Answer: I'm assuming that for PCI you are referring to PCI-DSS. Considering that:
NIST Cyber Security Framework (CSF) gives you a methodology on how to implement information security or cybersecurity in an organization (in this point it is quite similar to ISO 27001, the ISO standard for information security management systems).
ISO 27002 is a standard that provides guidelines and recommendations for the implementation of the controls listed in ISO 27001. It differs from NIST CSF in that it does not establish a system methodology, only practices to be considered when implementing individual controls.
PCI DSS is a standard of data security for the credit card industry, providing a group of mandatory controls to be implemented by organizations that work with credit cards. Like ISO 27002 it does not define a methodology.
I wonder if it is possible to fill in SOA Applicability “No” for certain controls from Annex A / table A.1, in the situation where a risk is shared with the Company (e.g. HR security).
Answer: Sharing a risk means some part of the responsibility is divided between the Division and the Company, so you cannot state these controls as not applicable, but you can include observations stating this shared situation.
Answer: ISO 22301 and most regulations and industry practices do not define any specific distance to recovery sites because, as you mention, many factors can affect what would be considered a "safe" distance. From our experience, I suggest you start the discussion by proposing a distance between 30 miles (50 kilometers) and 100 miles (160 kilometers) away from your primary location, and from there analyse your organization's context (geographic situation, available resources, required investment, etc.).
You can use the general framework and adapt it to your needs. For example, you can change the following information:
- “what ISO 27001 is all about” to “what ISO 22301 is all about”
- “why is it good for the company – and also for themselves” to “why BCMS are good for the company – and also for themselves”
- “what is their role in handling information security” to “what is their role in BCMS”
How much time is needed before IATF 16949 certification?
Answer:
Certification can happen fairly quickly once your management system is ready. Usually, the certification bodies define the time needed, and it is from three to six months after the system is implemented (last document is approved and published). Before the certification, you will have to run the full cycle of your QMS, which includes conducting an internal audit and a management review.
The typical certification process involves an onsite Pre-Assessment if you desire, a stage-1 Readiness Review of your system, the stage-2 Certification Audit itself, closure of any open issues, a review by the registrar, and the issuance of your certificate.
Audit scope
Answer:
There is no single correct answer. Each organization should choose the best approach according to its own experience and system. Personally, I like to schedule the internal audits based on the process map of each organization, but one can base the internal audits on departments, on clauses of the standard, or on a mix of these approaches.
Based on the description provided the accounting company only acts as processor on behalf of sole traders and other limited companies.
If we are considering sole traders which are in fact natural persons (data subjects) the EU GDPR would be applicable and the documents found in the EU GDPR Documentation Toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ would be useful. For example, data breaches should be notified, according to their severity, to the Supervisory Authority and to the data subjects themselves (the sole traders).
As for the limited companies, the situation might differ depending on the type of activities provided by the accounting company. If we are talking about general ledger type activities, such as tax calculations and filing tax reports, which do not involve personal data, the EU GDPR is not applicable. However, if other accounting activities, such as payroll for the limited companies' employees or calculating tax deductions for employees, are delivered, this would mean that the EU GDPR would be applicable.
As a general remark, due to the fact that the accounting company has only one employee, there may not necessarily be a need to have procedures or complex processes set up in place. For example, EU GDPR article 30 requirements (Records of processing activities) are not compulsory for companies with fewer than 250 employees, which includes accounting companies (although it would be helpful to have it), and Data Protection Impact Assessments will most likely not be necessary.
Nevertheless, the only employee of the accounting company should be informed about the main GDPR provisions - especially the ones referring to personal data breaches and the use of sub-processors (if the accounting company outsources part of its activities to third parties). All relevant information can be found within the EU GDPR implementation toolkit.
Toolkit content
We are a small team. Can I remove the following sections:
"The project manager will prepare a project implementation report on a monthly basis and forward it to the project sponsor"
4 Managing records kept on the basis of this document
Record name: Project implementation report (in electronic form)
Storage location: Shared folder for project-related activities
Person responsible for storage: Project manager
Control for record protection: Only the project manager is authorized to edit data
Retention time: The report is stored for a period of 3 years
Answer: The toolkit templates are fully customizable, so you can edit them to fit your organization's needs (note that the sentence about the project implementation report already has a comment indicating that it can be deleted if considered unnecessary).
Regarding section 4 (Managing records kept on the basis of this document), if your organization is going for certification, you should keep this section, since this document will be a part of the ISMS documentation and the standard requires that documented information is controlled. Otherwise you can exclude this section too (but we strongly recommend you keep it, since even without going for certification the control of documented information is important to organizations).
2 - Why would we need to print and sign documents? Can online sign-off not be sufficient?
Answer: Only in very specific situations should you need to print and sign documents (e.g., when demanded by law or contracts). In most cases the digital version will be enough, and even when you are asked for a printed copy, usually it will not need to be signed.
3 - Would you expect us to have a document code? Is that necessary?
Answer: A document code is a common way organizations adopt to organize and control documentation, but it is not mandatory according to ISO 27001, so you do not have to create one if your organization does not see a reason to.
Included in the toolkit you bought, you have access to video tutorials that will help you write the project plan and the document control procedure.
Answer: Included in the toolkit you bought, you have access to a video tutorial that can help you write an ISMS scope using real data examples. Please check the “Repository” at the top left corner of your screen in Conformio. From there you can find the subfolder “Video Tutorials”. Consult this screenshot as a reference: https://www.screencast.com/t/T5rLxMgc3UJz