Answer: Each toolkit includes a List of Documents file that maps each template to the requirements it covers. On the web page of each toolkit you can access its respective List of Documents file, so you can identify the toolkit content and the requirements covered.
Answer: ISO 27001 does not require a document to cover clause 4.1, so to avoid unnecessary administrative effort there is no template to cover this clause in the toolkit.
2 - How can you best describe our organization’s risk appetite?
Answer: The risk appetite is the organization's willingness to take risks and accept some degree of impact. The risk appetite can be related, among other things, to organizational culture, top management mindset, the desired business outcomes, and the impacts related to disruptive incidents that it considers acceptable to take.
3 - How can you best describe the links between the business continuity policy and the organization’s objectives and other policies, including our risk management strategy?
Answer: The organization's objectives are the basis for the business continuity policy, the other policies, and the risk management strategy.
Based on the organization's objectives, the policies must be developed to ensure the objectives can be achieved (with respect to the business continuity policy, the objectives will help drive the processes and resources to be implemented to ensure the continuity of the activities that are related to the objectives). Regarding risk management, the organization's objectives will help the identification of the most relevant risks and how they should be treated.
4 - How can you best describe the potential impact related to a disruptive incident with services, products, etc.?
Answer: The best way to describe the impacts of disruptive incidents to the business is by performing a Business Impact Analysis, which will help you identify and demonstrate how business is impacted through time if a disruptive incident occurs.
However, there are certain areas where you would need to turn to local laws; for example, in terms of retention periods there may be some specific requirements that will require you to keep certain records that may contain personal data for a specific period of time. For example, CCTV footage can be kept no longer than 30 days in certain jurisdictions such as Romania, Poland and Greece. So, my advice is, once you have established your Data Retention Schedule, to cross-check it with the local legal requirements.
Another aspect that may differ relates to Labor Law: in certain jurisdictions such as Germany, certain processing activities involving employees' personal data need to be brought to the attention of the Works Councils/Workers' Unions.
Also, keep an eye on local EU GDPR implementation acts that can add some local flavors to certain topics.
If your suppliers are within the EU/EEA there is no need for any safeguards regarding transfers, so no Data Transfer Agreement is needed between controllers and processors that are in the EU/EEA.
However, the Data Processing Agreement, which is the legally binding document establishing the obligations of the processors, may need to be changed, as there are certain requirements that are new and not covered by the current Data Protection Directive. In terms of processor obligations you might find useful the following article on our website: “EU GDPR Controller vs. Processor – What are the differences” https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/.
Answer: Both options are possible, that is, a corporate group can be certified against ISO 27001, or each company in the group can also be certified against ISO 27001. But if you want to obtain the benefits of the standard at group level, the first option would be the most recommendable.
It is not normal to consider competitors as an interested party of an organization. I would consider competitors as interested parties if, for example, they could be partners in research and development, or in the introduction of sectorial practices, or if they could be subcontracted for certain processes.
The following material will provide you with information about interested parties:
Answer: Please consider the information in the white paper. The current version of ISO 27001 does not require a documented procedure for control of documents and records. Regarding the differences between the templates and the information in the video tutorials, we will verify this situation.
ITSM and Business Continuity competencies
Answer: Considering ISO standards, for ITSM I recommend the Lead Auditor course for ISO 20000, and for Business Continuity I recommend the ISO 22301 Lead Auditor course. For ITSM, an alternative source of qualification is ITIL courses.