Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11277 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
¿Apéndices en la ISO 22301?
Respuesta: Disculpa, pero ISO 22301 no tiene apéndices, por tanto, este estándar no habla sobre apéndices. Donde puedes ver apéndices es en nuestro paquete de documentos de la ISO 22301, por ejemplo, el documento “Procedimiento para identificación de requisitos” tiene el apéndice “Lista de requisitos legales, normativos, contractuales y de otra índole” que simplemente es un documento adicional que se utiliza como soporte al procedimiento. Puedes ver aquí nuestra lista de documentos con sus apéndices, y también puedes ver qué documentos son obligatorios : https://advisera.com/wp-content/uploads//sites/5/2015/06/Lista_de_documentos_Paquete_de_documentos_sobre_ISO_22301_BS-25999_ES.pdf -
Inventory of processing activities
Answer:
Inventory of processing activities need to be filled in by the companies themselves, there are no “most used processing activities” since these are closely linked to the business. For example a call center processing activities will be different than the ones form a recruitment company. This is why we provided in the EU GDPR toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ the ”Guidelines of Processing Activities Inventory” that will explain how you could tackle this task.
As for the Retention Schedule it is somehow the same story especially for certain types of records for which retent ion period is established by local legal requirements for example the retention period for CCTV footage is different between various Member States the same goes for payroll related documents as well. -
ISO 27017 and ISO 27018 certification
Answer: Although there are some certification bodies issuing certificates for ISO 27017 and ISO 27018, these are unofficial (to ISO these standards are not certifiable), and cannot be issued without a formal ISO 27001 certification.
ISO27017 and ISO 27018 are support standards to ISO 27001, providing specific guidance and orientation on security controls form ISO 27001 Annex A that are applicable to cloud environments and Personally Identifiable Information.
These articles will provide you further explanation about ISO 27001, ISO 27017 and ISO 27018:
- WHAT IS ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
- ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
- ISO 27001 vs. I SO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/ -
Maximum Allowable Outage and non financial impact
Answer: You can have situations where the non financial impact is high and the financial impact is low, so the non financial impact is more significant to determine the MAO. In such cases the MAO is not calculated, but determined considering the perceptions of the interested parties about how much time the outage should last so the organization wouldn't be able to resume business activities. Since this is a subjective approach, you should involve personnel with as much as experience and knowledge about the impact as possible, to ensure some degree of confidence in the MAO value.
This material will also help you regarding Maximum Allowable Outage and non financial impact:
- How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
- Book Becoming Resilient: The Definitiv e Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/ -
ISMS implementation
Answer: First of all I suggest you ISO 27001, the ISO standard with requirements for implementing an ISMS, which will provide you a structured framework for the implementation. To have an overview of the process of implementing an ISMS according ISO 27001, I suggest you the following material:
- What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
- ISO 27001: An overview of the ISMS implementation process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001-overview-isms-implementation-process-free-webinar-demand/
- Seven key problems to avoid in ISO 27001 implementat ion [free webinar on demand] https://advisera.com/27001academy/webinar/seven-key-problems-to-avoid-in-iso-27001-implementation-free-webinar-on-demand/
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
- Case study: ISO 27001 implementation in an IT system integrator company https://advisera.com/27001academy/blog/2017/05/08/case-study-iso-27001-implementation-in-an-it-system-integrator-company/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
Specifically about defining the scope, I suggest this material:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
Finally, to support you implementation, I suggest you to take a look at the free demo of our ISO 27001 Documentation Toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
This toolkit will provide you easy to fill templates and expert support to guide you in your implementation process. -
Procedure for identification of requirements
Can you suggest some additional help material that I can use when I am working through this template. For the Information Security Scope and Policy templates, I found using the video’s very helpful, but I don’t think that there is a video related to this template.
Answer: To help you with the identification of requirements I suggest you the following material:
- How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/ -
Exclusion of requirements
@Anthony
Software validation may be exluded, or deeemed not applicable.
* may not :)
Hit enter too fast
-
Auditing AS9100D with transition training only
Answer: The process of auditing is to compare what is actually happening in a process against the planned arrangements. That being said, if you already know how to audit then what you need to update is your understanding of the planned arrangements, and an awareness and transition course will have given you this knowledge. In many cases this is all that would be needed to audit against AS9100 Rev D. I say in most cases because it is up to the company to determine the competence required for internal auditors, so if the company competence requirements are understanding auditing, understanding AS9100 Rev D and understanding internal company processes then it is the knowledge needed to meet these requirement that needs to be demonstrated, and the tr ansition course could be one way to do this.
For some more information on the changes see this article: https://advisera.com/9100academy/knowledgebase/as9100-rev-d-vs-rev-c-what-has-changed/ -
Process mapping?
Answer:
ISO 9001:2015 requires that your organization determines all key processes. “Determines” means that it is your organization that defines and establishes what is a key process, considering the scope of your QMS. ISO 9001:2015 do not use the word map, and do not require any particular visual approach to characterize each process. For example, you can use a table, each process in a row, and each item of clause 4.4.1 of ISO 9001:2015 in columns.
The following material will provide you information about the process approach:
- ISO 9001 – ISO 9001: The importance of the process approach - https://advisera.com/9001academy/blog/2015/12/01/iso-9001-the-importance-of-the-process-approach/
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-14001-internal-auditor-course/"
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
3rd Party Integrator Question
My question is, do we need to have any integration partner (once again not hired by us) complete a variation of the form, 11-A.13.2 Annex 2-Standard Contractual Clauses for the Transfer of Personal Data to Processors?
Answer:
In the situation described by you it seems that you are sharing the information to those vendors because you are instructed by the controllers to do so.
If this is the case the Controllers should be the ones that requires the vendors you share the information with to sign a Data Processing Agreement.