Search results

Home / Search

Category:
Select
Select

11270 results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Roles and responsibilities


    I need to know how to comply with this mandatory document, should I just create a document with all the roles related to the ISMS e.g. CISO and descript what is the role/responsibilities for him?

    Answer: Included in the toolkit you bought there is the "List of Documents" file, which shows you which clauses of the standard are covered by which templates.

    Regarding control A.7.1.2 (Terms and conditions of employment), the following templates cover this clause:
    - Confidentiality Statement, located in folder 08 Annex A, sub folder A.7 Human resource security
    - Statement of Acceptance of ISMS Documents, located in folder 08 Annex A, sub folder A.7 Human resource security
    - Supplier Security Policy, located on folder 08 Annex A, sub folder A.15 Supplier relationships
    - Security Clauses for Suppliers and Partners, located in folder 08 Annex A, sub folder A.15 Supplier relationships

    Regarding control A.13.2.4 (Confidentiality or non disclosur e agreements), the following template covers this clause:
    - Confidentiality Statement, located on folder 08 Annex A, sub folder A.7 Human resource security

    If you find that these templates still do not cover your needs, you can schedule a meeting with one of our experts (this meeting is included in your toolkit) so he can help you to handle your situation. To schedule a meeting, please access this link: https://advisera.com/27001academy/consultation/

  • Segregation of duties


    Answer: There is no specific template for segregation of duties because responsibilities are defined in each template according the required tasks to be performed (for example, in the Back up policy template, you can define different job titles to create and test backup copies). If for a required activity your organization identifies there is need to segregate it, you can adjust the template to that specific situation.

    Additionally, in the Information Security Policy template you can define segregated activities related to information security (please see the section 4.5 of the document). This template can be found on folder 04 Information Security Policy.

    This article will provide you further explanation about segregation of duties:
    - Segregation of duties in your ISMS accord ing to ISO 27001 A.6.1.2 https://advisera.com/27001academy/blog/2016/11/21/segregation-of-duties-in-your-isms-according-to-iso-27001-a-6-1-2/

    This material will also help you regarding segregation of duties:
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

  • A path between the ISO 27001 certification and the GDPR toolkit


    Answer: In the Article 32, EU GDPR requires the implementation of security controls, so in our EU GDPR Toolkit we have included 11 documents from ISO 27001 that will cover this requirement - here they are:
    - IT Security Policy (in the ISO 27001 toolkit this one is called the Acceptable Use Policy)
    - Access Control Policy
    - Security Procedures for IT Department (in the ISO 27001 toolkit this one is called the Operating Procedures for Information and Communication Technology)
    - Bring Your Own Device (BYOD) Policy
    - Mobile Device and Teleworking Policy
    - Clear Desk and Clear Screen Policy
    - Information Classification Policy
    - Policy on the Use of Encryption Article 32
    - Disaster Recovery Plan Article 32
    - Internal Audit Procedure Article 32
    - ISO 27001 Internal Audit Checklist

    The point is, the implementation of these security controls is ca 50% of the whole GDPR implementation, while the rest of the effort should be focused on privacy and legal issues.

    These links will help you:
    - Diagram of the EU GDPR implementation process https://advisera.com/eugdpracademy/free-downloads/
    - EU GDPR Documentation Toolkit - you'll find a list of all documents on that page: https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/

  • Management Review inputs and monitoring and measurement


    Answer:

    According to the process approach, your QMS is a set of interrelated processes. Every process has indicators or some other methods of measuring and monitoring performance. The Management Review Meeting (MRM) is a good place to do two things with those methods. First, are they relevant? Do you still consider them to be good choices to monitor and measure performance? Do you see better choices? Second, what about the performance level according to those indicators and other methods? Should your company update the targets for performance? Should your company develop improvement actions?

    The following material will provide you information about monitoring and measurement:

    * Monitoring and Measurement: The basis for evidence-based decisions - https://advisera.com/ 001academy/blog/2014/04/15/monitoring-measurement-basis-evidence-based-decisions/
    * How to implement the Check phase (performance evaluation) in the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/11/17/how-to-implement-the-check-phase-performance-evaluation-in-the-qms-according-to-iso-90012015/
    * How to define Key Performance Indicators for a QMS based on ISO 9001- https://advisera.com/9001academy/24/define-key-performance-indicators-qms-based-iso-9001/-iso-9001/
    * free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    * book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • CAB and ITIL implementation


    Answer:
    Yes, roll-out should involve CAB definition and implementation.
    Here is the article about CAB that can help you: "Change Advisory Board in ITIL – advise, approve or what?" https://advisera.com/20000academy/knowledgebase/change-advisory-board-itil-advise-approve/

    Process for project roll-out is shown in this diagram "ITIL Implementation diagram" https://info.advisera.com/20000academy/free-download/itil-implementation-diagram

  • Applicability of control A.14.1.3


    Answer: Financial information is only one kind of information that may require the application of control A.14.1.3 (Protecting application services transactions). Other examples of information that may require protection in application service transactions are health information and information the organization classified as sensitive.

    So, even if your organization don't have online financial transaction you may have other types of sensitive information processed by your web applications that may require the application of control A.14.1.3. You should consult your inventory of assets, the information classification policy and which information are processed on your web applications to verify if control A.14.1.3 is applicable.

    This article will provide you further explanation about securing applications:
    - How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/

  • Asset owner and risk owner


    (What is the difference between the asset owner and the risk owner?)

    Answer: The asset owner is the person responsible for protecting and managing an asset in your company, while the risk owner is a person designated to solve a risk. Although these are different roles, they can be performed by the same person in a small organizations, but you should note that designating these roles to the same person becomes increasingly complex as the quantity of assets and risks under his responsibility increases.

    This article will provide you further explanation about asset owner and risk owner:
    - Risk owners vs. asset owners in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/

    These materials will also help you regarding asset owner and risk owner:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

  • Information labelling


    Answer: This statement is only a recommendation. ISO 27001 control A.8.2.2 (Labeling of information) does not define any form of labeling, only that a labeling procedure must be defined and implemented (if the control is considered applicable). How to label information is an organization's decision. In cases where the implementation of labeling is not feasible, or it will require much effort or resources, an organization can define that labeling will not be applicable.

    This article will provide you further explanation about informat ion handling:
    - Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
Page 841-vs-13485 of 1127 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +