Answer: The ISO 27001 Internal Auditor course prepares people to audit an ISMS against ISO 27001 so they can perform audits for their organizations, while the ISO 27001 Lead Auditor certification recognizes people who have competency in auditing an ISMS against ISO 27001 requirements and qualifies them to start the process of becoming a certification auditor.
The content of both the ISO internal auditor and ISO lead auditor courses can be useful to prepare someone for the CISA and CISSP certification exams, but otherwise they have no relation.
• Which policies / policies shall be present and which shall I recommend to apply?
• Which processes and procedures should support my approach to secure that we do as we say we will do as attendee?
• Which controls should I set up and carry out to check that we follow the processes and procedures?
Answer: First of all, sorry for the late answer.
Although ISO 27001 defines some common requirements that must be implemented by any organization (e.g., control of documents and records, internal audit, management review, etc.), more specific policies, processes, procedures and controls should be tailored to each organization's purposes and needs, as a result of risk assessments, so there is no definitive answer to your questions.
- In terms of policies, the mandatory one to be documented is the Information Security Policy. For network segregation you should consider at least an Access Control Policy and an Acceptable Use Policy, to help guide how these network groups are separated and how they can interact with each other. Other policies (related to ISO 27001 Annex A) should be defined considering the results of the risk assessment.
- In terms of processes and procedures, the mandatory one to be documented is the Risk Assessment and Risk Treatment Methodology. At least a change management process should be considered so you can ensure changes in network groups are properly authorized and implemented. Other processes and procedures should be defined considering the results of the risk assessment.
- To ensure the processes and procedures are being followed you have to keep records of the following: records of training, skills, experience and qualifications; monitoring and measurement results; internal audit program; results of internal audits; results of the management review; and results of corrective actions. Although there is no standard requirement for processes to be documented, you should consider implementing an internal audit procedure as a good practice.
I received this question:
Does every corrective action require a root cause analysis technique? I mean, if a finding is, let's say, not very serious, is it necessary to document that technique?
My answer:
The subject of corrective actions is as relevant in this new standard as in the previous version, and in fact root cause analysis remains the most important part of the corrective action process.
If you have identified that a problem is really serious, more than a simple nonconformity, then it is necessary to carry out a corrective action to prevent the problem from recurring. For this, it is necessary to apply a systematic process that ensures we do not forget anything along the way, and that is root cause analysis. In this technique it is essential that we not only deal with the problem superficially but carry out a more thorough analysis to find the true root cause.
If a problem is big enough to invest both time and resources in creating a corrective action, then it is important enough to ensure that the problem is corrected properly and stays corrected.
For more information you can read the following articles (available only in English):
- https://advisera.com/9001academy/blog/2013/10/27/seven-steps-corrective-preventive-actions-support-continual-improvement/
- https://advisera.com/9001academy/blog/2016/09/20/how-to-proceed-once-qms-corrective-action-is-defined/
In addition, the following resources may be useful in implementing the ISO 9001:2015 standard:
- Book "Preparación para el proyecto de implementación: Una guía en un lenguaje sencillo" (Preparing for the implementation project: A plain-language guide): https://advisera.com/books/preparacion-para-el-proyecto-de-implementacion-iso-una-guia-en-un-lenguaje-sencillo/
- Free online course: ISO 9001 Foundations Course https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
- Conformio (online tool for ISO 9001): https://advisera.com/conformio/
CROSS BORDER PERSONAL DATA TRANSFER PROCEDURE
Answer:
Most likely it is a typo; the document is meant to be a procedure. The document is more focused than a policy and goes more in depth regarding cross-border data transfers.
Company data vs. personal data
Answer:
Indeed, if you only deal with company data this would be out of the scope of the EU GDPR. However, consider that the EU GDPR will be applicable to your processing activities concerning your own employees, for which you are a data controller.
So, even if your main business activity deals exclusively with B2B customers, there might be some other processing activities that are subject to the EU GDPR.
Answer: The documents you bought do not include the Risk Assessment and Risk Treatment Methodology, the process you have to define to guide you in performing the risk assessment and risk treatment.
The question was whether the auditor must check if the controls are applied by collecting evidence, like making sure that the backup is done and the process is working, rather than just asking how it's done or just reviewing the process / procedure document. Or looking for AV logs, alerts, and evidence of how the alerts are handled rather than just checking that the system has an AV and there is a process for monitoring and handling the alerts. Basically, checking the effectiveness of the applied controls by checking evidence and gathering samples. Also, whether there are any ISO-relevant documents that talk about this topic.
Answer: The collection of evidence that confirms that the controls are being applied and working properly and according to what was planned is the core of an audit, so the auditor must complement their evaluation of policies and procedures and interviews with personnel with verification of samples of records defined by each process.
Regarding related ISO standards, I suggest you take a look at ISO 19011, the ISO standard about performing management system audits. You can find this standard at this link: https://www.iso.org/standard/50675.html
In terms of security measures, you should apply all necessary security measures to protect the personal data, considering the fact that you are processing health-related data, which is considered a special category of data; a good starting point is the use of ISO27001 as best practice. Our EU GDPR Toolkit has a folder containing a collection of security policies that would come in handy as well.
Don't forget about setting up a data breach management process, because you would need to notify the controllers in case of a data breach.
There is no general requirement for any kind of certification to conduct Internal Quality Audit training in-house. The only valid requirements are the ones demanded by your particular client of your training. Normally training clients require evidence of training as auditor, not necessarily IRCA certification, and evidence of experience. In some countries they also require a professional trainer certificate.
The following materials will provide you with details about training internal auditors: