  • Privacy Notices

    2. Once the 'Privacy Policy' is completed this goes online but where do we put our 'Privacy Notice' once completed? Can we send this to our clients via email?

    Answers:

    1. This depends on what you are doing with the comments, i.e. for what purpose you are collecting them. So, in order to provide you with an accurate answer, we would need more details on the reports you are sending and the reason for doing that. Also, do you really need to include the names? What is the reason behind that?
    2. Regarding your Privacy Policy, it is not necessary that you send it to your clients; you could just inform them about it and provide a link to it. Regarding the “Privacy Notice”, according to article 13 of the EU GDPR – “Information to be provided where personal data are collected from the data subject” – you need to provide it at the time the information is collected.
    However, if you don't receive the personal information directly from the data subject but from another source, as per article 14 of the EU GDPR – “Information to be provided where personal data have not been obtained from the data subject” – you can provide the Privacy Notices:
    - within a reasonable time after obtaining the data, but at the latest within a month;
    - if the personal data is used to communicate with the individual, at the latest when that communication is made;
    - if the personal data is disclosed to a third party, at the latest when that data is disclosed.

    If you obtain that personal data from a third party, there is no need to provide a privacy notice if:
    - the individual already has the information;
    - providing the information would be impossible or involve disproportionate effort, particularly where the processing is for archiving, scientific or historical research purposes or statistical purposes;
    - the obtaining or disclosure is pursuant to Union or Member State law and there are appropriate measures to protect the individual; or
    - the information is subject to professional secrecy.

    There is no mention in the EU GDPR on how you should communicate the Privacy Notice so you can use email as well.

    You can learn more about Privacy Notices by accessing our free webinar “Privacy Notices Under the EU GDPR” at https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/
  • ISO 22301 and NIST 800-34

    Answer: Our templates are based on ISO standards, and although NIST 800-34 shares high-level aspects with ISO 22301, the ISO standard for business continuity management, our templates were not designed considering the specificities of NIST 800-34.

    I suggest you take a look at the free demo of our ISO 22301 Documentation Toolkit at this link: https://advisera.com/27001academy/iso22301-bs25999-documentation-toolkit/ to see if our templates can fulfill your needs.

    These materials will also help you regarding ISO 22301:
    - How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/

    - Implementing Business Impact Analysis according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/implementing-business-impact-analysis-according-to-iso-22301-free-webinar-on-demand/

    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
    - ISO 22301: An overview of the BCM implementation process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-22301-overview-bcm-implementation-process-free-webinar-demand/
  • Main control activity

    So, my question was- in each procedure documentation, is it an ISO27001 requirement to identify the key control activity along with the key records?

    Answer: ISO 27001 does not require the identification in procedure documentation of such a thing as a main or key control activity as you described it. As a good practice, you may consider including in policies and procedures references to the controls these documents are fulfilling. For example, in an access control policy you may include a reference to control A.9.1.1 - Access control policy.
  • Is ISO 27002 acquisition necessary?

    Answer: ISO 27002 provides detailed guidance and recommendations on how to implement the controls of ISO 27001 Annex A (which only presents objectives to be achieved and what controls should do), and although its acquisition is not mandatory to implement ISO 27001, it can provide significant help in the implementation process.

    These articles will provide you further explanation about ISO 27001 and ISO 27002:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    - ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
  • Change management

    Answer: Change management is a process focused on ensuring changes are formalized, evaluated, authorized and implemented in such a way as to minimize the risks of unsuccessful changes or unplanned downtime.

    This article will provide you further explanation about change management in ISO 27001:
    - How to manage changes in an ISMS according to ISO 27001 A.12.1.2 https://advisera.com/27001academy/blog/2015/09/14/how-to-manage-changes-in-an-isms-according-to-iso-27001-a-12-1-2/
  • Integrated toolkits

    In all, I am happy. We have certified 9 branches in Europe and the only 'pain' I have is that information is not structured. In fact it is everywhere on the server.

    My next project will be the GDPR compliance procedures. I noticed that you have a combined toolkit on GDPR and ISO27001.

    Why do you combine these 2 toolkits? I mean with the ISO HLS, isn't it more logical to combine ISO 9001, 14001, 45001 and 27001 in one toolkit?

    Can my QHSE representatives 'approach' these toolkits?

    Answer: Both GDPR and ISO 27001 focus on protection of information, so it is a natural move to combine them to provide a more cost-effective structure.

    Regarding an integrated toolkit combining ISO 9001, 14001, 45001 and 27001, we didn’t have much interest in such a product, so this is the reason why we don’t have it.
  • Risk assessment approach

    Threat - Vulnerabilities (mapping)
    Vulnerabilities - Threat (Mapping)
    I've seen both types of Risk Register

    Answer: Both approaches are good, but personally speaking, I like to use the Vulnerability-Threat approach. Generally it is easier to identify and take action over vulnerabilities (which are linked to the assets you own or have control over) than to identify and handle threats, which are mostly linked to factors you have little or no control over at all, so the approach of mapping first the vulnerabilities and then the possible threats that can be associated with them is more efficient.

    These articles will provide you further explanation about Risk assessment:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
    - ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

    These materials will also help you regarding Risk assessment:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Positive and negative risks

    Answer: The ISO 27005 approach toward negative risks was a decision of the committee responsible for the standard for the release of the current version (2011), based on the world's context at the time. For a risk management approach considering positive and negative risks, I suggest you take a look at ISO 31000, the ISO standard for risk management in general.

    This article will provide you further explanation about ISO 31000:
    - ISO 31000 and ISO 27001 – How are they related? https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/
  • Mitigating risk


    Answer: I am not sure I have understood your question correctly, but risk can be qualitative or quantitative, and you can mitigate it in both cases (and demonstrate this to an auditor by implementing security controls), because in both cases you are using a risk scale, and you can decide what the acceptable level of risk is. So, for example, if your acceptable risk level is Medium and you identify a High risk, you have to treat it (by implementing security controls). And the auditor may ask you: What is your acceptable risk level? or Why are you treating the high risk?

    This article may be of interest to you, “Qualitative vs. quantitative risk assessments in information security: Differences and similarities”: https://advisera.com/27001academy/blog/2017/03/06/qualitative-vs-quantitative-risk-assessments-in-information-security/

    Finally, remember that you have 4 mitigation options; for more information, please read this article, “4 mitigation options in risk treatment according to ISO 27001”: https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/
  • ISMS: Controls and measures

    Controls are procedures, equipment or technologies used to handle a risk, while measurements are the action of assigning values to a characteristic of an object or event, which can be compared with other objects or events. Broadly speaking, a control is what you do to handle a risk, and a measurement is what you do to obtain a value representing the result you get from the application of a control.

    But you have to take care with the word "measure / measures", because it can mean either the value you attribute to something (the result of a measurement) or a control (the meaning will depend on the context in which the word is used).

    As for the question – if all servers have this hardening guide applied, is this the control or is it just an audit – it is important to understand that an audit is a kind of control (a management control), used to ensure the controls used to handle the risks are being properly performed.

    This article will provide you further explanation about measurements:
    - How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/