - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/6-key-benefits-of-iso-14001/
    - free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - Book – The ISO 14001:2015 Companion – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • Outsourced processes in scope

    No, it is not necessary. Remember that some organizations use outsourced processes only when they have more orders than capacity.
    The following material will provide you information about scope:
    - ISO 9001 – How to define the scope of the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
  • Internal audit on documentation

    First, “work instructions” is a designation normally used to describe operational procedures that explain in more or less detail “how to do some task”. When auditing documentation, you can verify if it is clear, known by users, approved by the right authority, updated and followed.
    The following material will provide you information about internal audit:
    - ISO 14001 – How to make an ISO 14001 internal audit checklist - https://advisera.com/14001academy/blog/2016/06/27/how-to-make-an-iso-14001-internal-audit-checklist/
    - Free course - ISO 14001:2015 Internal Auditor Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
  • Retention period

    Answer:

    Article 5(e) - “Principles relating to processing of personal data” of the EU GDPR states that personal data should be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed” (https://advisera.com/gdpr/principles-relating-to-processing-of-personal-data/). And this is the only mention of a retention period.

    It is up to the controller to establish suitable retention periods unless those are specified in local law. So my advice is to ask someone with a legal background if such obligation exists under Norwegian law and if not, you can keep deleting the chat content every 30 days.

    You can find additional information about data retention in our “EU GDPR Foundations Course” (https://advisera.com/training/eu-gdpr-foundations-course//).
  • Customer complaint

    Answer:
    Service complaints are, basically, your customer's feedback on a service (quality, performance, etc.) or on your IT Service Management (ITSM) organization. Therefore, they should be seen from a positive side. Customer complaints can come in several ways. Here are a few examples:
    1. Through Business Relationship Management (BRM) - BRM is in (business) contact with the customer and should be an advocate for complaints received from the customer
    2. Through Service Level Agreements (SLM) - they continually communicate with the customer (on an operational level) and can also be a channel through which the customer can communicate their complaints
    3. Through a customer complaint form - use e.g. a Service Request for the user to submit a complaint, or publish a document template on the intranet which users can use to submit complaints.

    And one more thing - once you receive a complaint, it's crucial that something is done and that the customer knows that.

    This document can help you with more details regarding customer complaints: "ITIL Customer satisfaction – Design driven by outcomes" https://advisera.com/20000academy/blog/2014/07/08/itil-customer-satisfaction-design-driven-outcomes/
  • Procedure for document and record control

    Answer: You have to identify the existing controls in the Statement of Applicability even if in the Risk Assessment they are associated with risks identified as acceptable (after all, they are implemented and may be the main reason why the risk is low).

    2- I'm also a little confused about this:
    Documents of external origin:
    "Each external document which is necessary for the planning and operation of the ISMS/compliance with GDPR must be recorded in the incoming mail register. The incoming mail register must contain the following information: (1) document number, (2) sender, (3) document name, (4) date of receipt, (5) name of the person to whom the document has been forwarded.

    The person who receives mail and courier parcels must forward them to the Information security officer, who must make a record in the incoming mail register; the person who receives electronic mail must forward such a document to [job title], who must also record it in the incoming mail register. The information security officer then classifies documents according to the Policy for handling classified information and determines to whom the document should be forwarded."

    This surely needs only to apply to documents from third parties, i.e. suppliers who are sending us information about the GDPR/ISO 27001 project; however, I don't really see how this would apply to us. We'll email these suppliers asking for clarification, they'll reply and we can log the information, but under what circumstance would they send us mail/physical post? Is this paragraph in here just to cover the case where someone sends physical paperwork? Why would it be confidential anyway? It may be that this just doesn't apply to us as a business and therefore I don't see its purpose.

    Answer: First, it is important to note that by third parties you must consider not only suppliers, but also other players such as partners, customers, governments, regulatory bodies, etc.

    The second point is that even as a SaaS provider, it is extremely rare that an organization can work without documents of external origin being sent through physical media (e.g., official documents from government agencies), and the obligation to track all relevant external documents applies to both paper and electronic documents.

    Therefore, you do not need an incoming mail register as a separate document.

    Regarding confidentiality, the media on which the information is stored does not define its confidentiality level, but rather the evaluation of the information owner; so you can have confidential information on physical media if the information owner classifies the information as confidential, regardless of the media where it is stored.

    For more information regarding information classification, I suggest you this article:
    - Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
  • Toolkit structure

    Also, let me know when would be best to catch up.

    Answer: Included in the toolkit you bought there is a List of Documents file that will show you which templates are related specifically to GDPR, or cover both GDPR and ISO 27001. From that list you can identify and pick only the documents relevant to ensuring compliance with GDPR.

    To schedule a meeting with one of our experts, please access this link: https://advisera.com/eugdpracademy/free-consultation/