Take the ISO 27001 course exam and get the EU GDPR course exam for free
LIMITED-TIME OFFER – VALID UNTIL SEPTEMBER 30, 2021

ISO 27001 & 22301 - Expert Advice Community

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Assign topic to the user

  • 3.6. Documents of external origin

    1. In  the section 3.6 Documents of external origin- in Procedure for document and record control. There is a line saying- “Each external document that is necessary for the planning and operation of the QMS must be recorded in the incoming mail register “ 

    This is basically all emails, from purchase, sales, quality etc etc. basically everyone email that needs to be registered because it can be necessary for the planning and operation of the QMS. This makes it completely inefficient to run the company. 

    What is the absolute minimum to do here?.  We have several different systems that track important emails and documents. We have a program for QMS- to handle all documents- we have a ERP system to track all sales/production/shipments. This email registering system will break us. Why do we need it? Please advise.

    2. In iso 13485. It only states: “ensure that documents of external origin, determined by the organization to be necessary for the planning and operation of the quality management system, are identified and their distribution controlled” 

    SO why does the tookit refer to that we have to have an advanced document email document system.

  • ISMS - In scope or out of scope

    Hope all is well. In my ISMS Scope doc, I specifically included my company’s two processes and services:  

    Managed Application Services (MAS) that help customers manage and host specific applications
    Software as a service (SaaS) that provide cloud-based software solution for customers
    The CS, TD and DTS are the three technology divisions providing the MAS and SaaS services therefore they are considered as the parties to implement and maintain ISMS.

    Our Sales and Marketing Divisions are considered as the users, but they are, implicitly, responsible for following the ISMS policies and procedures, as users.

    Can we exclude Sales and Marketing from the ISMS scope? Please advise.

  • Generating reports as security manager

    As a security manager, how can she/he generates a report to see the number and progress of incidents in different time periods?

    Or how she/he can report who has handled which incident?

    Or what is the most vulnerable service based on the number of the incidents?

  • Implementation questions

    Hello Dejan,

    I think I got a decent understanding on how to work on how the standard works from the videos, so I went ahead and started the implementation with the help of the documentation toolkit.

    I have a few questions you may be able to help me with:

    We are a small startup and have very little internal bureaucracy, let alone a document template pre-designed for that purpose, so in that sense we can be very flexible as to how we want the ISO 27001 documents to look like. I thought I'd keep everything in electronic format and rely on the word processor's features for things such as authorship, version control, signature and approval of documents, etc. That means that many of the elements present in the templates from the toolkit (the change history table, table of contents, page numbers, etc.) are redundant since they are already available as document metadata outside of the page. I understand these fields would be useful if we were to ever keep a printed copy of the document, but I don't think that is going to be the case. So my question is, should we nevertheless adhere to the format provided in the templates as a best practice or is any format adequate as long as it is consistent with the specifications from the "Procedure for Document and Record Control" document?
    Similarly, the use of job titles seems excessive for a company our size, where a single employee is usually the only one responsible for writing the document, approving it and monitoring compliance. We do not have upper management levels nor board of directors. In that sense, to what extent should we rely on the use of role names such as Information Security Manager, as opposed to a more generic IT Manager? Should these job descriptions be reflected somewhere else, such as in the employment contract?
    While working on some of the documents I noticed that the assessment of things such as requirements and stakeholders can be rather subjective. Is there any possibility of a certification body raising concerns owing to a disagreement on how this assessment was performed? In other words, how can we judge whether these documents contain enough and accurate information for the certification to be successful?
    The documentation toolkit is sold with the premise of it containing all the information we need to become certified, but it refers to the standard itself at various explanatory notes throughout. E.g.: Requirements relevant for ISMS implementation are those established by the standard itself (all statements that contain the word “shall” are requirements). Would you advise purchasing the standard as complementary information to the toolkit?
     

    Thank you in advance.

  • Question about ISO 22301 Project

    I take the opportunity to ask a question about the kit I purchased. 

    in the Project Checklist for ISO 22301 Implementation document, I have references to several documents that I didn't find in the zipped folder I downloaded. 

    Did I do something wrong?

  • Corrective Actions Procedure

    Who is the person in the organization who should document this procedure? 

    The Lead internal Auditor
    The Information Security Manager
    Top Management

    Thank you in advance.

  • ISO 27001 query

    Hi, we are a software company, and we are currently implementing the ISO27k1 according to your documentation kit.

    We do not have a business continuity plan ( ISO22301 might implement in the near future if we succeed with the iso27k1 ). At this point we would just like to implement a disaster recovery plan.

    Background about the company : software company; all of our critical services are in the cloud ; we are cloud agnostic - can migrate the entire infrastructure in a matter of hours; coworkers are used to working from home; we have just one office location; all services running in the local datacenter are also backuped on the cloud and can migrate there in a matter of minutes with minimal data loss; we work exclusively through VPN/IPSec tunnels and we use 2FA authentication for 90% of the services

    My questions are the following:

    In a case of a major event that has led us to start the disaster recovery plan:

    1. Is it possible to describe a scenario when something has happened to our office and all our coworkers just get a laptop and a 4g hot spot and connect to a VPN in the cloud where our services run. So, this means they can work from home and not be in the office. The communication channel will always be secure and encrypted. And in the risk assessment we consider this to be an acceptable risk. The corona virus situation actually has proven this to be quite an effective strategy since we've been working like that for more than a year and we haven't run into problems of any kind. We miss partying together tho ... Would an ISO27k1 auditor be comfortable with a solution like this one?

    2. Our servers and services run in the cloud, so even if there is a breach or some other kind of event related to information loss, we can pretty much return everything to working order in a matter of hours. And we've stated that we are ok with 1 day of loss of information, so based on the risk assessment and scope it's OK. But again, I am not sure an auditor would see it this way.

    3. We are creating copies of the servers/services and backing up those to different cloud providers, so if an event that only takes out one cloud provider happens, we can still operate with just spinning up the infrastructure on another cloud provider. Would that cover all of our bases ? In an event where the internet is lost, or the major cloud providers are gone ... we might not want to continue operations.

    4. How thorough we need to be when describing major events/incidents that can lead to the decision to put the disaster recovery into operation ? Do we need to list every event possible or incident ? Like hacker attack, cryptovariation ransomware attack, worm attack, political embargo on services or war, force majeure conditions ? The only change in the disaster recovery plan is whether the office is still usable and standing - if it is we just continue from backups or migrate everything. If the office is not there all coworkers start working from home. I've tried to find the answers to those questions in your blogs and literature online, but I really don't know the mindset of an auditor and what they consider a good solution or a solution that is in line with the risk assessment that we will present to them. Thank you in advance.

  • Dúvida preenchimento documento ISO 27000

    Bom dia,

    Estamos preenchendo o documento intitulado: Politica_de_classificacao_da informacao_PT.

    Surgiu uma dúvida quanto a definição de quem deverá realizar a classificação da informação quando recebida de fora da organização, uma vez que temos várias pessoas de diferentes áreas de podem receber esse tipo de informação, seja em meio físico, como correspondências, como em meio eletrônico como e-mails ou links de acesso a pastas de repositórios de dados.

    O texto original do modelo é:

    “Se informações classificadas forem recebidas de fora da organização, o [cargo] é responsável por sua classificação de acordo com as regras descritas nesta Política. Esta pessoa torna-se proprietário desses ativos de informação.”

    Podemos colocar da seguinte forma?

    “Se informações classificadas forem recebidas de fora da organização, o recebedor é responsável por sua classificação de acordo com as regras descritas nesta Política. Caso o recebedor não seja o destinatário final da informação, deverá encaminhar para quem de direito, e esta pessoa torna-se proprietário desses ativos de informação."

  • Help us understand each other better

    Dejan,

    I know as part of the toolkit I can ask questions via email – but I am not sure who I am supposed to ask.  So you win 😊

    We are in the process of starting to implement the various components of ISO27001.  Most are not documented yet.  I am also starting my internal audit program planning.  Here is my questions:

    Do I need to complete an internal audit of ALL areas of ISO27001 BEFORE I can schedule/conduct my first external regulatory audit?  It is my understanding that as part of continuous monitoring of the systems most companies break down the audit into sections and in a rolling 3 year period cover the entire standard.  If that is the schedule I create, then my first external audit I will only have a portion of the standard covered by internal audit.  Is that acceptable?   Assuming it is, how much of the standard do you think (and I understand this is subjective) we should have completed before the external audit.

    Please let me know if you have any questions

  • ASD ISM to ISO 27001 mapping

    I'm trying to find document that maps the ASD (Australian Signals Directorate) ISM (Information Security Manual) controls to the ISO 27001 elements / controls. Do you know of such a document, or can you point me to someone who may know?

Page 12 of 466 pages