Search results


  • Approving Residual Risk in Conformio

    You need to approve residual risk so you can proceed to the next step of the implementation process.

    After this approval, you will define the risk treatment plan, where you will define the dates for the implementation of the controls not yet in place.

  • GDPR compliance for B2B software applications

    At Advisera we have a large set of resources that can help you drive your GDPR compliance project. B2B companies need to demonstrate compliance with GDPR when they process data of people in the EU or when they monitor their behaviour. You can start with our article “9 steps for implementing GDPR” (link below), followed by “A summary of 10 key GDPR requirements” and “Understanding 6 key GDPR principles”. I would also recommend consulting the “List of mandatory documents required by EU GDPR”, link below. These documents can be found in our EU GDPR Toolkit, which can be purchased on our website. This Toolkit contains a step-by-step approach to driving a GDPR compliance project and also provides a full set of templates needed for GDPR compliance.

    Please also consult these links:

  • Risk assessment question

    First of all, sorry for this confusion.

    A third party is any entity that is not under the direct control of an organization. Examples of third parties are: customers, suppliers, visitors, contractors, consultants, etc.

    A cleaner that does not belong to the organization’s staff can be considered a third party.

  • Establishment of the scope of the ISMS ISO 27001:2013

    First, it is important to note that an ISMS scope can be defined in terms of processes, location, or information to be protected.

    Considering that, and your stated scenario, you should define your ISMS scope either in terms of processes (development process, sales process, account process, etc.) or information to be protected (e.g., customer information, financial information, etc.).

    By the way, included with your toolkit you have access to a video tutorial that can help you define your ISMS scope. This video contains examples.

    For further information, see:
    - Tool for defining the ISO 27001 ISMS scope https://advisera.com/insight/chatbot-tool-iso-27001-scope/
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

  • Management of change

    Requirements for change management in an ISO 22301 BCMS can be found in the Business Continuity Policy template, section 3.8 – Changes in the BCMS, located in folder 03 Business Continuity Policy.

    ISO 22301 does not prescribe a change management procedure to be written, but in case you decide you need one, please take a look at this Change Management Policy template for ISO 27001. Even though it is an ISO 27001 document, it can be adapted to be used with ISO 22301:

    - https://advisera.com/27001academy/documentation/change-management-policy/

    For further information, see:
    - How to manage changes in an ISMS according to ISO 27001 A.12.1.2 https://advisera.com/27001academy/blog/2015/09/14/how-to-manage-changes-in-an-isms-according-to-iso-27001-a-12-1-2/

  • Risk Register question

    Since you are considering the weak password vulnerability to be related to people's behavior, it makes sense to consider it for Human-related assets in this case, but please note that you can also have situations where this vulnerability is defined for IT equipment.

    For example, some equipment only allows PIN numbers as passwords, or it is not possible to enforce password rules on them; in this case you can also define weak passwords as a vulnerability for IT equipment. You can use only one of these two vulnerabilities, or you can use both if both are applicable.

  • CE Marking

    1 - Between the end of June and when they get the renewal, can I sell the products I hold that were manufactured under a valid CE, even though they will be out of date?

    For all medical devices that are produced until the expiry date of the MDD certificate, you can sell until the expiry date of the device.

    2 - If I purchase new products that have been produced without a valid CE, they will not be compliant, will they?

    The manufacturer is not allowed to produce the device anymore after the certificate has expired.

  • Inquiry about the following ISO27001 controls

    1. Physical office security for site 1:

    Given the scenario above, is it possible to treat the site 1 office as out of scope? The existing security controls of the office do not fully conform with the standard, and our personnel cannot make major changes to the office security since they are only sitting in our Parent company’s office. In terms of risk associated with the physical security, we assess that it is minimal since most of the time our personnel are working remotely (80% of the time) anyway. The security will be enhanced on the personnel themselves (awareness), their system accesses (policy, access rights and reviews, and the like), and their user laptops (endpoint security such as anti-malware, DLP agent).

    If the site 1 office does not contain highly sensitive information, and if the people from this site have only restricted access to offices within the scope, then you can exclude office 1 from the scope.

    For further information, see:

    2. In site 2, our HR, Recruitment, and IT (laptop, user peripherals, purchasing of this equipment) services are provided by our Parent company (shared among some of its subsidiary companies). Are they still considered a supplier of the services, and will they be required by the standard to comply with the applicable 3rd party controls (NDA, contracts, etc.)? We do not have such a contract established with our parent company. The personnel of the aforementioned teams only access “internal” classified data such as employee info, payroll, and the like.

    In case the parent company acts as a service supplier accessing information your ISMS needs to protect (i.e., information included in the ISMS scope), then you need to treat this parent company as a supplier, and controls applicable to suppliers need to be applied, but please note that in this case, the agreements signed with such "suppliers" do not need to be fully formal (i.e., instead of full formal contracts you can use something like internal memos).

    For further information, see:

    • 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

  • how close treatments

    You need to gather information to evidence that actions taken to treat the risk were performed according to the decision made, and that expected results were achieved.

    For example, in case you have a data loss risk and the decision is to treat the risk by including that data in a backup routine, then you need to evidence the backup schedule covering the related data, and the results of the performed backups to show that the data was indeed backed up.

    This article will provide you with further explanation about risk treatment:

  • Internal audit of management systems and GDPR

    In general, this is not a breach of GDPR because there are no significant risks to the freedoms and rights of the data subjects, but you need to take a few things into consideration to make sure that the processing is fully compliant with the GDPR requirements. Since the name and position of employees are personal data per Article 4 GDPR – Definitions, listing these categories of personal data in different reports and attachments is considered to be the processing of personal data. Whenever you are assessing whether the processing of personal data is GDPR-compliant, you must make sure that the processing is necessary (and the same objective cannot be obtained without processing personal data) and that it respects all GDPR principles described in Article 5 GDPR – Principles relating to the processing of personal data:

    • Lawfulness, fairness, and transparency (employees understand that their data is published in these reports).
    • Purpose limitation (there is a clear scope of processing).
    • Data minimization (only data necessary for the purpose is being processed).
    • Accuracy.
    • Storage limitation (define clear retention timelines after which the data should be anonymized).
    • Security.

    The legal ground for this processing could be the legitimate interest of the organization to create meaningful reports that can be used internally and that allow other employees to contact the people who worked on these reports/audits. In this case, you should also perform a Legitimate Interest Assessment and allow employees to exercise their right to object, according to Article 21 GDPR – Right to object.

    Please also consult these links:
