I am not sure if I should be defining in terms of HOW LIKELY each supplier may be to let us down in some way , or THE IMPACT of a supplier letting us down.
For example: FIRE; the likelihood of our fire alarm supplier letting us down is very low as they are a reputable supplier who do regular maintenance visits, but the IMPACT should a fire destroy our office would be very HIGH.
Similarly, with the firewall provider: the likelihood of an issue is low but the impact would be very high. Which way do I need to look at each supplier in order to define risk?
Answer: The definition of risk is a combination of likelihood and probability, so you must consider both aspects in your risk assessment.
Since you stated you are using the scale low-medium-high, the possible combinations for likelihood vs. impact are low-low, high-high, low-high and high-low.
Considering these combinations, you may define that for a result of low-low the risk is acceptable and do nothing. For the combination high-high the risk is unacceptable and security controls must be defined and implemented. As for the combinations low-high and high-low, you should check them on a case-by-case basis, considering the identified impact, to make a decision on whether or not to treat the risk.
Answer: You can have both plans in a single document. In fact, because both systems, when based on ISO 27001 and ISO 22301, have a lot of common requirements, it is best to use a single document to coordinate the implementation.
Answer: You should consider for your ISMS all employees that have access to the information you want your ISMS to protect, so if all of your employees that work remotely in different states have access to this information, then all of them must be considered within the boundaries of your ISMS.
Answer: The point here is to explain about feelings and perceptions. If the persons involved in the analysis do not reach a consensus about the impact value for a specific situation, but they agree that the situation is significant enough to be taken into account together with situations for which they can determine the value, then you may have a situation where a non-financial impact may be greater than any financial impacts they found related to the other situations considered.
For example, in a plane crash situation, the value of the airplane can be determined, but what about the value of human lives? Someone may argue that he has a formula to calculate the value of a life, but the value may be questioned by relatives (whose feelings may not be measurable) or by employers (who may argue about the potential deliveries the professional would have made for the company), making it impossible to reach a consensus; but all of them would agree at a certain point that the value of a life is high.
Access control policy template content
A.9.2.5 Security of equipment off premises
Control
Security shall be applied to off-site equipment taking into account the different risks of working outside the organization’s premises.
I am not seeing the relationship there. Perhaps I'm missing an important point here. Can you lend me some guidance?
Answer: Sorry, but you are making a mistake here. ISO 27001:2013 control A.9.2.5 refers to "Review of user access rights" (Asset owners shall review users' access rights at regular intervals). The control about "Security of equipment and assets off-premises" is A.11.2.6, which is not covered by this template (this control was A.9.2.5 in ISO 27001:2005, which was withdrawn when the 2013 version was released). Here you can find the current version of the standard: https://www.iso.org/standard/54534.html
Answer: From your question I'll assume you are referring to the Statement of Applicability (SoA). Considering that, you have to evaluate whether the SoA must be updated when there is a significant change in the ISMS scope or risk scenario, or at least during the management review, which is normally performed at least once a year. For controlling the SoA version you have to verify what is defined in your procedure for control of documents and records, because the SoA is a mandatory record for ISO 27001 certification.
The lead generation service that you buy your services from would need to be GDPR compliant before sending you the data, after the application date, that is.
Consent under the EU GDPR
Answer:
Where consent has been given under the Data Protection Directive, it will continue to be valid under the EU GDPR only if it also meets the requirements of the Regulation.
This may be difficult given the new and stringent requirements for consent. If the consent does not meet the requirements of the EU GDPR, you should consider approaching the existing customers to obtain a fresh consent that is valid under the Regulation.
Consent under the EU GDPR needs to be “freely given, specific, informed and unambiguous indication of the individual’s wishes”. This means among others that:
- Inactivity or silence is not enough and the use of "pre-ticked boxes" is not permitted, so the opt-out solution will not work.
- "Bundled consent" is not allowed. Where different processing activities are taking place, consent is presumed not valid unless the individual can consent to them separately.
- The individual can withdraw consent at any time and must be told of that right prior to giving consent. It should be as easy to withdraw consent as it is to give it.
If your consent does not comply with these requirements, you would need to approach the data subjects again to obtain fresh, EU GDPR compliant consent.