Search results


  • SOA content


    I wonder if it is possible to fill in SOA Applicability "No" for certain controls from Annex A / Table A.1, in the situation where a risk is Shared with the Company (e.g. HR security).

    Answer: Sharing a risk means some part of the responsibility is divided between the Division and the Company, so you cannot state these controls as not applicable, but you can include observations stating this shared situation.

    This article will provide you further explanation about SOA:
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
  • Distance of recovery site


    Answer: ISO 22301 and most regulations and industry practices do not define any specific distance to recovery sites because, as you mention, many factors can affect what would be considered a "safe" distance. From our experience, I suggest you start the discussion by proposing a distance between 30 miles (50 kilometers) and 100 miles (160 kilometers) away from your primary location, and from that analyse your organization's context (geographic situation, available resources, required investment, etc.).

    This article will provide you further explanation about distance of recovery site:
    - Disaster recovery site – What is the ideal distance from primary site? https://advisera.com/27001academy/knowledgebase/disaster-recovery-site-what-is-the-ideal-distance-from-primary-site/

    This material will also help you regarding distance of recovery site:
    - Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
  • BCMS presentation to top management


    Answer: I suggest you take a look at this free material: Why ISO 27001 – Awareness presentation, which you can find at this link: https://info.advisera.com/27001academy/free-download/why-iso-27001-awareness-presentation

    You can use the general framework and adapt to your needs. For example, you can change the following information:
    - “what ISO 27001 is all about” to “what ISO 22301 is all about”
    - “why is it good for the company – and also for themselves” to “why BCMS are good for the company – and also for themselves”
    - “what is their role in handling information security” to “what is their role in BCMS”

    Then you can finish presenting the BCMS proposal.

    Additionally, I suggest you these materials:
    - Free webinar – ISO 22301: An overview of the BCM implementation process [free webinar] https://advisera.com/27001academy/es/webinar/iso-22301-an-overview-of-bcm-implementation-process-free-webinar/ – maybe you can use some items from here.
    - ISO 22301 benefits: How to get your management’s approval for a business continuity project https://advisera.com/27001academy/knowledgebase/iso-22301-benefits-how-to-get-your-managements-approval-for-a-business-continuity-project/
  • How much time is needed before IATF 16949 certification


    Answer:

    Certification can happen fairly quickly once your management system is ready. Usually the certification bodies define the time needed, and it is from three to six months after the system is implemented (last document is approved and published). Before the certification you will have to run the full cycle of your QMS; this includes conducting the internal audit and management review.

    The typical certification process involves an onsite Pre-Assessment if you desire, a stage-1 Readiness Review of your system, the stage-2 Certification Audit itself, closure of any open issues, a review by the registrar, and the issuance of your certificate.
  • Audit scope


    Answer:

    There is not a unique correct answer. Each organization should choose the best approach according to its own experience and system. Personally I like to program the internal audits based on the map of processes of each organization, but one can base the internal audits along departments, along clauses of the standard or mixes of these approaches.

    The following material will provide you information about audit programs:
    - ISO 9001 – What is the ISO 9001 audit program, and how does it work? https://advisera.com/9001academy/blog/2017/01/24/what-is-the-iso-9001-audit-program-and-how-does-it-work/
    - Free online training ISO 9001:2015 Foundations Course https://advisera.com/training/iso-9001-foundations-course/
    - Free online training ISO 9001:2015 Internal Auditor Course https://advisera.com/training/iso-9001-internal-auditor-course/
  • GDPR compliance for accountancy business


    Answer:

    Based on the description provided, the accounting company only acts as a processor on behalf of sole traders and other limited companies.

    If we are considering sole traders which are in fact natural persons (data subjects) the EU GDPR would be applicable and the documents found in the EU GDPR Documentation Toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ would be useful. For example, data breaches should be notified, according to their severity, to the Supervisory Authority and to the data subjects themselves (the sole traders).

    As for the limited companies, the situation might differ depending on the type of activities provided by the accounting company. If we are talking about general ledger type activities, such as tax calculations or filing tax reports, which do not involve personal data, the EU GDPR is not applicable. However, if other accounting activities, such as payroll for the limited companies' employees or calculating tax deductions for employees, are delivered, this would mean that the EU GDPR would be applicable.

    As a general remark, due to the fact that the accounting company has only one employee, there may not necessarily be a need to have procedures or complex processes set up in place. For example EU GDPR article 30 requirements (Records of processing activities) are not compulsory for companies under 250 employees which includes accounting companies (although it would be helpful to have it) and the Data Protection Impact Assessments will most likely not be necessary.

    Nevertheless the only employee of the accounting company should be informed about the main GDPR provisions - especially the ones referring to personal data breaches and the use of sub-processors (if the accounting company outsources part of its activities to third parties). All relevant information can be found within the EU GDPR implementation toolkit.
  • Toolkit content


    We are a small team; can I remove the following sections:

    "The project manager will prepare a project implementation report on a monthly basis and forward it to the project sponsor"

    4 Managing records kept on the basis of this document
    Record name: Project implementation report (in electronic form)
    Storage location: Shared folder for project-related activities
    Person responsible for storage: Project manager
    Control for record protection: Only the project manager is authorized to edit data
    Retention time: The report is stored for a period of 3 years

    Answer: The toolkit templates are fully customizable, so you can edit them to fit your organization's needs (if you note, the sentence about the project implementation report already has a comment orienting that it can be deleted if considered unnecessary).

    Regarding section 4 (Managing records kept on the basis of this document), if your organization is going for certification, you should keep this section, since this document will be a part of the ISMS documentation and the standard requires that document information is controlled. Otherwise you can exclude this section too (but we strongly recommend you to keep it, since even without going for certification the control of document information is important to organizations).

    2 - Why would we need to print and sign documents? Can online sign-off not be sufficient?

    Answer: Only for very specific situations you should have the need to print and sign documents (e.g., when demanded by law or contracts). In most cases the digital version will be enough, and even when you are asked for a printed copy, usually it will not need to be signed.

    3 - Would you expect us to have a document code? Is that necessary?

    Answer: A document code is a common way organizations adopt to organize and control documentation, but it is not mandatory according to ISO 27001, so you do not have to create one if your organization does not see a reason to.

    Included in the toolkit you bought you have access to video tutorials that will help you write the project plan and the document control procedure.

    These materials will also help you regarding documentation:
    - Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • ISMS scope


    Answer: Included in the toolkit you bought, you have access to video tutorials that can help you write an ISMS scope using real data examples. Please check the “Repository” at the top left corner of your screen in Conformio. From there you can find the subfolder “Video Tutorials”. Consult this screenshot as a reference: https://www.screencast.com/t/T5rLxMgc3UJz

    These articles will also provide you further explanation about defining the scope:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
  • Data breach notification


    Answer: Based on the information provided, there could be two potential situations that should be considered:

    1) if the customers are legal entities (companies), the company would have to notify the affected legal entities about the personal data breach and not the Supervisory Authority. Usually the requirements for the breach notification (both timing and content of the notification) would be established by the customers and mentioned in a legally binding document (a diligent customer would require the provider to notify all data breaches and not only personal data breaches). The Data Breach Response and Notification Procedure from the EU GDPR Implementation toolkit would provide guidance on how to handle the personal data breach internally: https://advisera.com/eugdpracademy/documentation/data-breach-response-and-notification-procedure/

    2) if the customers are natural persons (individuals) then the data breach could be handled also based on the Data Breach Response and Notification Procedure from the EU GDPR Implementation toolkit.

    With regards to the assessment of the impact of the personal data breach, if the provider has access to the personal data that was subject to the data breach, the provider should identify the risk for the customers and determine the notification requirements.

    However, if the Data Center cannot access the information it is advisable to have a clause in the Terms & Conditions or the contract stating roughly that the customer should not upload any personal data or sensitive information without implementing adequate security measures such as encryption and that the provider would not be responsible for any direct or indirect losses generated by the personal data breach.
