Search results

Home / Search

Category:

Sort by:

Select

Types of user:

Select

11277 results

Guest

Create New Topic As guest or Sign in

Business department* About business* Organization size*

Title *

Body *

HTML tags are not allowed

Category *

Select

Assign topic to the user

Select user

Certificaciones de una proveedor cloud

Respuesta: Generalmente te diría que si, porque la mayoría de proveedores cloud que conozco tienen una infraestructura IT segura, aunque te recomiendo que busques proveedores que cumplan con estándares como por ejemplo ISO 27017 que es para servicios cloud, o ISO 27018 que es para la protección de la privacidad en la nube. También es importante considerar certificaciones como CSA, CCM, o inclusive ISO 27001 o ISO 20000. Por tanto, te recomiendo servicios que sean gestionados por proveedores con estos estándares, porque pueden darte una seguridad o una confianza de que tu información está a salvo en la nube. Este artículo te puede resultar interesante “ISO 27001 vs. ISO 27017 - Information security controls for cloud services” : https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/

Y también este otro “ISO 27001 vs. ISO 27018 - Standard for protectin g privacy in the cloud” : https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/
Privacy Statement

Answer:

As required by EU GDPR article 13 “Information to be provided where personal data are collected from the data subject” (https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-are-collected-from-the-data-subject/) you need to provide to the data subject with “Identity and the contact details of the controller” regardless if the controller is an individual or a legal entity. As for a controller which is owned by a Holding company you just need to specify the details for the controller.

Regarding your next query, if you are not collecting or processing personal data there is there is no requirement in the EU GDPR that you provide such information.

You might find our webinar on ” Privacy Notices Under the EU GDPR” (https: //advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/) useful for your tasks ahead.
Training manuals and QMS documents

Answer:

Those training manuals are useful now because of the implementation of a new database. Will they still be useful in the future to train, to integrate new workers? If the answer is no, the training manuals will be of short time usefulness and I would not include them in the QMS documents. If the answer is yes, I start to see them as a kind of work instructions to be used in the future by whoever has doubts about the database operation, and in that case I would include them as QMS documents.

The following materials will provide you details about work instructions:

- Article - How to structure work instructions in the ISO 9001 QMS - https://advisera.com/9001academy/blog/2015/06/16/how-to-structure-work-instructions-in-the-iso-9001-qms/

- [free course] ISO 9001:2015 Foundations Course - https://tr aining.advisera.com/course/iso-90012015-foundations-course/

- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
Starting with the documentation

Answer:

You can always start filling in the EU GDPR Readiness Assessment Questionnaire which will give you an overview of your current compliance status. The EU GDPR Readiness Assessment Questionnaire can be found in folder 1 of the EU GDPR Toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ Alternatively, you can use our EU GDPR Readiness Assessment Tool which you can find at https://advisera.com/eugdpracademy/eu-gdpr-readiness-assessment-tool/

After performing the Assessment and setting up your project plan and project team you can start working through the documents in the order in which they are presented in the Toolkit. Make sure that you also consult the “List_of_documents_EU_GDPR_Documentation_Toolkit” so you can see which are the mandatory documents that you need to have (although we encourage our customers to consider all documents and not only the mandatory ones).

There are al so several materials available on Advisera website that you might find useful in your future tasks:
- Article: “9 steps for implementing GDPR” (https://advisera.com/articles/9-steps-for-implementing-gdpr/);
- Webinar: “How to use a Documentation Toolkit for the implementation of EU GDPR” (https://advisera.com/eugdpracademy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-eu-gdpr-free-webinar-on-demand/)
Division of tasks

Notwithstanding the workload, do you think this is feasible or are there any potential conflicts of interest here?

Answer: A single person to manage such scope (considering the different systems, number of personnel and multiple offices), may compromise the systems effectiveness, because not only the common aspects of the systems (e.g., control of documents, internal audit, processes and controls monitoring, etc.), but the specific activities required by each system (risk assessment, business impact analysis, and processes monitoring), and support required by employees can easily overload a single person time and capacity.

You should consider at least another person to assume part of the tasks.
Shared resources

Asset name: Network locker (NO Office)
Threat: Information interception
Vulnerability: Switch Locker is shared with other companies
Consequence(0 to 3): 2
Likelihood(0 to 3): 3

The neighboring office (and anyone with access) has access to the locker through a door that can only be locked from their side. The people that are responsible for the building, will apparently install an alarm that will go off if anyone opens the door, however we are not very happy about that as a solution, and we’d much rather be able to control exactly who has access to the locker.

?Do you have any suggestion that u can give us?

Answer: Considering the scenario you described, you should try to establish with the people that are responsible for the building an agreement specifying the security controls they need to implement (e.g., install an alarm, give you the key to the locker, etc.). If this solution is not possible, other alternatives you should consider are:
- Implement a separate switch/network
- Implement cryptography to protect communication between the computers in your network and to protect you files.
- Implement access control into the shared folders in your network.

The last alternative in terms of risk management is to accept the risk (and do nothing), and to avoid the risk (e.g., by stopping using the switch).

This article will provide you further explanation about handling suppliers:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
ISO 27001 implementation project

Answer: The first and most critical step is to get management support for the project. Implementing information security will need resources in terms of people, material and capital, and most of all, it involves cultural change, and for that you will need top management support and involvement.

To help you with Top Management, I suggest you to use our Project proposal for ISO 27001 / ISO 22301 implementation and Project plan for ISO 27001 / ISO 22301 implementation that you can find at these links:
- https://info.advisera.com/27001academy/free-download/project-proposal-for-iso-27001-iso-22301-implementation-msword
- https://info.advisera.com/27001academy/free-download/project-plan-for-iso-27001-iso-22301-implementation

These documents can be adjusted to your organization context and can help you explain the importance of ISO 27001 to the business and how the implementation should be conducted.

Regarding the gap asses sment phase, I suggest you to take a look at our Free ISO 27001 Gap Analysis Tool at this link: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/

Its question-and-answer format allows you to visualize which specific elements of an information security management system you’ve already implemented, and what you still need to do.

These articles will provide you further explanation about implementation steps:
- What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
- ISO 27001 project – How to make it work https://advisera.com/27001academy/blog/2013/04/22/iso-27001-project-how-to-make-it-work/
- Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/

These materials will also help you regarding implementation steps :
- Preparations for the ISO Implementation Project: A Plain English Guide https://advisera.com/books/preparations-for-the-iso-implementation-project-a-plain-english-guide/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
- ISO 27001: An overview of the ISMS implementation process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001-overview-isms-implementation-process-free-webinar-demand/
- Seven key problems to avoid in ISO 27001 implementation [free webinar on demand] https://advisera.com/27001academy/webinar/seven-key-problems-to-avoid-in-iso-27001-implementation-free-webinar-on-demand/
Applicability of controls

Answer: A control from Annex must be applied only if one of the following occurs:
- There are risks identified as unacceptable in the risk assessment that require the implementation of the control
- There are legal requirements (e.g., laws, regulations, contracts, etc.) that require the implementation of the control
- There is a top management decision requiring the implementation of the control

If none of these occurs there is no need to implement a control considering ISO 27001 requirements (what occurs in fact is that hardly one of these won't happen regarding incident management - is extremely rare that a company does not have any control from section A.16). Since you did not provide the justification for exclusion in your documen t it is not possible to evaluate is the exclusion acceptable or not (at the beginning of the document, about control A.6.1.1, there is a comment about the same issue - justification for inclusion/exclusion).

This article will provide you further explanation about risk assessment:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
ISO 27005 Annexes

Answer: Annexes B (Identification and valuation of assets and impact assessment), C (Examples of typical threats) and D (Vulnerabilities and methods for vulnerability assessment) from ISO 27005 are compilations from common practices and situations found in the market, so there is no problem to adopt them in your framework

This material will also help you regarding risk management:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
ISMS audit

Answer: I'm assuming that you are interested in performing the internal audit, and to help you with this I suggest you the following material:
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
- How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
- 7 ways to improve the internal audits of your ISO 27001 ISMS https://advisera.com/27001academy/blog/2017/08/28/7-ways-to-improve-the-internal-audits-of-your-iso-27001-isms/

Additionally I suggest you to take a look at our ISO 27001/ISO 22301 Internal Audit Toolkit at this link: https://advisera.com/27001academy/iso-27001-22301-internal-audit-documentation-toolkit/

This toolkit will provided you templates to build your internal audit process, audit plan and other documents require to perform an i nternal audit according ISO 27001.

These materials will also help you regarding ISMS audit:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +

Search results

11277 results

Create New Topic As guest or Sign in

Assign topic to the user

Want to vote?

Certificaciones de una proveedor cloud

Privacy Statement

Training manuals and QMS documents

Starting with the documentation

Division of tasks

Shared resources

ISO 27001 implementation project

Applicability of controls

ISO 27005 Annexes

ISMS audit

Didn’t find an answer?