Search results

Home / Search

Category:
Select
Select

11269 results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Certification process


    Answer: The proper approach to be considered should take into account your internal expertise, available resources and time to become certified. The following material will help you identify the proper approach to your organization: 3 strategic options to implement any ISO standard https://advisera.com/blog/2016/04/11/3-strategic-options-to-implement-any-iso-standard/

    Regarding the adoption of our toolkits, included in the price you can send documents for us to review for no additional cost (the quantity of documents you can send will depend on the type of the toolkit you buy). For an overview of our toolkit, please access this link: https://advisera.com/27001academy/product-tour/

    For training and awareness, our site pro vides blog posts, papers and other content free of charge.

    To have a better idea about the costs of implementation, please read this paper: How to Budget an ISO 27001 Implementation Project https://info.advisera.com/27001academy/free-download/how-to-budget-an-iso-27001-implementation-project

    2. What are the recommended trainings for staff when implementing 27001? What are the costs of such training and are they available online considering that we are based in Nigeria?

    Answer: For staff implementing ISO 27001 you should consider at least an ISO 27001 interpretation course. For other personnel you should consider trainings about backup, access control, anti virus, etc. For more information, please consult the following material:
    - 8 Security Practices to Use in Your Employee Training and Awareness Program https://advisera.com/27001academy/blog/2015/03/02/8-security-practices-to-use-in-your-employee-training-and-awareness-program/
    - How to perform training & awareness for ISO 27001 and ISO 22301 How to perform training & awareness for ISO 27001 and ISO 22301

    Regarding costs, you should consult training providers to identify costs. About Advisera's courses, they are free of charge to attend (you only have to pay for the certificate). To see courses provided by Advisera, please access this link: https://advisera.com/training/

  • GDPR: Right to be forgotten and backups


    What is your take and solution to this problem? What formulations could I include in our GDPR policies, and in which documents (policies, notices, schedules etc) in the toolkit should I include formulations in order to be compliant?

    Answer:

    Let begin with some considerations about the right to be forgotten as set up in EU GDPR “article 17 Right to erasure (‘right to be forgotten’)” https://advisera.com/eugdpracademy/gdpr/right-to-erasure-right-to-be-forgotten/

    You must comply with an erasure request where:
    - the data subject ha s objected to the processing and (other than in relation to objections to direct marketing) there are no overriding legitimate interests to justify that processing;
    - the personal data is no longer needed for the purpose for which it was collected or processed;
    - the individual withdraws consent and there are no other grounds for the processing;
    - the personal data is unlawfully processed ;
    - there is a legal obligation under Union or Member State law to erase the personal data; or
    - personal data was processed in connection with an online service offered to a child.

    You do not need to comply if the processing is:
    - necessary for rights of freedom of expression or information;
    - for compliance with a legal obligation under Union or Member State law;
    - in the public interest or carried out by an official authority;
    - for public interest in the area of public health;
    - for archiving or research; or
    - for legal claims.

    So before considering erasing the data, you should perform an assessment based on the information provided above.

    However, if you find yourself in the situation where the erasure request is valid you need to comply with it or prove that you did your best to comply regardless if the data is stored locally or elsewhere.

    You can learn more about data subject rights by going through our article “8 data subject rights according to GDPR” https://advisera.com/eugdpracademy/knowledgebase/8-data-subject-rights-according-to-gdpr/

  • Certificaciones de una proveedor cloud


    Respuesta: Generalmente te diría que si, porque la mayoría de proveedores cloud que conozco tienen una infraestructura IT segura, aunque te recomiendo que busques proveedores que cumplan con estándares como por ejemplo ISO 27017 que es para servicios cloud, o ISO 27018 que es para la protección de la privacidad en la nube. También es importante considerar certificaciones como CSA, CCM, o inclusive ISO 27001 o ISO 20000. Por tanto, te recomiendo servicios que sean gestionados por proveedores con estos estándares, porque pueden darte una seguridad o una confianza de que tu información está a salvo en la nube. Este artículo te puede resultar interesante “ISO 27001 vs. ISO 27017 - Information security controls for cloud services” : https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/

    Y también este otro “ISO 27001 vs. ISO 27018 - Standard for protectin g privacy in the cloud” : https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/

  • Privacy Statement


    Answer:

    As required by EU GDPR article 13 “Information to be provided where personal data are collected from the data subject” (https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-are-collected-from-the-data-subject/) you need to provide to the data subject with “Identity and the contact details of the controller” regardless if the controller is an individual or a legal entity. As for a controller which is owned by a Holding company you just need to specify the details for the controller.

    Regarding your next query, if you are not collecting or processing personal data there is there is no requirement in the EU GDPR that you provide such information.

    You might find our webinar on ” Privacy Notices Under the EU GDPR” (https: //advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/) useful for your tasks ahead.

  • Training manuals and QMS documents


    Answer:

    Those training manuals are useful now because of the implementation of a new database. Will they still be useful in the future to train, to integrate new workers? If the answer is no, the training manuals will be of short time usefulness and I would not include them in the QMS documents. If the answer is yes, I start to see them as a kind of work instructions to be used in the future by whoever has doubts about the database operation, and in that case I would include them as QMS documents.

    The following materials will provide you details about work instructions:

    - Article - How to structure work instructions in the ISO 9001 QMS - https://advisera.com/9001academy/blog/2015/06/16/how-to-structure-work-instructions-in-the-iso-9001-qms/

    - [free course] ISO 9001:2015 Foundations Course - https://tr aining.advisera.com/course/iso-90012015-foundations-course/

    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Starting with the documentation


    Answer:

    You can always start filling in the EU GDPR Readiness Assessment Questionnaire which will give you an overview of your current compliance status. The EU GDPR Readiness Assessment Questionnaire can be found in folder 1 of the EU GDPR Toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ Alternatively, you can use our EU GDPR Readiness Assessment Tool which you can find at https://advisera.com/eugdpracademy/eu-gdpr-readiness-assessment-tool/

    After performing the Assessment and setting up your project plan and project team you can start working through the documents in the order in which they are presented in the Toolkit. Make sure that you also consult the “List_of_documents_EU_GDPR_Documentation_Toolkit” so you can see which are the mandatory documents that you need to have (although we encourage our customers to consider all documents and not only the mandatory ones).

    There are al so several materials available on Advisera website that you might find useful in your future tasks:
    - Article: “9 steps for implementing GDPR” (https://advisera.com/articles/9-steps-for-implementing-gdpr/);
    - Webinar: “How to use a Documentation Toolkit for the implementation of EU GDPR” (https://advisera.com/eugdpracademy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-eu-gdpr-free-webinar-on-demand/)

  • Division of tasks


    Notwithstanding the workload, do you think this is feasible or are there any potential conflicts of interest here?

    Answer: A single person to manage such scope (considering the different systems, number of personnel and multiple offices), may compromise the systems effectiveness, because not only the common aspects of the systems (e.g., control of documents, internal audit, processes and controls monitoring, etc.), but the specific activities required by each system (risk assessment, business impact analysis, and processes monitoring), and support required by employees can easily overload a single person time and capacity.

    You should consider at least another person to assume part of the tasks.

  • Shared resources


    Asset name: Network locker (NO Office)
    Threat: Information interception
    Vulnerability: Switch Locker is shared with other companies
    Consequence(0 to 3): 2
    Likelihood(0 to 3): 3

    The neighboring office (and anyone with access) has access to the locker through a door that can only be locked from their side. The people that are responsible for the building, will apparently install an alarm that will go off if anyone opens the door, however we are not very happy about that as a solution, and we’d much rather be able to control exactly who has access to the locker.

    ?Do you have any suggestion that u can give us?

    Answer: Considering the scenario you described, you should try to establish with the people that are responsible for the building an agreement specifying the security controls they need to implement (e.g., install an alarm, give you the key to the locker, etc.). If this solution is not possible, other alternatives you should consider are:
    - Implement a separate switch/network
    - Implement cryptography to protect communication between the computers in your network and to protect you files.
    - Implement access control into the shared folders in your network.

    The last alternative in terms of risk management is to accept the risk (and do nothing), and to avoid the risk (e.g., by stopping using the switch).

    This article will provide you further explanation about handling suppliers:
    - 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

  • ISO 27001 implementation project


    Answer: The first and most critical step is to get management support for the project. Implementing information security will need resources in terms of people, material and capital, and most of all, it involves cultural change, and for that you will need top management support and involvement.

    To help you with Top Management, I suggest you to use our Project proposal for ISO 27001 / ISO 22301 implementation and Project plan for ISO 27001 / ISO 22301 implementation that you can find at these links:
    - https://info.advisera.com/27001academy/free-download/project-proposal-for-iso-27001-iso-22301-implementation-msword
    - https://info.advisera.com/27001academy/free-download/project-plan-for-iso-27001-iso-22301-implementation

    These documents can be adjusted to your organization context and can help you explain the importance of ISO 27001 to the business and how the implementation should be conducted.

    Regarding the gap asses sment phase, I suggest you to take a look at our Free ISO 27001 Gap Analysis Tool at this link: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/

    Its question-and-answer format allows you to visualize which specific elements of an information security management system you’ve already implemented, and what you still need to do.

    These articles will provide you further explanation about implementation steps:
    - What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
    - ISO 27001 project – How to make it work https://advisera.com/27001academy/blog/2013/04/22/iso-27001-project-how-to-make-it-work/
    - Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/

    These materials will also help you regarding implementation steps :
    - Preparations for the ISO Implementation Project: A Plain English Guide https://advisera.com/books/preparations-for-the-iso-implementation-project-a-plain-english-guide/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - ISO 27001: An overview of the ISMS implementation process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001-overview-isms-implementation-process-free-webinar-demand/
    - Seven key problems to avoid in ISO 27001 implementation [free webinar on demand] https://advisera.com/27001academy/webinar/seven-key-problems-to-avoid-in-iso-27001-implementation-free-webinar-on-demand/

  • Applicability of controls


    Answer: A control from Annex must be applied only if one of the following occurs:
    - There are risks identified as unacceptable in the risk assessment that require the implementation of the control
    - There are legal requirements (e.g., laws, regulations, contracts, etc.) that require the implementation of the control
    - There is a top management decision requiring the implementation of the control

    If none of these occurs there is no need to implement a control considering ISO 27001 requirements (what occurs in fact is that hardly one of these won't happen regarding incident management - is extremely rare that a company does not have any control from section A.16). Since you did not provide the justification for exclusion in your documen t it is not possible to evaluate is the exclusion acceptable or not (at the beginning of the document, about control A.6.1.1, there is a comment about the same issue - justification for inclusion/exclusion).

    This article will provide you further explanation about risk assessment:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
Page 797-vs-13485 of 1127 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +