Answer: First of all, I'm assuming that by ISO 27001 you are referring to the ISO 27001 Lead Auditor certification, so my answer will be based on this ISO 27001 certification.
CRISC (Certified in Risk and Information Systems Control) should be considered if you want to evaluate how IT risks are managed and controlled in an organization.
ISO 27001 Lead Auditor certification should be considered if you want to evaluate how the information security is managed and improved in an organization.
In fact, these certifications have different purposes, but are complementary in nature, because a great deal of information security today depends on how IT risks are managed and controlled (and CRISC covers this part), and since information exists not only in IT systems, the understanding of ISO 27001 concepts and requirements can help an auditor better understand and identify problems and opportunities for improvement in overall information security.
"3.3. Backup information to cloud service customers
Depending upon the cloud model adopted, the cloud service customer may be responsible for the backup process.
For example, in an IaaS model, the cloud service provider is responsible for the backup of the infrastructure, while backup of data and systems are the cloud service customer’s responsibility"
Answer: Cloud service providers (CSPs) are companies that offer network services, infrastructure, or business applications in the cloud. Since you offer trust services and a degree of data storage, your organization can be identified as a CSP and you should consider this situation when planning your ISO 27001 ISMS.
As regards Article 30, Records of processing activities (or Inventory of processing activities), there is no requirement to report it to the Supervisory Authorities; this is why you won't find this document in our EU GDPR implementation toolkit: https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/
The only reporting requirement presented in the EU GDPR refers to the notification of Supervisory Authorities in case of some data breaches. You can find guidance as well as the appropriate templates in folder 9 "Personal Data Breaches" of our EU GDPR implementation toolkit.
Documenting Risks and Opportunities
Answer:
Clauses 4.1 and 4.2 don’t have any requirements about documenting risks and opportunities.
The following material will provide you with information about the risk-based approach:
Clause 8.1a is about product or service specifications. Your company must have product or service specifications. Then, see clause 8.1e; it is this clause that requires you to document product or service specifications.
The following material will provide you with information about ISO 9001:
Answer: The minimum requirements depend on the standard you want to implement for information security, and one of the most important (and most popular) is ISO 27001 (many standards related to information security are based on ISO 27001). This standard has specific requirements, and you have to read the standard in detail to know them, but there is a series of mandatory documents that you must have in order to implement the standard's requirements, and you can see this list here: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
GDPR Documentation Process
Answer:
Filling in the documentation is just one of your tasks in achieving EU GDPR compliance. After this step, you should focus on making sure that all the documents are backed up by the proper processes, in order to ensure that the policies and procedures are followed and integrated into your day-to-day business activities.
For example, you should also consider the following tasks:
- test some of these processes, such as the one set up by the "Data Breach Response and Notification Procedure" (https://advisera.com/eugdpracademy/documentation/data-breach-response-and-notification-procedure/). You need to see if all the staff involved know what to do, from identifying a data breach until sending the appropriate notifications;
- maintain the "Inventory of processing activities" (https://advisera.com/eugdpracademy/documentation/inventory-of-processing-activities/), which should be kept up to date;
- perform due diligence on some of your most important suppliers;
- build up an EU GDPR awareness program to train your relevant staff.
EU GDPR compliance is not a "one shot" exercise but rather a continuous process to ensure that personal data is protected in any instance, regardless of the changes in your business activities.
And to answer your second question, there is no need for you to proactively go to the ICO to present your EU GDPR framework.
Activity Recovery Strategy template content
To be more specific, our economy department has a critical activity of paying a certain supplier; the rest of the activities in the economy department are not time critical until the end of the month.
Answer: You should include all tasks needed to fully recover the activity, but the time to execute each one of them will be according to their criticality to the business, as defined in the Recovery Priorities for Activities template, included in your toolkit. This way you can ensure both that critical activities are given the time to be recovered first and that all activities needed to recover normal operations will be recovered in the proper time.
Answer: According to ISO 27001 requirements, the applicability of controls from Annex A section A.11 to your office will depend on whether your employees' laptops have access to any information you want to protect (whether the information is stored or processed onsite or in the cloud), and on whether the results of the risk assessment identify risks to your premises that should be treated (e.g., there is an unacceptable risk that someone breaks into your office and steals the notebooks).