Answer: The proper approach is for the person responsible for each business activity to determine the criticality of the functions in his/her department, not only because they know their activities best, but because this creates a sense of accountability that will ensure more precise results. You should act as support for them, providing real examples of relevant disasters that affected other companies (so they understand that extreme failures can happen) and orientation about the BIA methodology.
As regards the existing emailing list: where consent has been given as the legal basis for processing under the Data Protection Directive, it will continue to be valid under the Regulation if it also meets the requirements of the Regulation. For example, check that when you obtained the consent you were not using pre-ticked boxes and that the request for consent was separate from other matters.
If you have emails of partners you can use "contract necessity as a legal basis for processing, assuming you have an already existing contractual arrangement".
As for obtaining consent by contacting the data subject by email, I would advise against that, because by sending an email you are already processing personal data and you would need a legal basis for this.
As key takeaways:
- Review your existing processes to obtain consent to establish if they are valid under the Regulation;
- Consider if you can rely on an alternative basis for processing;
- If you do want to use consent, put in place processes to record and act on a withdrawal of consent.
BIA exercise participants
What does the ISO standard recommend?
Answer: ISO 22301 does not prescribe who must participate in a BIA exercise, but you should consider any person or business unit that may have relevant information related to the business being analysed.
Can we exclude every clause related to production / preservation / calibration / etc.?
Answer: ISO only allows exclusion of clauses from section 8. Although your scope doesn't include production, it surely includes service provision. Perhaps you can exclude some clauses of section 8 like preservation and calibration (although calibration is from section 7), but you can't exclude service provision. ISO 9001 mentions the word stakeholders precisely because of organizations like yours that work with donors' funds but provide a service to others as third parties, like communities or victims.
The following material will provide you with information about scope definition and exclusions:
Even if you are a SaaS provider you will be a processor in terms of processing personal data that belong to controllers using your software, but I am pretty sure you have processing activities for which you act as controller, for example managing your staff (HR administration). So, my advice is to consider all documents, since it is highly unlikely that you are only a processor.
Scope definition (virtual company)
How should I specify location in the ISMS Scope document?
Answer: In terms of certification you can state as location (company headquarters) the home address of the founder / CEO of the company or the address of the office where the people accountable for the company can be found (you should ask the certification body what their preference would be in such a situation). You can present this address as the company's address, and all other locations can be considered remote locations and audited accordingly.
Certification for a specific issue
I would like to know if it is possible to certify a company in ISO 27001 or ISO 20000 in a specific area or on a specific subject.
I work with IT governance, but I am part of a database (BD) and BI infrastructure leadership team. My immediate leader asked me to look at an ISO certification focused on databases. I did not find one specific to databases. Would it be possible to narrow the scope to a database knowledge area, given that these certifications generally cover the whole organization or a department?
Answer: The scope of an ISO 27001 or ISO 20000 certification can be defined in terms of processes and locations (additionally, the scope of ISO 27001 can be defined in terms of the information to be protected). So, both certifications are applicable to a database, but depending on your purposes the better option may vary:
- If you want to ensure proper operation and management of the database you should look for ISO 20000 certification
- If you want to ensure the protection of the data stored and processed by the database, then you should look for ISO 27001 certification
You can also consider both certifications. ISO 27001 and ISO 20000 have similar frameworks that allow the common requirements to be integrated, so you can take advantage of both certifications.