Legal requirements and security awareness

Guest user Created:   Jun 25, 2019 Last commented:   Jun 25, 2019


I bought the ISO 27001 toolkit some months ago and now I'm implementing the standard in a company called XXXX, of which I'm a partner and tech lead. We talked last week with Rhand Leal using the one-hour call included in the bundle.


Expert
Rhand Leal Jun 25, 2019
Although the call was very interesting for us, some new questions are still emerging and we would like to get support by email. I will start with two questions:

1. When I'm looking at my suppliers and they only have EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield accreditations for information privacy, is that enough to assure compliance with ISO 27001? And what about SOC 2 and SOC 3?

Answer: Considering ISO 27001, your suppliers need to be compliant with the legal requirements your own organization must comply with regarding information security, if they will have access to information in the scope of your ISMS. Considering that, if your organization must be compliant with SOC 2 and SOC 3, and your suppliers will have access to information related to these two requirements, then your suppliers will also have to be compliant with SOC 2 and SOC 3. If this is not the case, then your suppliers do not need to be compliant with such legal requirements.

2. Now, talking about security awareness for all employees, is confirmation that all employees watched a series of security awareness videos (like the ones in Advisera eTraining) enough to be compliant with ISO 27001 A.7.2.2?

Answer: Regarding awareness, a confirmation that an employee has watched security awareness videos will be sufficient to comply with control A.7.2.2. But you must note that this control also covers training and education, and for these, evaluations of improvement after the training or education activities are also required.

This article will provide you further explanation about awareness and training:
- How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/