  • BIA vs AIA


    My answer: Sorry, but the term "Application Impact Analysis" (Análisis de Impacto en Aplicativo) relates to IT applications, and this term is not used by ISO 22301. This standard, I mean ISO 22301, is designed for the business (not just for IT), and you could use the BIA (Business Impact Analysis, or Análisis de Impacto en el Negocio in Spanish) to determine the impact of IT applications on the business (the BIA is the specific impact analysis tool of ISO 22301). If you are interested in the BIA, you can read this article: https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
  • Scope Definition


    Answer: You can limit your ISMS scope to your core business offering without problems, but for small and medium-sized organizations it is sometimes better to include the whole organization in the ISMS scope, because the effort of managing a scope that covers only part of the organization is not worthwhile.

    These articles will provide you with further explanation about scope definition:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    These materials will also help you regarding scope definition:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Controls required for ISO 27001 certification


    Answer: According to ISO 27001, the elements you mentioned only need to be in place in the following situations:
    - they are needed to treat unacceptable risks
    - they are required by laws or contracts the organization must comply with
    - they are demanded by top management for any other reason

    If you cannot link these elements to any of these reasons they are not required for ISO 27001 certification.

    These articles will provide you with further explanation about ISO 27001 and mandatory documents:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    - List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

    This article will provide you with further explanation about risk assessment and risk treatment:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    These materials will also help you regarding ISO 27001, mandatory documents, risk assessment and risk treatment:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Risk-based approach example

    Very helpful
    Many Thanks
  • GDPR - Supervisory Authorities


    Answer:

    In your case, based on the description provided, since you only have one establishment in the UK, the Supervisory Authority you will have to deal with in terms of the GDPR is the UK Information Commissioner’s Office.
  • Data importer and Data exporter

    We are being asked to fill in the "data exporter" during an agreement with a third party, and my understanding is that it should refer to our company name, but I want to be sure.

    Answer:

    The EU GDPR does not provide a definition for the “data importer” or the “data exporter”, nevertheless these definitions can be found in COMMISSION DECISION 2010/87/EU on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council.

    According to article 2 of the abovementioned Decision:
    - “data exporter” means the controller who transfers the personal data;
    - “data importer” means the processor established in a third country who agrees to receive from the data exporter personal data intended for processing on the data exporter’s behalf after the transfer in accordance with his instructions and the terms of this Decision and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC.

    Learn more here: EU GDPR controller vs. processor – What are the differences? https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
  • ITSM Implementation


    Answer:
    That depends on many circumstances. But let's assume you have management commitment and available resources (if not, gaining management commitment is a must-have). Our free webinar (recording is available) "How to use a Documentation Toolkit for the implementation of ITIL / ISO 20000" https://advisera.com/20000academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-itil-iso-20000-free-webinar-on-demand/ will give you a lot of information that you can use to start your project and answer the question regarding necessary documentation.
    Also, the article "12 steps for ISO 20000 implementation" https://advisera.com/20000academy/blog/2016/09/06/12-steps-for-iso20000-implementation/ contains guidance on how to approach the implementation.

    Regarding training, at least ISO 20000 Foundation is advisable. It will give you an understanding of the standard's requirements and some hints on how to approach the implementation.
  • Implementar ISO 22301 sin ISO 27001

    Question: Is it possible to implement ISO 22301 without ISO 27001? Answer: Absolutely, although if you implement ISO 27001, implementing ISO 22301 can be very straightforward, because both standards have many points in common. You may find this webinar interesting: https://advisera.com/27001academy/es/webinar/iso-27001-iso-22301-why-is-it-better-to-implement-them-together-free-webinar/
  • No Quality Manual?


    Answer:

    First, there is no mandatory requirement to keep documented information about clause 4.2. That means organizations are free to decide how to handle that clause. An organization can decide to address clause 4.2 in a top management meeting record, for example.

    Second, although the Quality Manual is no longer a mandatory document under ISO 9001:2015, that doesn’t mean that an organization shouldn’t keep a document, called Quality Manual, or Organization ID Card, or by any other name, bringing together important information about the organization such as: who we are, what we do, to whom and with whom we work, what we believe in, and how we do it.

    The following material will provide you with information about ISO 9001:2015 and the Quality Manual:
    - ISO 9001 – The future of the Quality Manual in ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/the-future-of-the-quality-manual-in-iso-90012015/
    - Free online training ISO 9001:2015 Foundations Course https://advisera.com/training/iso-9001-foundations-course/