  • Mitigating risk


    Answer: I am not sure I have understood your question correctly, but risk can be qualitative or quantitative, and you can mitigate it in both cases (and demonstrate this to an auditor by implementing security controls), because in both cases you are using a risk scale and you can decide what the acceptable level of risk is. So, for example, if your acceptable risk level is Medium and you identify a High risk, you have to treat it (by implementing security controls). And the auditor may ask you: What is your acceptable risk level? or Why are you treating the high risk?

    This article may be of interest to you, “Qualitative vs. quantitative risk assessments in information security: Differences and similarities”: https://advisera.com/27001academy/blog/2017/03/06/qualitative-vs-quantitative-risk-assessments-in-information-security/

    Finally, remember that you have 4 mitigation options; for more information, please read this article, “4 mitigation options in risk treatment according to ISO 27001”: https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/
  • ISMS: Controls and measures

    Controls are procedures, equipment or technologies used to handle a risk, while measurements are the actions of assigning values to a characteristic of an object or event, which can then be compared with other objects or events. Broadly speaking, a control is what you do to handle a risk, and a measurement is what you do to obtain a value representing the result you get from applying a control.

    But you have to be careful with the word "measure / measures", because it can mean either the value you attribute to something (the result of a measurement) or a control (the meaning will depend on the context in which the word is used).

    As for the question "if all servers have this hardening guide applied – is this the control or is it just an audit?", it is important to understand that an audit is a kind of control (a management control), used to ensure that the controls used to handle the risks are being properly performed.

    This article will provide you with further explanation about measurements:
    - How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/
  • Gap Analysis


    Answer:
    You can perform a GAP Analysis or perform an internal audit, either to check whether ISO 9001 requirements are followed, or to check whether what the paperwork says is followed.

    The following material will provide you information about the GAP analysis:

    - ISO 9001 – Should you use a gap analysis in your ISO 9001 implementation? - https://advisera.com/9001academy/17/use-gap-analysis-iso-9001-implementation/
    - Gap analysis vs. internal audit in ISO 9001 - https://advisera.com/9001academy/blog/2015/02/17/gap-analysis-vs-internal-audit-iso-9001/
    - Free ISO 9001:2015 Gap Analysis Tool - https://advisera.com/9001academy/iso-9001-gap-analysis-tool/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Selling consulting services


    Answer:

    In your proposal you want to be clear to your potential customer about the outcomes of the project, about what kind of resources you need from the customer to execute the project (a Project responsible from the customer side, team members with time to work on the project), about the duration of the project and about the price that you will charge, and the terms of payment.

    The following material will provide you information about writing a Project Plan and selling consulting services:

    - ISO 9001 – Project proposal for ISO 9001 Implementation - https://info.advisera.com/9001academy/free-download/project-proposal-for-iso-9001-implementation-ms-powerpoint
    - How to sell your ISO 9001 consulting services - https://advisera.com/9001academy/blog/2017/06/20/how-to-sell-your-iso-9001-consulting-services/
    - Free webinar – How to sell ISO consulting services - https://advisera.com/9001academy/webinar/how-to-sell-iso-consulting-services-free-webinar-on-demand/
  • ISO9001: Integrating QMS and Business Processes


    Answer:

    The key to integrating the business processes and QMS processes is to first identify what the business needs are (a SWOT analysis is recommended), which will allow you to identify your strategic company direction. From this you can then create your quality objectives to support your business needs, thus aligning your quality objectives to your strategic direction.

    Once these quality objectives are created they can be integrated into your business processes so that the processes you use to run your business link to your overall business objectives. For instance, if you have a quality objective for improving on-time delivery, you can then have objectives and measurables for the important business processes to meet, to ensure this on-time delivery is improved.

    For more information, see this article on writing quality objectives: https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
  • ISO 27001: for individuals and companies?


    Answers: Regarding the first question, ISO 27001 certification is really for companies, although an individual can also obtain a qualification in ISO 27001 (as an auditor or as an implementer). This article may be of interest to you, “Lead Auditor Course vs. Lead Implementer Course - Which one to go for?”: https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/

    And also this one, "ISO 27001 certification for persons vs. organizations": https://advisera.com/27001academy/iso-27001-certification/

    Regarding the second question, if your company wants to implement ISO 27001, or your company wants to offer services related to ISO 27001, you can obtain knowledge about this standard with courses such as the ones I mentioned above, and the organization will probably be interested in paying for the course, because it can be a business opportunity for them (a company always needs a benefit). This article may be of interest to you, “How to become an ISO 27001 / ISO 22301 consultant”: https://advisera.com/27001academy/blog/2014/07/21/how-to-become-an-iso-27001-iso-22301-consultant/

    Regarding the third question, the courses I know of generally last around 15-20 hours, which you can complete in 1 or 2 weeks. Regarding the cost, I am sorry, but it depends on the company; there are many companies offering these courses and prices vary widely. In any case, these free courses may interest you:

    “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/

    “ISO 27001:2013 Internal Auditor Course” : https://advisera.com/training/iso-27001-internal-auditor-course/

    Finally, here you can find free resources that you can use to learn the basic principles of ISO 27001, and you can use them to start working in this sector: https://advisera.com/27001academy/es/descargas-gratuitas/
  • Standard list of types of personal data


    Answer:

    You could use the following taxonomy as a reference because there is no standard list.

    List of the type of data:
    - Personal master data (e.g. name, surname, date of birth)
    - Communication data (e.g. telephone, e-mail, address)
    - Contract master data (contractual relationship, product or contract interest)
    - Customer history
    - Contractual invoicing and payment data
    - Planning and control data
    - Academic and professional data (training / qualifications, professional experience).
    - Employment details (work center, job position and department)
    - Employee disciplinary sanction
    - Compensation and benefits data
    - IP addresses
    - Transaction Data
    - Location Data (GPS coordinates)
    - Others………….. (please describe)
    Sensitive Data:
    - Racial or ethnic origin
    - Political opinions, religious or philosophical beliefs
    - Trade union membership
    - Genetic data
    - Biometric data
    - Health data
    - Sex life or sexual orientation
    - Criminal record
    Data subjects:
    - Customers (including the main cardholder and other cardholders)
    - Employees
    - Trainees
    - Suppliers
    - Suppliers' employees
    - Website visitors
    - Consultants and sales agents
    - Others: ……. (please describe)
  • QMS implementation priority


    Answer:

    Based on my personal experience I cannot agree that there is one universal answer. Some parts/components of a QMS will deliver faster results when organizations are in a certain situation, other parts/components of a QMS will deliver faster results when organizations are in another situation. Presently, I can remember the case of an SME with too much demand where starting with the process approach was critical to avoid losing customers, and I can remember the case of another SME, with not enough demand, where starting with a strategic orientation and customer focus was critical to find a direction, a purpose. Perhaps you could design 2/3 situations an SME can be in and study patterns for each situation.

    The following material will provide you information about QMS implementation:

    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Process for changing purpose


    Answer:

    If you are going to use the collected personal data for another purpose than the initial one, this means that the data subject will not have been informed about this new purpose, thus the requirements of EU GDPR article 13 (1)(b) - Information to be provided where personal data are collected from the data subject (https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-are-collected-from-the-data-subject/) will not be complied with.

    So, if you identify a legitimate interest for that specific processing activity and you can provide the updated information via a Privacy Notice.

    However, if you cannot rely on legitimate interest you could turn to consent, although it is not the most reliable of the legal grounds. Note that the consent needs to be informed, thus the same information as in the Privacy Notice needs to be provided.

    You might find the following article useful “Is consent needed? Six legal bases to process data according to GDPR” https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/ as well as our webinar on “Privacy Notices under the EU GDPR” https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/
  • Implementation steps


    Answer: Robust implementation approaches include diagnosis, definition of a plan, and time effectively dedicated to implementation of the solution. As for the certification step, this can vary according to the purposes of the organization (some of them only wish to implement the standard's practices while others want to go all the way and achieve certification).

    I suggest you to take a look at our ISO 27001/ISO 22301 Implementation Duration Calculator at this link: https://advisera.com/27001academy/free-tools/free-calculator-duration-of-iso-27001-iso-22301-implementation/

    This tool can help you estimate the implementation duration considering your company scenario.

    This article will provide you further explanation about ISO 27001 implementation steps:
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

    These materials will also help you regarding ISO 27001 implementation steps:
    - Preparations for the ISO Implementation Project: A Plain English Guide https://advisera.com/books/preparations-for-the-iso-implementation-project-a-plain-english-guide/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
