Search results

ISO 27001 / ISO 27002 Update

First is important to note that as of this date (4-Mar-2022) a new version of ISO 27001 has yet to be published.

Considering that, some templates in the current ISO 27001 Documentation Toolkit will need to be updated to become fully compliant with the new ISO 27001.

We will update the toolkits as soon as the new revision of the standard is published, and customers that bought the toolkit in the last twelve months from the release of the new ISO 27001 will receive the updated documents, as well as information about what has changed and guidance on what change in other documents.

For further information, see:
- 11 most important facts about changes in ISO 27001/ISO 27002 https://advisera.com/27001academy/blog/2022/02/09/iso-27001-iso-27002/

Risk Assessment - Must Risk Assessments include business processes and activities?

You need to perform the Risk assessment over all the elements defined in the ISMS scope (e.g., information, processes, or locations).

Please note that business systems and IT asset groups are only some categories you need to consider for the Risk assessment. For example, you also may need to consider human resources, facilities, and external services, when assessing information security risks.

These articles will provide you a further explanation about risk assessment:

• 6 main steps in risk management https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/
• Risk assessment https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment

This material will also help you regarding risk assessment:

• Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-risk-management-in-plain-english/

ISO 27001 certifications

1. Is it worth it for me to obtain the ISO 27001 Foundations certification? I would like to get it in April 2022.

 Answer: ISO 27001 certification certainly is worthy for professionals, and it will give you a comprehensive view of the standard, but it is not mandatory for your company to get certified.

For further information, see:
- How personal certificates can help your company’s ISMS https://advisera.com/27001academy/blog/2014/10/06/how-personal-certificates-can-help-companys-isms/
- What to look for when hiring a security professional https://advisera.com/27001academy/blog/2016/02/15/what-to-look-for-when-hiring-a-security-professional/
- Is ISO 27001 the right path for your career? https://advisera.com/27001academy/blog/2021/06/07/is-iso-27001-the-right-path-for-your-career/

2. Are “Lead Implementer” and “Lead Auditor” certifications still adequate?

Answer: These certifications are still adequate as proof of competence on ISO 27001, but they are most recommended for professionals that want to work as consultants.

For further information about these certifications, see:

What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
Free online training ISO 27001 Lead Auditor Course https://advisera.com/training/iso-27001-lead-auditor-course/
Free online training ISO 27001:2013 Lead Implementer Course https://advisera.com/training/iso-27001-lead-implementer-course/

Question regarding ISO Process

Please note that in the ISO 27001 risks assessment and treatment process the risk treatment needs to be performed before developing the Statement of Applicability.

Broadly speaking, these are the steps:

• ISO 27001 risk assessment methodology
• Risk assessment implementation
• Risk treatment implementation
• Risk Assessment and Treatment Report
• Statement of Applicability
• Risk Treatment Plan

These articles will provide you a further explanation about risk assessment and risk treatment:

• 6 main steps in risk management https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/ (top of the article) 
• Risk treatment https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment

Purchasing information

As part of our ISO 13485 Documentation toolkit, we have prepared two types of quality agreements: one for critical suppliers and a quality agreement for subcontractors.  The subcontractor is a company who produces something especially for you like in your example. Critical suppliers are all those suppliers which can have a significant impact on the quality and/or safety of your product.

Preview of those two contracts you can see on the following links:

• Quality Agreement for Subcontractor https://advisera.com/13485academy/documentation/quality-agreement-for-subcontractor/
• Quality Agreement for Critical Supplier https://advisera.com/13485academy/documentation/quality-agreement-for-critical-supplier/

Of course, these contracts cover all mandatory parts, but it is possible that you add important points to you.

Question about ISO22301 template

1 - I am looking for an example of a process dependency matrix. 

Considering ISO 22301, I suggest you take a look at our Business Impact Analysis Questionnaire template at this link: https://advisera.com/27001academy/documentation/business-impact-analysis-questionnaire/

The purpose of this document is to gather all required information for the development of the business continuity strategy, including the relationship between business processes.

For further information, see:

• How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/

2 - I am also buys with a very big clients BCP. They have quite a few emergency and evacuation and other plans (SHE, Fire) being a power station. How does one integrate these into the BCP and how do I link this to the Incident management process?

Please note that the Business Continuity Plan (BCP) can be composed of several plans (e.g., incident response plans, recovery plans, disaster recovery plans, etc.) according to the considered scenario.

The integration of a BCP with the Incident management process is by defining in the Incident management process when an incident is critical enough so activation of the BCP needs to be considered.

Regarding the integration of these plans with the BCP, from our experience, you should consider:

• one top-level document called Business Continuity Plan, where you define the crisis management plan, and the general rules by which all continuity activities will abide, ensuring all plans are aligned.
• separated Incident Response Plans for describing how you would respond to different incidents, covering related activities required by all areas of the organization.
• recovery plans for describing how to recover each of your processes/departments/projects in case of a disruption, also covering related activities required by all areas of the organization. For IT operations this plan is commonly known as the Disaster Recovery Plan.

For more information, please see:

• How to write business continuity plans? https://advisera.com/27001academy/blog/2010/04/08/how-to-write-business-continuity-plans/
• Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/

These materials will also help you regarding business continuity planning:

• Writing a business continuity plan according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/writing-a-business-continuity-plan-according-to-iso-22301-free-webinar-on-demand/
• Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/27001academy/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/

Specific policy/procedure alongside our scope

According to the link you shared the requirement is ISO 17025 accreditation. The specific tests would use to test a random number generator (RMG)  would depend on industry standards. The ISO 17025 toolkit is suitable to assist all testing laboratories implement ISO 17025 for accreditation purposes. Yes, you are correct the technical aspects and the selection of test methods is not within the scope of the toolkit. Note too that there are certification bodies that provide recognition for the Gambling sector. These certification programs would have specific requirements that will also need to be met. in addition to ISO 17025

For more information on ISO 17025 see

The Whitepaper Clause-by-clause explanation of ISO 17025:2017, available at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025/

and ISO 17025 Documentation Toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/

Software Password Storage

I’m assuming you want to know where to record the information about where passwords/keys are stored.

Considering that, please note that the Password policy has an item which defines that “files containing passwords must be stored separately from the application's system data”. 

Since the Password policy does not have a section for record management, I suggest you use Access Control Policy for this purpose.

This Access control policy Integrates the use of the Password Policy in section 3.8, and from this section you can include in its section 4 - Managing records kept on the basis of this document, a record describing how you implement this storage.

In Vivo Test Requirement

For biocompatibility, in vivo testing are necessary considering the type of the product. In ISO 10993-1:2018, there is a table that guides what tests are necessary depending on the type of the product: is it a surface device, external communicated device, or implantable device. So, which kind of tests are necessary for you, you need to go through that table. 

For more information, see this link: https://www.iso.org/standard/68936.html