Search results

Home / Search

Category:
Select
Select

11272 results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Changing template content


    Answer: To change the formula for risk calculation you only have to replace the formula on each cell in "Risk" column, as you would do to change a formula in an excel spreadsheet. The cell are not blocked so you can change the content freely.

    To change the values permitted for columns Consequence and Likelihood, please select the cells in the "Consequence" column you want to apply the change to, access the tab "Data" in the main menu, then in Data Tools select the option "Data Validation". In the window that will show you can edit the values permitted for the cells as well as the warning text. Do the same steps for cells in the column "Likelihood".

    To change the colours that are displayed automatically based on the r isk level, you have to select the same cells as in the previous explanation and access in "Home" tab the "Conditional Formatting" option, and the the option "Manage rules". From there you can edit the colours according your needs.

    For more information, please access these links:
    - https://support.office.com/en-us/article/apply-data-validation-to-cells-29fecbcc-d1b9-42c1-9d76-eff3ce5f7249
    - https://support.office.com/en-us/article/use-formulas-with-conditional-formatting-fed60dfa-1d3f-4e13-9ecb-f1951ff89d7f

  • Information protection


    Answer: For protection of information flowing through the Internet, and networks in general, the recommended approach is application of cryptography, either to protect the communication channel and the information itself, as well as to authenticate the parties involved in the communication.

    These articles will provide you further explanation about use of cryptography:
    - How to use the cryptography according to ISO 27001 control A.10 https://advisera.com/27001academy/how-to-use-the-cryptography-according-to-iso-27001/
    - How to manage the security of network services according to ISO 27001 A.13.1.2 https://advisera.com/27001academy/blog/2017/02/13/how-to-manage-the-security-of-network-services-according-to-iso-27001-a-13-1-2/

  • Privacy Notices

    2. Once the 'Privacy Policy' is completed this goes online but where do we put our 'Privacy Notice' once completed? Can we send this to our clients via email?

    Answers:

    1. This depends on what you are going with the comments, for what purpose you are collecting them. So, in order to provide you with an accurate answer would need more details on the reports you are sending and the reason for doing that. Also, do you really need to include the names ? What is the reason behind that?
    2. Regarding your Privacy Policy is not necessary that you sent them to your clients you could just inform them about it and provide a link to it. Regarding the “Privacy Notice” according to article 13 of the EU GDPR – “Information to be provided where personal data are collected from the data subject” you need to provide it at the time the information i s collected.
    However, if you don`t receive the personal information from directly from the data subject but from another source as per article 14 of the EU GDPR – “Information to be provided where personal data have not been obtained from the data subject” you can provide the Privacy Notices:
    - within a reasonable time after obtaining the data, but at the latest within a month;
    - if the personal data is used to communicate with the individual, at the latest when that communication is made;
    - if the personal data is disclosed to a third party, at the latest when that data is disclosed.

    If you obtain that personal data from a third party, there is no need to provide a privacy notice if:
    - the individual already has the information;
    - providing the information would be impossible or involve disproportionate effort, particularly where the processing
    is for archiving, scientific or historical research purposes or statistical purposes;
    - the obtaining or disclosure is pursuant to Union or Member State law and there are appropriate measures to protect - the individual; or
    - the information is subject to professional secrecy

    There is no mention in the EU GDPR on how you should communicate the Privacy Notice so you can use email as well.

    You can learn more about Privacy Notices by accessing our free webinar “Privacy Notices Under the EU GDPR” at https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/

  • ISO 22301 and NIST 800-34


    Answer: Our templates are based on ISO standards, and although NIST 800-34 share high level aspects with ISO 22301, the ISO standard for business continuity management, our templates were not designed considering specificities of NIST 800-34.

    I suggest you to take a look at the free demo of our ISO 22301 Documentation Toolkit at this link: https://advisera.com/27001academy/iso22301-bs25999-documentation-toolkit/ to see if our templates can fulfill your needs.

    These materials will also help you regarding ISO 22301:
    - How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/

    - Implementing Business Impact Analysis according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/implementing-business-impact-analysis-according-to-iso-22301-free-webinar-on-demand/

    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
    - ISO 22301: An overview of the BCM implementation process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-22301-overview-bcm-implementation-process-free-webinar-demand/

  • Main control activity

    So, my question was- in each procedure documentation, is it an ISO27001 requirement to identify the key control activity along with the key records?

    Answer: ISO 27001 does not require the identification in procedure documentation of such thing as main or key control activity as you described it. As a good practice, you may consider to include in policies and procedures references to the controls these documents are fulfilling. For example, in a access control policy you may include reference to control A..9.1.1 - Access control policy.

  • Is ISO 27002 acquisition necessary?


    Answer: ISO 27002 provides detailed guidance and recommendations on how to implement controls of ISO 27001 Annex A (which only presents objectives to be achieved and what controls should do), and although its acquisition is not mandatory to implement ISO 27001, it can provide a significant help in the implementation process

    These articles will provide you further explanation about ISO 27001 and ISO 27002:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    - ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/

  • Change management


    Answer: Change management is a process focused to ensure changes are formalized, evaluated, authorized and implemented in such way to minimize risks of unsuccessful changes or unplanned downtimes.

    This article will provide you further explanation about change management in ISO 27001:
    - How to manage changes in an ISMS according to ISO 27001 A.12.1.2 https://advisera.com/27001academy/blog/2015/09/14/how-to-manage-changes-in-an-isms-according-to-iso-27001-a-12-1-2/

  • Integrated toolkits

    In all, I am happy. We have certified 9 branches in Europe and the only 'pain' I have is that information is not structured. In fact it is everywhere on the server.

    My next project will be the GDPR compliance procedures. I noticed that you have a combined toolkit on GDPR and ISO27001.

    Why do you combine these 2 toolkits? I mean with the ISO HLS, isn't it more logical to combine ISO 9001, 14001, 45001 and 27001 in one toolkit?

    Can my QHSE representatives 'approach' these toolkits?

    Answer: Both GDPR and ISO 27001 focus on protection of information, so it is a natural move to combine them to provide a more cost-effective structure.

    Regarding an integrated toolkit combining ISO 9001, 14001, 45001 and 27001, we didn’t have much interest in such product so this is the reason why we don’t have it.

  • Risk assessment approach

    Threat - Vulnerabilities (mapping)
    Vulnerabilities - Threat (Mapping)
    I've seen both types of Risk Register

    Answer: Both approaches are good, but personally speaking, I like to use the Vulnerability-Threat approach. Generally it is more easier to identify and take action over vulnerabilities (that are linked to the assets you own or have control over) than identify and handle threats, that are mostly linked to a factor you have little or no control over at all, so the approach of mapping first vulnerabilities and then possible threats that can be associate do them is more efficient.

    These articles will provide you further explanation about Risk assessment:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
    - ISO 27001 risk assessment: How to match as sets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

    These materials will also help you regarding Risk assessment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/

  • Positive and negative risks


    Answer: ISO 27005 approach toward negative risks was a decision from the standard's responsible committee for the release of the current version (2011), based on the world's context at the time. For a risk management approach considering positive and negative risks, I suggest you to take a look at ISO 31000, ISO standard for risk management in general.

    This article will provide you further explanation about ISO 31000:
    - ISO 31000 and ISO 27001 – How are they related? https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/
Page 786-vs-13485 of 1128 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +