Answer: The values presented in the template for the categories of disruptive impact can be changed to fit your organization's needs without any problem. They are only examples based on our experience. There is no such thing as a set standard, because each organization has unique characteristics that will influence these values.
What determines the values for the categories of disruptive impact is what your organization perceives as relevant time frames for the business (e.g., minutes, hours, days, weeks, etc.).
Although you can determine the values for the categories of disruptive impact, you should not change them with every BIA, because then you cannot make comparisons between different BIAs. The better solution is to establish a set of values that will cover the majority of possible scenarios.
Answer: A surveillance audit is an audit performed by the certification body between the certification and recertification audits, to check if the system is maintained.
2 - How is it different from the main audit?
Answer: While a main audit (for certification or recertification) covers the whole certification scope, a surveillance audit covers only part of the certification scope. After a certification, the surveillance audits are planned in such a way that the whole certification scope is audited before the recertification audit is performed.
Answer: ISO 27799 is not a certifiable standard. It defines guidelines to support the interpretation and implementation in health informatics of ISO 27001 Annex A controls (this one being certifiable regarding information security).
This toolkit can help you implement the general framework for ISO 27001, and the expert support included with the toolkit can help you make the adjustments to cover the requirements of ISO 27799.
1. ISO 27001 - Section 8.2 - Information Classification
It says that "Information should be classified in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification."
My question is: who should develop the "Information Classification Matrix"? IT itself or the management? Please note that there is no separate Risk Management section either ...
Answer: The role that best fits to develop the Information Classification Matrix is the Information owner, the person who knows the value of the information best. Generally it is the process owner (the one accountable for the results of the process) or process key user (the one who knows best how the process operates).
2. My 2nd question is: how to evaluate whether a company needs to go for ISO 27001 or not? Competitive advantage is one reason, but what other criteria should a company analyze to decide why they need to go for ISO 27001?
Answer: Besides competitive advantage, a company may decide to go for ISO 27001 certification because it has a contract or other legal requirement (e.g., law or regulation) that demands this certification, or it identifies that by adopting ISO 27001 practices it can reduce losses and make the business more profitable.
By the end of March we will publish an ISO 17025 toolkit, and there you will find all the required documents to comply with this standard.
ISO 27001 and EU GDPR trainings
Answer: ISO 27001 and EU GDPR are complementary frameworks and you should consider attending trainings for both.
ISO 27001 will provide you with knowledge about the definition, implementation, operation, control and improvement of information security, while EU GDPR provides knowledge about what must be considered to ensure protection of data. So, while EU GDPR informs you about what you have to require from those holding your data, ISO 27001 informs you how to fulfill these requirements and ensure the controls applied are working as expected.
This material will also help you regarding ISO 27001:
- Free online training ISO 27001 Foundations Course https://training.advisera.com/course/iso-27001-foundations-course/
- Free online training EU GDPR Foundations Course https://advisera.com/training/eu-gdpr-foundations-course//
APQP, PPAP, FMEA and IATF 16949
Answer:
There were no substantial changes regarding APQP, PPAP and FMEA. IAF is planning to publish new documents for APQP and FMEA, but the changes won't require modification of the existing documentation. So you can keep your existing APQP, PPAP and FMEA documents.
You can audit only parts of the system during the individual internal audit. In that sense you can audit the hub against the applicable requirements of the standard and QMS documentation and that is all. If the findings of the audits are insufficient, you can later expand the scope of the audit.
Article 20 Right to data portability
(1) Indicates the data subject has the right to receive the personal data concerning him or her, which he or she has provided to a controller…
(2) … the data subject shall have the right to have the personal data transmitted directly from one controller to another…
Suppose a data subject requests to have his/her data transmitted directly from one controller to another and the recipient controller only utilizes a subset of the data provided. If at some future point the data subject requests to have his/her data transmitted again… is the new controller required to provide all of the data (including data elements that were included in the original transmission but never utilized)? Or is it ok to just transmit the data that was actually used (just a subset of the original data)?
Example:
Data Transmitted from Controller A to Controller B
- Name (prefix, first, middle, last, suffix)
- Nick Name
- DOB
- Email addresses (primary, secondary, professional…)
- Mailing address
- Title
- Credentials
- List of interests
- List of books read
Data Supported and Utilized by Controller B
- Name (prefix, first, middle, last, suffix)
- Email address (only primary)
- Mailing Address
- Title
- Credentials
Data subject requests Controller B to transmit data to Controller C… What is Controller B required to transmit to Controller C?
Answer:
I just want to begin by saying that the right to data portability as defined by EU GDPR article 20 (https://advisera.com/eugdpracademy/gdpr/right-to-data-portability/) only applies:
- to personal data “provided to” the controller by the data subject (for example, photos posted to a social network or content stored on a cloud service); and
- where the controller's processing of personal data is based on consent or performance of a contract.
To come back to your example: Controller B, if faced with a request for data portability, will need to provide to Controller C only the data that it processes in order to provide the service to the data subject, not the excess data that Controller A provided.