Search results


  • DPIA template

    Thank you for your answer Andrei. You have made some good points. Have a good day!
  • DPIA and risk assessment


    Answer:

    The ISO27K risk assessment is aimed at identifying the risks for companies. However, DPIAs focus on the risks to the rights and freedoms of data subjects. Another difference is that DPIAs will be a legal requirement as of May next year, as opposed to ISO standards, which are from a legal perspective strictly voluntary.
  • DPIA according to EU GDPR


    Answer:

    It relates to information security to the extent that the personal data is processed by certain IT systems, thus those systems need to be secured in order to keep the integrity and availability of personal data. An existing ISMS system would, in a DPIA, relate to the technical and organizational measures in place to protect the data.
  • Risk Treatment Plan Template


    Answer: To have a better understanding of our Risk Treatment Table I suggest you take a look at the free demo provided through the link: https://advisera.com/27001academy/documentation/risk-treatment-table/

    With this table you can determine options for the treatment of risks and appropriate controls for unacceptable risks. This table also includes a catalogue of options for treatment of risks as well as a catalogue of 114 controls prescribed by ISO 27001.

    Our templates are based on ISO 27001 standard, so I also suggest this material to better understand the risk assessment and risk treatment process:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

    I also suggest you consider purchasing our Risk Assessment Toolkit (https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/), so you can have the complete set of documents aligned with ISO 27001 and make the adjustments to integrate them with your already implemented process. We would charge you only the price difference with what you already spent.
  • Standards for IT procedures and policies


    Answer: For the definition of IT Security and Operation Security policies compliant with ISO standards you should consider ISO 20000 (for IT service management) and ISO 27001 (for information security management). By considering these standards, you can develop policies and procedures to ensure proper IT operations and protection of information.

    If your focus is on information security, I suggest you take a look at the free demo of our Operating Procedures for Information and Communication Technology at this link: https://advisera.com/27001academy/documentation/operating-procedures-for-information-and-communication-technology/

    The purpose of this document is to ensure correct and secure functioning of information and communication technology.

    If your focus is on information technology, I suggest you take a look at the free demo of our ISO 20000 Documentation Toolkit at this link: https://advisera.com/20000academy/iso-20000-documentation-toolkit/

    This toolkit will help you implement, operate and manage an efficient and secure IT service process.

    These materials will provide you further explanation about ISO 20000 and ISO 27001:
    - How to implement ISO 27001 and ISO 20000 together https://advisera.com/27001academy/blog/2015/03/16/how-to-implement-iso-27001-and-iso-20000-together/
    - How to integrate ISO 27001 and ISO 20000 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-integrate-iso-27001-and-iso-20000-free-webinar-on-demand/

    2. My second question is that I am writing a new Process document & guidelines for a customer. I am planning to use the ISO standard only.
    I need help to understand how to write the Process & guidelines according to the ISO standard.

    Answer: For developing and implementing procedures I suggest the following articles:
    - Seven steps for implementing policies and procedures https://advisera.com/27001academy/knowledgebase/seven-steps-for-implementing-policies-and-procedures/
    - 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/ (the orientations applied here for ISO 27001 documents also can be applicable to other documents in general).
  • Vulnerability identification


    Answer: Your understanding is correct. Complicated procedures are prone to errors and the impacts you mentioned, and depending upon the results of your analysis and evaluation the application of security controls may be required.

    This article will provide you further explanation about risk analysis:
    - ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

    This material will also help you regarding risk analysis:
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
  • GDPR compliant


    Answer:

    How about a self assessment? You could use the "EU GDPR Readiness Assessment" and besides the answers also gather documentation to prove compliance. By the way, you should be able to answer Yes to all questions applicable to you. You could also engage a third party to perform an audit. The audit should focus both on processes and documents with a special focus on your Inventory of processing activities and DPIAs.
    Also bear in mind that nobody as of yet can certify that you are GDPR compliant. Certification bodies are yet to be established.
  • Quality Committee

    My answer: The project organization can be defined within the Project Plan, and it would include:
    - the project sponsor: does not participate actively in the project. The project manager must regularly inform the project sponsor about the status of the project; the sponsor intervenes if the project is stalled.
    - the project manager: their function is to coordinate the project, guarantee the resources necessary for its implementation, inform the sponsor about the progress of the project and carry out administrative work related to it. The authority of the project manager must be such that it guarantees the uninterrupted implementation of the project within the established deadlines.
    - the project team: their function is to help in various aspects of the implementation of the project, carry out pre-established tasks and make decisions on various topics that require a multidisciplinary approach. The project team meets before completing each final version of a document and, in other cases, whenever the project manager considers it necessary.

    These materials can help you regarding the implementation of ISO 9001:2015:
    - Book "Preparación para el proyecto de implementación ISO: una guía en un lenguaje sencillo" (Preparing for the ISO implementation project: a plain-language guide): https://advisera.com/books/preparacion-para-el-proyecto-de-implementacion-iso-una-guia-en-un-lenguaje-sencillo/
    - Free online course: ISO 9001 Foundations Course: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
    - Conformio (online tool for ISO 9001): https://advisera.com/conformio/
  • Risk assessment report


    Answer: The risk assessment report should be a separate document from the risk assessment, because its purpose is to present to top management the main results of the risk assessment, while the risk assessment document contains all information gathered, analysed and evaluated about the risks in the organization.

    This article will provide you further explanation about the risk assessment process:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    These materials will also help you regarding risk assessment and treatment process:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Need for Data Protection Impact Assessment


    Answer:

    As stated in the webinar, DPIAs are not necessary for all processing activities, but only for those activities that may be considered as high risk to the rights and freedoms of the data subjects. Our EU GDPR implementation toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ also contains a threshold assessment which is meant to help you identify high risk processing activities.