Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11272 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Elaborating an audit checklist
We received this question:
>If for example under access control, in the XXX document of business I am doing an internal audit for, it clearly states that access requests are made by the IT administration and any approval or rejection is dealt with by the information and security manager or senior clerk. Would I still need to speak to the relevant people to ask this question, or would I simply note down that this information is in policy document number xxxx and effectively tick it off my list?
>
>The reason for asking is because this document is around 72 pages long and it could take considerable time to do these for each area within this one document. I would just like to be sure before I proceed with the checklist.
Answer: You must include asking some questions to relevant people about this document to ensure people are acting accordingly what was planned (remember, in an audit you must verify if controls are planned and implemented properly and if people are performing as expected).
Regarding the size of the document, you can choose some critical questions to make (you do not have to cover all the document in a single audit) considering the time you have to perform the audit. One interesting question is if you ask to the auditee to show you one access request he has made, explaining how he performed it. -
Lead auditor and lead implementer courses
thats what i need advise on…
Answer: Since you work as a consultant, the ISO 27001 Lead Implementer course would be a more adequate alternative to you, since this course can help you understand and implement an ISO 27001 ISMS, and how to apply controls in Annex A.
The ISO 27001 Lead Auditor Course is more adequate to a person who wants to become a certification auditor.
These articles will provide you further explanation about lead implementer and lead auditor courses:
- What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
- What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
- Lead Auditor Course vs. Lead Implementer Course – Which one to go for? https:// advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/ -
Approaches beyond asset-based for risk assessment
Answer: Since other methods besides the asset-based approach to risk assessment are not commonly used by small and medium organizations, we do not have specific material about them, but we can suggest you to take a look at the ISO 31010 standard (www.iso.org/standard/51073.html), which will provide you examples of other risk assessment methodologies, including the scenario-based approach.
This article will provide you further explanation about ISO 31010:
- ISO 31010: What to use instead of the asset-based approach for ISO 27001 risk identification https://advisera.com/27001academy/blog/2016/04/04/iso-31010-what-to-use-instead-of-the-asset-based-approach-for-iso-27001-risk-identification/ -
ISO9001 Scope
The scope of the QMS (Quality Management System) should include all processes that affect quality of products and services and customer satisfaction. Also, in the document about the scope you need to document what locations of your organization are covered by the QMS scope.
For more information, see: How to define the scope of the QMS according to ISO 9001:2015 https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
These materials will also help you regarding the QMS scope:
- Book DISCOVER ISO 9001:2015 THROUGH PRACTICAL EXAMPLES https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
- Free online training ISO 9001:2015 Foundations Course https://advisera.com/training/iso-9001-foundations-course/
- Conformio (online tool for ISO 9001) https://advisera.com/conformio/ -
Privacy Framework
Answer:
Based on the information you provided it looks like your question relates to cross border personal data transfers, more precisely to the safeguards needed in order to ensure that a cross border transfer is lawful.
Before jumping into the matter at hand we should first clarify what does a cross border data transfer means: a cross border data transfer means a transfer to non EU/EEA countries as well as countries that have not been deemed by the European Comission as providing an adequate level of protection as regards to personal data (adequacy decisions countries). In a nutshell any transfer out of EEA or to countries without adequacy decisions is a cross border data transfer.
As a general rule the EU GDPR states that cross border data transfers are forbidden unless proper safeguards are used.
Coming back to the question:
1. transfers to UK are not considered cross border data transfers since UK is still in the EU thus no need to have any safeguards. Once UK will leave EU this issue would have to be reconsidered based also on the results of the Brexit negotiations.
2. transfers to Canada are not considered cross border because Canada has been issued an adequacy decision by the EU Comission.
3. Australia is not in the EU/EEA and no adequacy decision has been issued thus adequate safeguards must be set in place. One of the most commonly used safeguards are the use of the "Model Contracts for the transfers of personal data to third countries" (Model clauses) . The EU GDPR implementation Toolkit provides guidance on how to use these contracts - see details here : https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/
4. US and EU have agreed (July 2016) on the new framework for transatlantic data flows: EU-US Privacy Shield. This new framework replaced Safe Harbour which was declared invalid by the European Court of Justice (EUCJ) in October 2015. Currently transfers between EU and US can be grounded on Privacy Shield although this is currently challenged in front of EUCJ as well and, there is no telling what would be the outcome. As an alternative "Model clauses" can be used as safeguards instead of Privacy Shield and this approach would cover the risk of Privacy Shield being invalidated. -
Exclusiones de las cláusulas 8.3 y 7.1.5
He recibido esta pregunta: Estoy implementando ISO 9001 en una empresa que distribuye y vende válvulas y equipos de medición a industrias Oil & gas en toda latinoamérica. Los equipos son comprados previamente a otra companía. Mi pregunta es si debo excluir de mi SGC los requisitos 8.3 Diseño y Desarrollo y 7.1.5 Recursos de seguimiento y medición, ya que vendemos productos terminados Mi respuesta: Como la empresa no posee ningún proceso de diseño y desarrollo dentro del alcance del SGC, entonces puedes excluir la cláusula 8.3 del alcance de la organización. A la hora de excluir cláusulas de la norma, necesitas documentar dichas exclusiones en la documentación sobre el alcance del SGC y proporcionar justificaciones de las exclusiones. Interpreto por otro lado, que la companía además no hace seguimiento y medición de los equipos en sus procesos por lo que también podrías excluir la cláusula 7.1.5 del alcance. Para más información puedes ver "Qué cláusulas pueden ser excluidas en ISO 9001:2015" (en inglés): https://advisera.com/9001academy/blog/2015/07/07/what-clauses-can-be-excluded-in-iso-90012015/2015/ Estos materiales pueden ayudarte con respecto a la implementación de ISO 9001: - Libro"Preparación para el proyecto de implementación ISO: una guía en un lenguaje sencillo": https://advisera.com/books/preparacion-para-el-proyecto-de-implementacion-iso-una-guia-en-un-lenguaje-sencillo/ - Curso gratuito en línea: Curso de fundamentos ISO 9001 https://advisera.com/es/formacion/curso-fundamentos-iso-9001/ - Conformio (Herramienta en línea para ISO 9001): https://advisera.com/conformio/ -
Continual vs step change improvement process
Answer:
The process of continuous improvement is a kind of incremental process, each improvement is a small breakthrough built on what previously existed. It works well when the outside world does not change greatly. When the outside world changes rapidly, or when an organization has been without incremental improvements for a long time, and therefore has become very out of phase with external reality, incremental improvement is no longer enough. It is in these situations that a step change improvement process is required, other name for step change improvement process is, for example, reengineering. With a step change improvement process the improvement is not based on what previously existed.
The following material will provide you information about improvement:
ISO 9001 – Plan-Do-Check-Act in the ISO 9001 Standard - https://advisera.com/9001academy/knowledgebase/plan-do-check-act-in-the-iso-9001-standard/
ISO 9001 - Seven Steps for Corrective and Preventive Actions to support Continual Improvement - https://advisera.com/9001academy/blog/2013/10/27/seven-steps-corrective-preventive-actions-support-continual-improvement/
Corrective actions vs. continual improvement in AS9100 - https://advisera.com/9100academy/knowledgebase/corrective-actions-vs-continual-improvement-in-as9100/
free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
SoA content_
Just taking as example the HR security, the division which is to implement ISO 27001 is using Company's HR procedures. Does the division need to describe exactly in SoA what processes are shared, or is it enough to write in SoA that HR Security controls are Shared with the Company?
Answer: By "processes" I'm assuming you are referring to security processes performed in a shared way by the Division and the Company's HR.
Considering that, first of all, for shared controls you have to state clearly in the SoA which part of each control is implemented by whom. Regarding the level of detail about how a control is implemented, if you have documents related to HR security available (e.g., policies or procedures) you can write a small text to provide an general overview and include references to these documents, or to the location where they can be found. If you do not have these documents available then you have to describe in SoA the whole HR security process. -
Data mapping for GDPR
Answer:
Based on the background provided it seems the information asset inventory is limited to IT assets only and performed from the perspective of an IT security manager. This approach most likely won't provide a full picture of the processing activities performed in your organization.
Using a data discovery tool, although useful in some instances, will only provide some information about where the personal data is being stored and how it transits through different systems. The information gathered this way would not be sufficient to build a record of processing activities as required by art. 30 of the EU GDPR.
Our advice would be to start the data mapping process by first identifying the data proce ssing activities based on the processes that are ongoing within your company, for example in an university this could be gathering information about students onboarding, students lifecycle, HR management, security (IT Security and Physical security), suppliers management etc.
After identifying the relevant processes and processing activities the record of processing activities can be filled in with the information required by art. 30 of the EU GDPR. The EU GDPR implementation Toolkit provides guidance on how to perform a the data mapping as well as a template containing all the fields needed to ensure compliance with the EU GDPR art. 30 requirements - see the details here: https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ -
Template content
I have just started work with the Risk Assessment Table template. Is it possible to change the colour range in the Risk column? Would like to have 0=green, 1=yellow, 2=orange and 3 and 4 =red. 3 and is red, but there is no colour scaling on 0,1 and 2...
Yes. The templates are fully customizable, and you can adjust them to fit your organizations needs, including the colour range in the Risk Column.
I did have a look at the post in Expert Advice Community – could you also describe how to change the colour scaling, please
Please follow these steps:
1- Select cells I4 through I700. Do this by dragging from I4 to I700.
2- Then, click Home > Conditional Formatting > New Rule.
3- In the New Formatting Rule dialog box, click Format only cells that contain.
4- In the box where is select is between, change to is equal to
5- In the box besides the box filled with is equal to include the value 0.
6- Click Format.
7- In the Fill tab, select Green.
8- Click OK until the dialog boxes are closed.
9- The formatting is applied to column the selected cells.
Repeat the process to include rules for the colours yellow and orange for values 1 and 2 respectively.
For more information please access this link: https://support.office.com/en-us/article/Use-formulas-with-conditional-formatting-fed60dfa-1d3f-4e13-9ecb-f1951ff89d7f