I was looking for a policy regarding Security in the HR & recruitment process.
Does that exist?
Answer: Unfortunately we do not have a security policy for HR and recruitment processes - this is because such a document is not mandatory, and for smaller companies (our target market) it is not very common. I'm not sure about the size of your company, but if you are smaller than 100 employees, such a document would probably be overkill for you.
Of course, you can always schedule a meeting with our expert, who will explain to you how to write such a policy if you feel it is needed.
ISMS scope
Answer: If you want to integrate your ISO 9001 with ISO 27001, most of the companies I know commonly have the same scope for both standards; therefore, if you have defined a scope for ISO 9001, you can define the same scope for ISO 27001. In any case, our recommendation is that the scope of ISO 27001 be the whole organization.
Answer: Although ITIL/ISO 20000 and ISO 27001 cover different domains, they have a considerable overlap that requires any organizational units working with them to work together. For example, ITIL/ISO 20000 must integrate information security requirements in its implementation. Regarding ISO 27001, when defining which information to protect and how, the characteristics of the IT environment should be considered in order to define the best approach.
All is well but I feel I have misinterpreted the Exercising and Testing Plan. Now this document has a specific drill for a specific date in it. Should it be more like an annual schedule of different exercises and their periods instead?
Answer: Your assumption is correct. The purpose of this template is to determine the annual schedule of multiple exercises, so you can have a general overview of all exercises you have to perform in the period, but nothing prevents you from using this document for a single test to be performed in a single period.
Thank you so much for your explanation. It really helps me to understand more about ISO.
Extension of scope
Answer:
If your present scope already includes distribution and commercialization of your product, I would check whether it is clear about the geographical scope of activities, to avoid misleading information. Regarding the process mapping, I would consider the relevant activities carried out in the UK and check whether different processes are needed.
The standard doesn't require any document to be created regarding the context. However, if you decide to document it, there are two aspects of the requirements for the context of the organization that need to be considered.
The first is to decide whether to document the process of determining the context of the organization, meaning to develop the procedure where you will define who is responsible for determining the context, how often the context is considered, what elements of the context will be analyzed, etc. Here you can download a free preview of our Procedure for Determining Context of the Organization and Interested Parties: https://advisera.com/14001academy/documentation/procedure-for-determining-context-of-the-organization-and-interested-parties/
The second is to decide how to document the result of the analysis of the context, or the context itself. Documenting the entire context can be overwhelming and tedious, so my suggestion is to use some simple record that will contain only the crucial information about the context. For example, if you decide to apply a SWOT or PEST analysis for determining the context, you can create only the record of the analysis, and this can be sufficient. In addition to this record, you should also create a list of interested parties and their needs and expectations. Here you can download a free preview of our List of Interested Parties, Legal and Other Requirements: https://advisera.com/14001academy/documentation/list-of-legal-and-other-requirements/
Is life-cycle analysis necessary for ISO 14001 implementation?
Answer:
LCA (life-cycle analysis) is required by the standard during the assessment of environmental aspects and their impacts. The organization needs to identify life-cycle stages of its product or service and assess environmental aspects emerging in each stage and define appropriate controls for each significant environmental aspect.
2. What changes can be proposed as part of remediation plan (some examples will be enough)?
3. Data Mapping and how to conduct this?
4. And any other information which I could add to my CV to get the role. Obviously, once I get the role, I will be contacting you for your help (and will pay your fee for your assistance). But in order to get the job of BA for GDPR, I need this information.
Answers:
1. A Data Protection Impact Assessment is basically an assessment of the likelihood and severity of risks to the rights and freedoms of individuals resulting from a processing operation. Data controllers will be required to undertake DPIAs prior to data processing - in particular processing using new technologies - which is likely to result in a high risk to the rights and freedoms of individuals (Article 35 - Data protection impact assessment - https://advisera.com/eugdpracademy/gdpr/data-protection-impact-assessment/).
The EU GDPR provides a non-exhaustive list of cases in which DPIAs must be carried out:
- automated processing for purposes of profiling and similar activities intended to evaluate personal aspects of data subjects (e.g. automatic credit checking performed by banks or other financial institutions);
- processing on a large scale of special categories of data or of data relating to criminal convictions and offences (e.g. processing of mental information by a psychiatric clinic);
- systematic monitoring of a publicly accessible area on a large scale (e.g. CCTV).
Delete this item if control A.9.2.1 is marked as inapplicable in the Statement of Applicability
This implies that Access Control may not be mandatory. However, it seems a bit against the principles of ISO 27001 to disregard Access Control to information assets. The documentation I find elsewhere seems to indicate that this is in fact mandatory.
Would you care to elaborate on that, for me, please?
Answer: A control from Annex A must be applied only if one of the following occurs:
- There are risks identified as unacceptable in the risk assessment that require the implementation of the control
- There are legal requirements (e.g., laws, regulations, contracts, etc.) that require the implementation of the control
- There is a top management decision requiring the implementation of the control
If none of these occurs, there is no need to implement a control as far as ISO 27001 requirements are concerned.