
  • SaaS provider

    According to ISO 27001, customers should be considered interested parties, i.e., someone that can affect, or be affected by, information security, not assets.

    For further information, see:
    - Who are interested parties, and how can you identify them according to ISO 27001 and ISO 22301? https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301/
    - Asset List for ISO 27001 Risk Assessment https://info.advisera.com/27001academy/free-download/asset-list-for-iso-27001-risk-assessment/
    - How is ISO 27001 applicable for Software-as-a-Service companies? https://info.advisera.com/27001academy/free-download/how-is-iso-27001-applicable-for-software-as-a-service-saas-companies

  • ISO 27001 Certification Data

    (1) How many months of data/records of implementation are needed for the ISO 27001 certification?

    Answer: Please note that ISO 27001 does not require a minimum period of data/records (i.e., a minimum period of the ISMS operation before the certification), however, some certification bodies do have such requirements, and some don't. Therefore, you should speak to the certification body you have chosen and see what criteria they have.

    This article may also help you: 
    - How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/


    (2) What is the usual timeline for the ISO 27001 certification, from preparations, training, Stage 1, and Stage 2 certification?

    Answer: Please note that “preparations and training” means the implementation and operation of the Information Security Management Systems. For small and midsize organizations the implementation time frame can vary from 3 to 18 months, depending upon the size and complexity of the ISMS scope.

    For further information, see:
    - Time, effort, and roles needed to implement ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/#effort

    Regarding the certification audit, the total days to complete a certification audit (i.e., stages 1 and 2) will depend on the defined ISMS scope (e.g., number of locations, number of employees, etc.), so without detailed information, we cannot provide a precise answer for your case.

    For small companies, the Stage 1 and Stage 2 audits will usually take ca. 5 days in total. These two audits can take place 2 weeks to 2 months apart.

  • ISO 27001 Staff Security Awareness

    Your scenario is not enough to be compliant with the standard, because it is not clear that you identified the necessary competencies for awareness and training (i.e., which topics you need to cover, which in general are based on perceived risks, turnover rate, or legal requirements), and while you captured evidence of provision, it is not clear that the effectiveness of the actions taken is evaluated (e.g., by means of a test at the end of each session).

    ISO 27001 does not prescribe the frequency of training, so organizations can define it according to their needs.

    The standard also does not prescribe ways of delivering training and awareness, so organizations can define them according to their needs.

    For further information, see:

    This material will also help you regarding awareness and training:

  • ISO 27001 Measurement and Monitoring

    Does the auditee's incorrect response to the auditor's question impact the internal audit?

    An incorrect response by the auditee may lead the internal auditor to raise a nonconformity.

    Based on the responses of other auditees and on other audit techniques, such as document review and field observation, an experienced internal auditor can identify whether the situation is caused by auditee nervousness, lack of the needed knowledge, or a real failure in following policies and procedures (the last two would be considered situations for raising a nonconformity).

    Will the internal audit planning be the same for small, mid-sized, and large organizations?

    Most probably not, because the audit planning needs to take into account the size and complexity of the audit scope.

    For further information, see:

  • ISMS Policy vs Information Security Policy

    Thank you!

  • Question on Monitoring and measurement of product

    It is necessary to prove that you have traceability for the calibration process.

    There are two possible scenarios: 
    1. If you are using an accredited laboratory for the calibration, then the certificate of that accredited laboratory will be enough. That certificate states with which etalon the calibration was made (ID number of the etalon and certificate number for the etalon).
    2. If you are making your own calibration, it means that you need to have some etalon, and that etalon must also be calibrated. The etalon is also calibrated in an external accredited laboratory, and with each etalon you will receive a calibration certificate. When you are performing internal calibration with etalons, you have to record with which etalon you have made it.

  • DPO and GDPR flowchart

    1. Do you have a flowchart diagram for GDPR implementation similar to the one attached to this email (for ISO 27K1)?

    No, the flowchart is not needed, since the GDPR toolkit you purchased gives you the exact steps you should follow in the implementation - the numbered folders in the toolkit are the implementation steps. The best document for managing the project is found in the directory 01_Preparations_for_the_Project, called Project Plan.

    2. I am working for a firm which does not perform a lot of personal data processing and hence does not need a DPO. In the toolkit, what or who should I replace the DPO with, as the DPO role is used all across the toolkit?

    You can replace the Data Protection role with the person responsible for data protection in your organization, like the Privacy Manager, the Compliance Manager, or even the IT Manager. The DPO role is very formal; it has specific requirements. However, even if you don’t need a DPO, you should have in your organization a go-to person in case there are questions from data subjects or data protection authorities: a person who can assist with guidance related to GDPR-compliance issues. That person should be referenced in the documents.

    Please consult these links as well:

  • SOA Table ISO 27018 specific controls for processing Personally Identifiable Information (PII)

    From your question, I’m assuming that by renumbered clauses you mean the clauses related to the reviewed controls in the ISO 27002 standard, released in February 2022.

    Considering that, please note that the ISO 27001, 27017 & 27018 toolkit is based on the ISO 27001 standard, and a new version of this standard is expected to be released only in May 2022.

    ISO 27002 is only a supporting standard to implement ISO 27001, and it is not mandatory to implement ISO 27001.

    The new toolkit, with the templates updated according to the new standard, will be released as soon as the new standard is published, and customers that bought the toolkit in the last 12 months before the standard’s release date will receive the updated documents free of charge.

    After publication, organizations will have a transition time (defined by the time of the release of the new standard) to change their controls and documentation to the new standard, so you will have plenty of time to make your changes. The transition period is probably going to be 24 months.

    To see how the control numbering of ISO 27002:2022 relates to the control numbering of ISO 27002:2019, please see this free-to-download whitepaper:
    - Overview of new security controls in ISO 27002:2022 https://info.advisera.com/27001academy/free-download/overview-of-new-security-controls-in-iso-27002/

  • Use of SCCs and TOMs

    It is important to know the entity that offers the service to your customers. If it is the US entity, a transfer takes place because you manage your Google Cloud Platform instance so you have access to that personal data as a service provider. In its “Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR”, the European Data Protection Board gives three conditions for an international personal data transfer to take place:

    • A controller or a processor is subject to the GDPR for the given processing.
    • This controller or processor (“exporter”) discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller, or processor (“importer”).
    • The importer is in a third country or is an international organization, irrespective of whether or not this importer is subject to the GDPR in respect of the given processing in accordance with Article 3.

    So if the US company is signing the contract with your EU customer, you should sign Standard Contractual Clauses (SCC) with additional Technical and Organizational Measures (TOM), to demonstrate protection of personal data from access by US authorities. If you have an EU company under control signing the contract with your EU customer, you don’t need to sign an SCC. However, you must check whether your US company falls under FISA 702, in which case you should adopt additional TOMs to demonstrate protection of personal data from access by US authorities, and add them to the standard Data Protection Agreement. Also, I recommend performing a DPIA regarding these transfers.

    Please consult these links as well:
