Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11277 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Toolkit content ISO 27001
Answer: ISO 27001 does not require a document to cover clause 4.1, so to avoid unnecessary administrative effort there is no template for cover this clause in the toolkit.
This article will provide you further explanation about organizational context (although this is an ISO 27001 article the same concept applies to 22301):
- Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization) https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
2 - How can you best describe our organization’s risk appetite?
Answer: The risk appetite is the organization willingness to take risks, and accept some degree of impact. The risk appetite can be related, among other things, to organizational culture, top management mindset, the desired business outcomes, and the impacts related to disruptive incidents it considers acceptable to take.
This article will provide you further explanation about risk appe tite:
- Risk appetite and its influence over ISO 27001 implementation https://advisera.com/27001academy/blog/2014/09/08/risk-appetite-influence-iso-27001-implementation/
3 - How can you best describe the links between the business continuity policy and the organization’s objectives and other policies, including our risk management strategy?
Answer: The organization's objectives are the base for the business continuity policy, the other policies, and the risk management strategy.
Based on the organization's objectives the policies must be developed to ensure they can be achieved (in respect to the business continuity policy, the objectives will help drive the processes and resources to be implemented to ensure the continuity of activities that are related to the objectives). Regarding risk management, the organization's objectives will help the identification of the most relevant risks and how they should be treated.
These articles will provide you further explanation about objectives:
- Setting the business continuity objectives in ISO 22301 https://advisera.com/27001academy/blog/2014/02/17/setting-the-business-continuity-objectives-in-iso-22301/
- ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
- Aligning information security with the strategic direction of a company according to ISO 27001 https://advisera.com/27001academy/blog/2017/02/20/strategic-direction-of-a-company-according-to-iso-27001/
4 - How can you best describe the potential impact related to a disruptive incident with services, products, etc.
Answer: The best way to describe the impacts of disruptive incidents to the business is by performing a Business Impact Analysis, which will help you identify and demonstrate how business is impacted through time if a disruptive incident occurs.
These materials will provide you further explanation about BIA:
- How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
- Implementing Business Impact Analysis according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/implementing-business-impact-analysis-according-to-iso-22301-free-webinar-on-demand/ -
Legal review of GDPR documentation
Answer:
All the documents in the EU GDPR Toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ are designed not to be in conflict with EU Member State laws so from this perspective there in no risk.
However, there are certain areas where you would need to turn to local laws, for example in terms of retention periods there are maybe some specific requirements that will require you to keep certain record that may contain personal data for a specific period of time. For example, CCTV footage can be kept no longer than 30 days in certain jurisdiction such as Romania, Poland and Greece. So, my advice is once you have established your Data Retention Schedule to cross check with the local legal requirements.
Another aspect that may differ relates to Labor Law, in certain jurisdiction such as Germany certain processing activities involving employees personal data need to be brought to the at tention of the Work Counsels/Workers Union.
Also, keep an eye on local EU GDPR implementation acts that can add some local flavors to certain topics.
To learn more about the EU GDPR and its applicability in EU Member States see this free online training GRPR Foundations Course https://advisera.com/training/eu-gdpr-foundations-course// -
Data Transfer Agreement
Answer:
If your suppliers are within EU/EEA there is no need for any safeguards regarding transfers so, no Data Transfer Agreement is needed between controllers and processor that are in the EU/EEA.
However, the Data Processing Agreement which is the legal binding document establishing the obligations of the processors may need to be changed as there are certain requirements that are new and not covered by the current Data Protection Directive. In terms of processor obligations you might find useful the following article on our website : “EU GDPR Controller vs. Processor – What are the differences” https://advisera.com/eugd pracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/.
To learn more about the EU GDPR and cross border data transfers see this free online training GDPR Foundations Course https://advisera.com/training/eu-gdpr-foundations-course// -
Herramienta para calcular brecha con el RGPD
Respuesta: Claro, tenemos esta herramienta gratuita que te puede ayudar a determinar el nivel de cumplimiento con el RGPD europeo “EU GDPR Readiness Assessment” : https://advisera.com/eugdpracademy/eu-gdpr-readiness-assessment-tool/#
Y aquí también puedes encontrar otras herramientas gratuitas que puedes usar para el cumplimiento con el RGPD “Download free EU GDPR materials” : https://advisera.com/eugdpracademy/free-downloads/ -
Certificación ISO 27001 en un grupo empresarial
Respuesta: Ambas opciones son posibles, es decir, un grupo empresarial puede certificarse en ISO 27001, o cada compañía del grupo también puede certificarse en ISO 27001. Pero, si quieres obtener los beneficios del estándar a nivel de grupo, la primera opción sería la más recomendable.
Este artículo sobre los beneficios de la ISO 27001 puede ser interesante para ti “Four key benefits of ISO 27001 implementation” : https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
Y también este webinar gratuito “Beneficios de ISO 27001: Cómo obtener el apoyo de la Dirección” : https://advisera.com/27001academy/es/webinar/iso-27001-benefits-how-to-obtain-management-support-free-webinar-on-demand/ -
Competitors as interested parties?
Answer:
It is not normal to consider competitors as interested party of an organization. I would consider competitors as interested parties if, for example, they could be partners in research and development, or in the introduction of sectorial practices, or if they could be subcontracted for certain processes.
The following material will provide you information about interested parties:
- ISO 9001 – How to determine interested parties and their requirements according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/11/10/how-to-determine-interested-parties-and-their-requirements-according-to-iso-90012015/
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
Toolkit content
Answer: Please consider the information in the white paper. Current version of ISO 27001 do not require a documented procedure for control of documents and records. Regarding the differences between the templates and the information on the video tutorials we will verify this situation. -
ITSM and Business Continuity competencies
Answer: Considering ISO standards, for ITSM I recommend you the Lead Auditor course for ISO 20000, and for Business continuity I recommend the ISO 22301 Lead Auditor course. For ITSM an alternative source of qualification are ITIL courses. -
Certifications differences
Answer: The ISO 27001 Internal Auditor course prepares people to audit an ISMS against ISO 27001 so they can perform audits for their organizations, while the ISO 27001 Lead Auditor certification recognizes people who have competency on auditing an ISMS against ISO 27001 requirements and qualifies them to start the process to become a certification auditor.
Both contents for ISO internal auditor and ISO lead auditor can be useful to prepare someone for the CISA and CISSP certification exams, but otherwise they have no relation.
These articles will provide you further explanation about personal certifications:
- What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
- ISO 27001 Internal Auditor training – Is it good for my career? https://advisera.com/27001academy/blog/2016/03/29/iso-27001-internal-auditor-training-is-it-good-for-my-career/
- CISA vs. ISO 27001 Lead Auditor certification https://advisera.com/27001academy/blog/2015/05/11/cisa-vs-iso-27001-lead-auditor-certification/
These materials will also help you regarding audit training:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- ISO 27001 Lead Auditor Course preparation training [free webinar on demand] https://advisera.com/training/iso-27001-lead-auditor-course/
- ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/ -
Becoming compliant with ISO 27001
• Which policies / policies shall be present and which shall I recommend to apply?
• Which processes and procedures should support my approach to secure that we do as we say we will do as attendee?
• Which controls should I set up and carried out to check that we follow the processes and procedure?
Answer: First of all, sorry for the late answer.
Although ISO 27001 defines some common requirements that must be implemented by any organization (e.g., control of document and records, internal audit, management review, etc.), more specific policies, processes, procedures and controls should be tailored by each organization's purposes and needs, as result of risk assessments, so there is no definitive answer to your questions.
- In terms of polices, the mandatory one to be documented is the Information security policy. For network segregation you should consider at least an Acce ss Control Policy and an Acceptable Use Policy, to help guide how these network groups are separated and how they can interact with each other. Other policies (related to ISO 27001 Annex A), should be defined considering the results of risk assessment
- In terms of processes and procedures, the mandatory one to be documented is Risk assessment and risk treatment methodology. At least a change management process should be considered so you can ensure changes in network groups are properly authorized and implemented. Other processes and procedures, should be defined considering the results of risk assessment
- To ensure the processes and procedure are being followed you have to keep records of the following: Records of training, skills, experience and qualifications, Monitoring and measurement results, Internal audit program, Results of internal audits, Results of the management review, and Results of corrective actions. Although there is no standard requirement for processes to be documented, you should consider implementing as a good practice an internal audit procedure.
These articles will provide you further explanation about implementing ISO 27001 and network related controls:
- WHAT IS ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
- List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
- Requirements to implement network segregation according to ISO 27001 control A.13.1.3 https://advisera.com/27001academy/blog/2015/11/02/requirements-to-implement-network-segregation-according-to-iso-27001-control-a-13-1-3/
- How to manage the security of network services according to ISO 27001 A.13.1.2 https://advisera.com/27001academy/blog/2017/02/13/how-to-manage-the-security-of-network-services-according-to-iso-27001-a-13-1-2/
- How to manage network security according to ISO 27001 A.13.1 https://advisera.com/27001academy/blog/2016/06/27/how-to-manage-network-security-according-to-iso-27001-a-13-1/
These materials will also help you regarding implementing ISO 27001 and network related controls:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/