Search results


  • Controlling customer data


    Answer:

    If by controlling CUSTOMER (DEBITOR) data you refer to data which relates to a company, we can safely assume that this processing activity is out of the scope of the EU GDPR. However, if the customer is a natural person (individual) or a sole trader, then the EU GDPR would be applicable.
  • Certifications for ISO 27001 experts


    Answer: There are two worldwide-recognized ISO 27001 personal certifications available, and both can help you support an ISO 27001 certification process:
    - ISO 27001 Lead Implementer – this certification recognizes people who have competency in the ISO 27001 implementation process. For your stated purpose, this one would be more recommended.
    - ISO 27001 Lead Auditor – this certification recognizes people who have competency in auditing an ISMS against ISO 27001 requirements and want to become certification auditors (and with this provide more confidence to an organization for being certified).
    - ISO 27001 Internal Auditor – this certification recognizes people who have competency in auditing an ISMS against ISO 27001 requirements and want to perform audits only for their own organizations.

    These materials will help you:
    - What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
    - What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
    - Free online training ISO 27001 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
  • Employee background check


    Answer:

    There is nothing wrong with performing a background check as long as the processing activity is lawful and proportionate.
    So, if, based on a risk assessment conducted by the company, it results that some categories of employees or potential employees would need to be checked, you can do that provided you do the following:
    - get the express consent of the potential employee and, for the existing employees, provide an adequate notice. The consent form template can be found in folder 4 of the EU GDPR implementation toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ and the notice for employees can be found in folder 2.
    - because this processing activity is quite intrusive (depending on the extent of the background check) and special categories of personal data (such as criminal records) might be processed, a DPIA would be required as well. You can find guidance on DPIAs in folder 5 of the EU GDPR implementation toolkit.
  • Documented information


    Answer:

    Your question is very particular and I can only give general answers, because each case is a case and I don’t have enough information. Nevertheless, I would say that you can eliminate those databases from your QMS intranet. After that you will still control the information about your parts and product list (name, reference, version, change control, approval, distribution, obsoletes).

    The following material will provide you information about document control:

    - ISO 9001 – How to set up document approval/withdrawal within your QMS based on ISO 9001:2015 https://advisera.com/9001academy/blog/2016/04/12/how-to-set-up-document-approvalwithdrawal-within-your-qms-based-on-iso-90012015/
    - Free online training ISO 9001:2015 Foundations Course https://advisera.com/training/iso-9001-foundations-course/
  • BCP and Measurement report templates


    A: Business Continuity Procedures (Set of contingencies to minimize potential harm to businesses during adverse scenarios) - A.17.1.2

    Would the Business Continuity Strategy and the Disaster Recovery Plan cover this, or there’s a specific document I could use from Advisera for this issue.

    Answer: For this draft the Disaster Recovery Plan can help you, but instead of the Business Continuity Strategy template, I suggest you take a look at the free demo of our Business Continuity Plan template at this link: https://advisera.com/27001academy/documentation/business-continuity-plan/

    This template can help you define precisely how the organization will manage incidents in the case of a disaster or other disruption of business, and how it will recover its critical activities within set deadlines.

    This article will provide you further explanation about BCPs:
    - Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/

    These materials will also help you regarding BCPs:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
    - Writing a business continuity plan according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/writing-a-business-continuity-plan-according-to-iso-22301-free-webinar-on-demand/

    B: Monitoring and Measurement Results (Determines what is to be monitored and measured above and beyond production processes).

    Does Advisera have a document for this issue?

    Answer: For this draft I suggest you take a look at the free demo of our Measurement Report at this link: https://advisera.com/27001academy/documentation/measurement-report/

    It can help you summarize the objectives for your ISMS, the measurement method, the frequency of measurement, and the results.

    These articles will provide you further explanation about monitoring:
    - Logging and monitoring according to ISO 27001 A.12.4 https://advisera.com/27001academy/logging-according-to-iso-27001/
    - How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/

    These materials will also help you regarding monitoring:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Maintenance plan


    Answer:
    An organization normally has some kind of infrastructure. For example: it can be buildings, utilities, equipment, transportation, hardware and software.

    As a good practice, organizations develop maintenance plans to prevent infrastructure failures that lead to production stoppage, missed delivery dates, customer dissatisfaction, overtime, extra costs of parts and their supply, less reliability and decreased useful lifetime. Usually a maintenance plan includes: infrastructure identification; on which date preventive maintenance will be carried out; who is responsible for doing it (the same machine can have several types of maintenance done by different people at different times); and what kind of maintenance will be done.

    The following material will provide you information about infrastructure management:

    - ISO 9001 – Understanding Resource Management in ISO 9001 https://advisera.com/9001academy/blog/2014/02/11/understanding-resource-management-iso-9001/
    - Free online training ISO 9001:2015 Foundations Course https://advisera.com/training/iso-9001-foundations-course/
    - Book Discover ISO 9001:2015 Through Practical Examples https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • GDPR Consultant


    Answer:

    Currently there is no requirement for a formal examination to become a GDPR consultant. However, there are many trainings and tools that can help you become a consultant - for example, you can take advantage of this GDPR Consultant Toolkit: https://advisera.com/eugdpracademy/consultants/
  • Information classification


    1. How to clearly differentiate the cases in which I label the information as vital, working standard, restricted, group restricted, confidential, strictly confidential.

    Answer: First of all, regarding your initial comment, you may be confusing the terms classification and labelling.

    For information security, information classification means the identification of the value of the information to the organization, and this is generally done based on the results of the risk assessment: the higher the consequences of unauthorized access or disclosure of the information, the higher the classification should be.

    On the other hand, information labelling refers to how the people who manipulate the information can quickly identify its classification and thus handle it correctly. For labelling, you can simply include in the label the classification level defined for the information (e.g., include in the header the words "vital", "confidential", etc.), or, if you do not want identification to be so obvious, you can use a code that only internal personnel will be familiar with (for example, a colour code or number identification).

    2. Who is the Information Owner? The head of the department who handles the information flow, or the information creator (so the one who writes the document)?

    Answer: If the information is handled by a few people or in a centralized way, the head of the department would be a better choice to be the information owner, because he is in a better position to ensure the information is protected. On the other hand, if the information is handled by many people or in a decentralized way, the information creator, or the person handling the information, would be a better choice to be the information owner.

    These articles will provide you further explanation about information classification:
    - Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

    These materials will also help you regarding information classification:
    - ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Control justification on SoA


    Answer: The justification for control selection/non-selection is mandatory under ISO 27001 (clause 6.1.3 d)).
