Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11270 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Control gap treatment
Answer: If the gap refers to a standard's mandatory requirement, or to risks considered unacceptable in your risk assessment, it has to be solved at most before the certification audit. Otherwise, its deadline can be defined to a date after the certification, but you have to be prepared to present to the certification auditor the action plan related to the treatment of this gap and any evidence of results already achieved. -
Supplier Assessment questionnaire
Answer: There is no specific document for a Supplier Assessment questionnaire (such questionnaire is not mandatory to comply with ISO 27001 requirements), but you can drawn up one based on the Security Clauses for Suppliers and Partners document, since this document lists security requirements that can be put into contract with suppliers and outsourcing partners,and through them you can evaluate how prepared a potential supplier is. You also can take a look at the free demo of our Processor GDPR Compliance Questionnaire at this link: https://advisera.com/eugdpracademy/documentation/processor-gdpr-compliance-questionnaire/
This document can show you how a questionnaire to assess supplier’s compliance with should look like.
These articles will provide you further explanation about suppliers assessment:
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
- How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/ -
DPIA template
Thank you for your answer Andrei. You have made some good points. Have a good day! -
DPIA and risk assessment
Answer:
The ISO27K risk assessment is aimed at identifying the risks for companies. However DPIAs focus on the risks to the rights and freedoms of data subject. Another difference is that DPIAs will be a legal requirement as of May next year as opposed to ISO standards that are from a legal perspective strictly voluntary. -
DPIA according to EU GDPR
Answer:
It relates to information security to the extend that the personal data is processed by certain IT systems thus those systems need to be secured in order to keep the integrity and availability of personal data. An existing ISMS system would , in DPIA , relate to the technical and organizational measures in place to protect the data. -
Risk Treatment Plan Template
Answer: To have a better understanding of our Risk Treatment Table I suggest you to take a look at the free demo provided through the link: https://advisera.com/27001academy/documentation/risk-treatment-table/
With this table you can determine options for the treatment of risks and appropriate controls for unacceptable risks. This table also includes a catalogue of options for treatment of risks as well as a catalogue of 114 controls prescribed by ISO 27001.
Our templates are based on ISO 27001 standard, so I also suggest this material to better understand the risk assessment and risk treatment process:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
I also suggest you to consider purchase our Risk Assessment Toolkit (https:// advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/), so you can have the complete set of documents aligned with ISO 27001 and make the adjustments to integrate them with your already implemented process. We would charge you only the price difference with what you already spent. -
Standards for IT procedures and policies
Answer: For definition of IT Security and Operation Security policies complaint with ISO standards you should consider ISO 20000 (for IT service management) and ISO 27001 (for Information security management). By considering these standards, you can develop policies and procedures to ensure proper IT operations and protection of information.
If your focus is on information security, I suggest you to take a look at the free demo of our Operating Procedures for Information and Communication Technology at this link: https://advisera.com/27001academy/documentation/operating-procedures-for-information-and-communication-technology/
The purpose of this document is to ensure correct and secure functioning of information and communication technology.
If your focus is on information technology, I suggest you to take a look at the free demo of our ISO 20000 Documentation Toolkit at this link: https://advisera.com/20000academy/iso-20000-documentation-toolkit/
This toolkit will help you implement, operate manage an efficient and secure IT service process.
These materials will provide you further explanation about ISO 20000 and ISO 27001:
- How to implement ISO 27001 and ISO 20000 together https://advisera.com/27001academy/blog/2015/03/16/how-to-implement-iso-27001-and-iso-20000-together/
- How to integrate ISO 27001 and ISO 20000 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-integrate-iso-27001-and-iso-20000-free-webinar-on-demand/
2. My second question is that I am writing new Process document & guidelines for customer.. I am planing to used ISO standard only.
Need help to understand how to write Process & guidelines according ISO standard.
Answer: For developing and implementing procedures I suggest you the following articles:
- Seven steps for implementing policies and procedures https://advisera.com/27001academy/knowledgebase/seven-steps-for-implementing-policies-and-procedures//
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/ (the orientations applied here for ISO 27001 documents also can be applicable to other documents in general). -
Vulnerability identification
Answer: You understanding is correct. Complicated procedures are prone to errors and the impacts you mentioned, and depending upon the results of your analysis and evaluation the application of security controls may be required.
This article will provide you further explanation about risk analysis:
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
This material will also help you regarding risk analysis:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/ -
GDPR compliant
Answer:
How about a self assessment? You could use the "EU GDPR Readiness Assessment" and besides the answers also gather documentation to prove compliance. By the way, you should be able to answer Yes to all questions applicable to you. You could also engage a third party to perform an audit. The audit should focus both on processes and documents with a special focus on your Inventory of processing activities and DPIAs.
Also bear in mind that no body as of yet can certify that you are GDPR compliant. Certification bodies are yet to be established.