Answer: Basically you have to ask questions based on the standard's requirements, to identify whether they are being met or not.
For example, for requirements such as "The organization shall determine...", the question should be "Did the organization determine...". For requirements such as "The organization shall consider", the question should be "Did the organization consider...", and so on.
This simple questionnaire will help you and your client to visualize which specific elements of an information security management system he has already implemented, and what he still needs to do.
EU GDPR questions
2. How long do we keep the log files for? Also, if an unmanaged customer stops the service and asks for deletion of all data and the VPS (I guess we are obliged to delete everything, but if that customer was dealing in unlawful activities and the police ask for information we won't have any to give). How does this work?
3. If a customer complains about a breach on their website that is handled by them on a shared hosting platform, are we required to have tools that will identify such a breach and where it came from? Now we use tools to prevent this from happening, such as brute-force attacks, SQL injection, etc.
4. Just to add further the data we ask and keep for Billing purposes for the customers is as follows:
Company Name, Contact Name, Address, V.A.T number, Email address
We use the above only for billing and to email them about maintenance and invoices. Are the above considered personal data, as all of this can be found on their website? We don't provide this info to 3rd parties.
Answers:
1. All documents except for the ones in folder 4 “Managing Data Subject Rights” can be used by both processors and controllers so we strongly suggest you go through all of them. Also, there is a document called List of Documents EU GDPR Toolkit where you can find out which documents are mandatory according to the EU GDPR.
2. Regarding the retention period, the EU GDPR in Article 5 - Principles relating to processing of personal data (https://advisera.com/gdpr/principles-relating-to-processing-of-personal-data/) states that personal data shall not be kept for "longer than is necessary for the purposes for which the personal data are processed". This means that controllers have to delete the data once it is no longer needed for processing, unless there is a specific legal requirement that allows them to keep it for longer (e.g., regulatory compliance). As far as your activity as a processor goes, the retention periods should be defined by the controllers and communicated to you. If a managed services customer asks you to delete the data, you first need to assess whether you can comply with the request or not by assessing the local legislation, and if there is no reason to hold on to the data for longer you can delete it.
3. Your platform should be designed to prevent and detect data breaches. However, if the data breach originates from a customer, it is the duty of the customer to detect and report the breach when necessary (EU GDPR Article 33 - Notification of a personal data breach to the supervisory authority - https://advisera.com/eugdpracademy/gdpr/notification-of-a-personal-data-breach-to-the-supervisory-authority/; EU GDPR article - Communication of a personal data breach to the data subject - https://advisera.com/eugdpracademy/gdpr/communication-of-a-personal-data-breach-to-the-data-subject/). If the customer has a breach on their website, it is their duty to deal with that and notify the appropriate entities; you, however, if acting as a processor, might be required to assist.
4. The contact name and email address (provided they belong to an individual) on invoices are personal data. Usually invoices have to be kept by companies for regulatory compliance for periods of up to 15 years. You should check your local legislation (usually the Tax Code) to see what the retention period for invoices is.
The identification method used in cases of DSARs depends on various factors such as the information you hold about the data subject as well as how the DSAR was received.
For example, if the data subject sends the request via email and the email address is already in your database because it was provided by the data subject, you can safely assume that the data subject is the one sending the email. If you receive the request via telephone you can just ask the data subject some ID verification questions, the same as banks do (e.g., the last recorded address, the social security number, etc.).
One easy way is to establish a set of identification questions to be used to check the ID of the data subjects whenever a request is received. If the request comes from another person than the data subject, you need to ask for an authorization from the data subject by which he/she empowers another party to submit a DSAR on his/her behalf.
To learn more about how to handle DSARs you can book a seat at our webinar - Data Subject Rights under the EU GDPR - https://advisera.com/eugdpracademy/webinar/data-subject-rights-under-the-eu-gdpr-free-webinar-on-demand/
You can also check out our EU GDPR Foundations Course https://advisera.com/training/eu-gdpr-foundations-course/
Processes and procedures
Answer: According to the philosophy of ISO 9000, a procedure is a specific way of carrying out a process, so there is not much difference with respect to procedures, and you could therefore use the article you mention to implement processes.
Would we have a scope of the entire organisation, but exclude physical management and operation of the Helpdesk/Monitoring system and ensure some sort of ISO compliance from the Datacenter provider? I assume we would then write a policy for our staff access to the Datacenter/Helpdesk and Monitoring system and have defined roles?
Answer: I'm assuming that by excluding physical management and operation of the Helpdesk/Monitoring system you are referring to focus only on using the Helpdesk/Monitoring system (like a Software as a Service - SaaS).
Considering that, for the relation with the datacenter provider you should consider a service agreement, establishing clauses to ensure it will apply the security controls you require for your business (e.g., based on ISO 27001 and ISO 27017). These clauses should cover not only the policy for your staff to access the Datacenter/Helpdesk and Monitoring system and necessary roles, but also refer to other controls, like your right to audit the provider operation and receive periodic performance reports.
Answer: We provide documentation toolkits to support implementation of ISO 27001, and included in the toolkit you can schedule meetings with one of our experts so he can help you overcome potential difficulties. Additionally, you can send filled documents for review, and we will answer with orientations on how to improve them so they can become ISO compliant.
3- And, is there any common knowledge on the cost?
Answer: There are a significant number of variables to be considered when estimating an implementation cost, so without more detailed information it's not possible to give a precise value. What I can tell you about are some cost issues you should consider:
- Training and literature
- External assistance
- Technologies to be updated / implemented
- Employee's effort and time
- The certification process
Answer: I'm assuming you are referring to the ISO 27001 Lead Auditor certification. Considering that, a certified lead auditor can audit a company to verify if it is ISO 27001 compliant, but only audits performed by auditors in the name of certification bodies are considered valid as a formal recognition that an organization is ISO compliant.
Answer: In a general way, the benefits of ISO 27001 are related to:
- Enhanced competitive edge
- Reduction of losses due to security incidents
- Reduction of fines due to legal or contractual non-conformity
- Improvement of internal organization
Answer: I'm assuming you are referring to ISAE 3402, an assurance standard. Considering that, you must first evaluate your needs regarding compliance with legal requirements (e.g., laws, regulations and contracts). If you need to comply with multiple legal requirements, then ISO 27001 has a more comprehensive approach (it requires you to identify, evaluate and treat all requirements that can impact your organization in terms of information security, while ISAE 3402 focuses on documenting that an organization has adequate internal controls, generally approached from a financial perspective).
Answer: It is perfectly possible to combine ISO 27001 and ISO 9001 internal audit processes, since both standards have a lot of requirements in common (the requirements for internal audit in both standards are practically the same).
2. Is it mandatory for the author of the security policies and procedures to have appropriate training? Shall he/she be a certified internal auditor?
Answer: ISO 27001 requires that people with roles in ISO 27001 must have proper competencies, which can be fulfilled by means of training, education or experience, so it is not mandatory for the author of security policies to have related training if he can demonstrate by other means (e.g., experience) that he has the necessary competence to elaborate the policies. The same applies to the need for a certified internal auditor.
3. Where shall I document the applicable legislation for the company?