Certification is possible only if you fulfill all clauses from sections 4 to 10, and the applicable controls from ISO 27001 Annex A, so it is not possible to be certified against only part of ISO 27001 clauses.
What you can do is define an ISMS scope covering only part of the organization, a part for which you can fulfill all requirements of the standard.
For certification, we suggest you take a look at these Advisera resources:
- ISO 27001 Documentation Toolkit https://advisera.com/27001academy/iso-27001-documentation-toolkit/
- Conformio (online tool for ISO 27001) https://advisera.com/conformio/
This article will provide you with a further explanation of ISO 27001 implementation:
- ISO 27001 implementation steps https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
Your understanding that an asset needs to have a security element for it to be considered in the ISMS scope is correct.
To ISO 27001 an asset is anything of value to the organization in terms of confidentiality, integrity, and availability of information.
Considering that, if the asset is related to information that your ISMS needs to protect, then it needs to be considered. In your examples, users' passwords need to be protected, which makes the work instruction for changing users' passwords part of the scope, while a marketing brochure, which does not need to be protected, would not be considered.
In the Risk Assessment Sheet included in the toolkit there is a list of assets you can use.
We have the same understanding.
The correct understanding of the assets, and related threats and vulnerabilities, is a critical factor for a successful risk assessment and treatment.
To handle them properly, you need to consider involving personnel who work with such assets during the assessment.
This article will provide you with a further explanation of risk assessment:
Great, thanks. I have a training and awareness plan policy already so I guess this should cover it.
Since ISO 9001 is the basic standard and IATF 16949 is a set of requirements on top of it, IATF 16949 and ISO 9001 are considered together: the quality manual, processes, procedures, etc. can be documented jointly in one system. You can define scopes separately for each location in the quality manual. Exclusion for an IATF-certified location is possible only if there is no product design, product design input, or output.
Our ISO 13485 Documentation Toolkit is in compliance with all requirements of ISO 13485. In 2018 the FDA revealed plans to harmonize 21 CFR with ISO 13485. Due to the coronavirus pandemic, this process has been somewhat delayed, but it is expected to be completed soon.
For more information see this link: https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=201904&RIN=0910-AH99
Considering the EU MDR 2017/745, there are some additional documentation requirements for the QMS (stated in Article 10), which are covered as part of our ISO 13485 & MDR toolkit.
For more detail on this topic, please see the following article:
ISO 27001 does not prescribe the number of policies or procedures to be written, so you can choose the approach that best fits your needs.
From the new set of ISO 27001 Annex A controls, only controls A.5.10 (Acceptable use of information and other associated assets), A.5.26 (Response to information security incidents), and A.5.31 (Legal, statutory, regulatory and contractual requirements) require documentation (but it is not specified that they need to be separate documents).
The main criteria for deciding the number of documents to be written are their content (i.e., whether each one covers similar purposes) and whether, written that way, they would become too large to understand or read.
So, in this case, if a single document covering several controls becomes too big to use and manage, you should consider writing separate documents.
These articles will provide you with a further explanation of developing policies:
- One Information Security Policy, or several policies? https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
- How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
Our ISO 27001 Documentation Toolkit has 45 documents that cover the mandatory documents and the most commonly used ones, providing an optimized number of documents for small and mid-sized organizations. You can see a demo of them at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
Regarding ISO 27002, please note that while it is not mandatory for the implementation of ISO 27001, it provides guidance and recommendations on how to implement the controls from Annex A (ISO 27001 Annex A only states the requirements of the controls, not how to implement them).
For further information, see:
- 11 most important facts about changes in ISO 27001/ISO 27002 https://advisera.com/27001academy/blog/2022/02/09/iso-27001-iso-27002/
1 - Why are the mandatory documents reflected here https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision not mentioned in Conformio project results?
Answer: I’m assuming you are referring to the Project Plan document.
Considering that, please note that in the project results section (3.2) we have two paragraphs:
“During the ISMS implementation project, the following documents (some of which contain appendices that are not expressly stated here) will be delivered:”
In this paragraph, the mentioned “…appendices that are not expressly stated…” refer to some of the mandatory documents. For example, the Internal audit program is an appendix of the Procedure for Internal Audit.
“Policies and procedures that describe specific security activities will be determined only after the Statement of Applicability is completed. Detailed timing for those security policies and procedures will be determined in the Risk Treatment Plan.”
This paragraph covers the remaining mandatory documents that are not explicitly mentioned. Some documents are mandatory only if the related controls are applicable, and this information is available only during project execution. So, until you have this information, you cannot explicitly state some documents as project results.
2 - If Conformio project results are not mandatory, why do we need it?
Answer: The Project Plan document is used to help you evaluate project progress, since it provides a measurable way to check the activities performed.
For example, if you have 17 steps in your project, and you already have delivered 7 of them, you can roughly evaluate that 40% of the project has been completed.
All medical devices which contain nanoparticles are classified according to Rule 19. If you are a manufacturer of a nanocoating material that other manufacturers apply to an endotracheal tube, then you do not have a medical device. A nanoparticle coating alone is not a medical device.