I have been appointed to help the company get ISO and EIDAS certification. I have to start from scratch as I know NOTHING about security or compliancy… So this newborn Compliancy Officer hopes she can turn to you to help her – I am very nervous about the whole thing. I purchased the toolkit and I am currently working on WIP00_Procedure_for_Document_and_Record_Control_Integrated_EN
The questions I have:
1. “Mail significant for the planning and operation of the ISMS/compliance with GDPR” should be recorded. This can be an exell on our Sharepoint or an actual paper/pen notebook at the office I assume. What would, in reality, be such mail? I can think e.g. someone who would send a letter executing his “right to be forgotten”.
I will have to explain to the others in the company which mail they will have to register and what will not be considered as “mail significant for the planning and operation of the ISMS/compliance with GDPR”, but I don’t really know the answer to that myself yet…
2. I want to make a list per function/role in the company of all the responsibilities and tasks as described trough the policies and procedures. Is there already a template for this? I don’t find it in the kit.
3. Also, is there a list of all ISMS related type of roles? As CISO, Senior Management, Compliancy Officer, DPO…?
Assign topic to the user
1. “Mail significant for the planning and operation of the ISMS/compliance with GDPR” should be recorded. This can be an exell on our Sharepoint or an actual paper/pen notebook at the office I assume. What would, in reality, be such mail? I can think e.g. someone who would send a letter executing his “right to be forgotten”.
I will have to explain to the others in the company which mail they will have to register and what will not be considered as “mail significant for the planning and operation of the ISMS/compliance with GDPR”, but I don’t really know the answer to that myself yet…
Yes, you could receive a letter related to the right to be forgotten, consents, data subject access requests, etc.; you could also receive official letters from data protection authorities, or from agencies that regulate information security. As you mentioned, you can record them in Excel, SharePoint, or in a simple note.
2. I want to make a list per function/role in the company of all the responsibilities and tasks as described trough the policies and procedures. Is there already a template for this? I don’t find it in the kit.
First is important to note that ISO 27001 does not require a central document for all responsibilities and tasks defined for the ISMS. The description of these on each template in the toolkit is sufficient to cover requirements for certification. Considering that, we do not recommend the creation of such a list, because it will only duplicate information (increasing the risks of having outdated information) and increase administrative effort.
3. Also, is there a list of all ISMS related type of roles? As CISO, Senior Management, Compliancy Officer, DPO…?
ISO 27001 does not prescribe roles to be created to implement an ISMS, so organizations to define them as they see fit. You can either create roles you understand are important, or you can designate responsibilities o already existing roles in your organization. I general the most common role created if the chief information security officer (CISO).
These articles will provide you further explanation about roles and responsibilities:
- How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
- Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
- What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
Comment as guest or Sign in
Dec 04, 2019