Answer: The place to include references in our templates is section 2 (Reference documents). Applicable controls to each template are already included in this section, so you should check if the references you want to include are already there, or if you should add the ones you wish.
Also, we are currently going through who our interested parties are; other than going through each piece of UK legislation in detail, is there any other way of reviewing this element of the task?
Answer: Besides entities that issue laws your organization must comply with, you should also consider as interested parties employees, customers and suppliers that can affect, or be affected by, your ISMS.
This article will provide you further explanation about interested parties:
- How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301/
Answer: The proper approach is for the person responsible for each business activity to determine the criticality of the functions in his/her department, not only because they know their activities best, but because this will create a sense of accountability that will ensure more precise results. You should act as support for them, providing real examples of relevant disasters that affected other companies (so they understand that extreme failures can happen) and orientation about the BIA methodology.
As regards the existing emailing list, where the legal basis for processing is consent given under the Data Protection Directive, it will continue to be valid under the Regulation if it also meets the requirements of the Regulation. For example, check that when you obtained the consent you were not using pre-ticked boxes and that the request for consent was separate from other matters.
If you have emails of partners you can use "contract necessity" as a legal basis for processing, assuming you have an already existing contractual arrangement.
As for obtaining the consent by contacting the data subject by email, I would advise against that because by sending an email you are already processing personal data and you would need a legal basis for this.
As key takeaways:
- Review your existing processes to obtain consent to establish if they are valid under the Regulation;
- Consider if you can rely on an alternative basis for processing;
- If you do want to use consent, put in place processes to record and act on a withdrawal of consent.
BIA exercise participants
What does the ISO standard recommend?
Answer: ISO 22301 does not prescribe who must participate in a BIA exercise, but you should consider any person or business unit that may have relevant information related to the business being analysed.
Can we exclude every clause related to production / preservation / calibration / etc.?
Answer: ISO only allows exclusion of clauses from section 8. Although your scope doesn't include production, it surely includes service provision. Perhaps you can exclude some clauses of section 8 like preservation and calibration (although it is from section 7), but you can't exclude service provision. ISO 9001 mentions the word stakeholders precisely because of organizations like yours that work with donors' funds, but provide a service to others as third parties, like communities or victims.
The following material will provide you with information about scope definition and exclusions:
Even if you are a SaaS provider you will be a processor in terms of processing personal data that belong to controllers using your software, but I am pretty sure you have processing activities for which you act as controller, for example managing your staff (HR administration). So, my advice is to consider all documents, since it is highly unlikely that you are only a processor.
Scope definition (virtual company)
How should I specify location in the ISMS Scope document?
Answer: In terms of certification you can state as location (company's headquarters) the home address of the founder / CEO of the company or the address of the office where the people accountable for the company can be found (you should ask the certification body what their preference would be in such a situation). You can present this address as the company's address, and all other locations can be considered remote locations and can be audited accordingly.