Search results

ISO 27001 certifications

1. Is it worth it for me to obtain the ISO 27001 Foundations certification? I would like to get it in April 2022.

 Answer: ISO 27001 certification certainly is worthy for professionals, and it will give you a comprehensive view of the standard, but it is not mandatory for your company to get certified.

For further information, see:
- How personal certificates can help your company’s ISMS https://advisera.com/27001academy/blog/2014/10/06/how-personal-certificates-can-help-companys-isms/
- What to look for when hiring a security professional https://advisera.com/27001academy/blog/2016/02/15/what-to-look-for-when-hiring-a-security-professional/
- Is ISO 27001 the right path for your career? https://advisera.com/27001academy/blog/2021/06/07/is-iso-27001-the-right-path-for-your-career/

2. Are “Lead Implementer” and “Lead Auditor” certifications still adequate?

Answer: These certifications are still adequate as proof of competence on ISO 27001, but they are most recommended for professionals that want to work as consultants.

For further information about these certifications, see:

What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
Free online training ISO 27001 Lead Auditor Course https://advisera.com/training/iso-27001-lead-auditor-course/
Free online training ISO 27001:2013 Lead Implementer Course https://advisera.com/training/iso-27001-lead-implementer-course/

Question regarding ISO Process

Please note that in the ISO 27001 risks assessment and treatment process the risk treatment needs to be performed before developing the Statement of Applicability.

Broadly speaking, these are the steps:

• ISO 27001 risk assessment methodology
• Risk assessment implementation
• Risk treatment implementation
• Risk Assessment and Treatment Report
• Statement of Applicability
• Risk Treatment Plan

These articles will provide you a further explanation about risk assessment and risk treatment:

• 6 main steps in risk management https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/ (top of the article) 
• Risk treatment https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment

Purchasing information

As part of our ISO 13485 Documentation toolkit, we have prepared two types of quality agreements: one for critical suppliers and a quality agreement for subcontractors.  The subcontractor is a company who produces something especially for you like in your example. Critical suppliers are all those suppliers which can have a significant impact on the quality and/or safety of your product.

Preview of those two contracts you can see on the following links:

• Quality Agreement for Subcontractor https://advisera.com/13485academy/documentation/quality-agreement-for-subcontractor/
• Quality Agreement for Critical Supplier https://advisera.com/13485academy/documentation/quality-agreement-for-critical-supplier/

Of course, these contracts cover all mandatory parts, but it is possible that you add important points to you.

Question about ISO22301 template

1 - I am looking for an example of a process dependency matrix. 

Considering ISO 22301, I suggest you take a look at our Business Impact Analysis Questionnaire template at this link: https://advisera.com/27001academy/documentation/business-impact-analysis-questionnaire/

The purpose of this document is to gather all required information for the development of the business continuity strategy, including the relationship between business processes.

For further information, see:

• How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/

2 - I am also buys with a very big clients BCP. They have quite a few emergency and evacuation and other plans (SHE, Fire) being a power station. How does one integrate these into the BCP and how do I link this to the Incident management process?

Please note that the Business Continuity Plan (BCP) can be composed of several plans (e.g., incident response plans, recovery plans, disaster recovery plans, etc.) according to the considered scenario.

The integration of a BCP with the Incident management process is by defining in the Incident management process when an incident is critical enough so activation of the BCP needs to be considered.

Regarding the integration of these plans with the BCP, from our experience, you should consider:

• one top-level document called Business Continuity Plan, where you define the crisis management plan, and the general rules by which all continuity activities will abide, ensuring all plans are aligned.
• separated Incident Response Plans for describing how you would respond to different incidents, covering related activities required by all areas of the organization.
• recovery plans for describing how to recover each of your processes/departments/projects in case of a disruption, also covering related activities required by all areas of the organization. For IT operations this plan is commonly known as the Disaster Recovery Plan.

For more information, please see:

• How to write business continuity plans? https://advisera.com/27001academy/blog/2010/04/08/how-to-write-business-continuity-plans/
• Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/

These materials will also help you regarding business continuity planning:

• Writing a business continuity plan according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/writing-a-business-continuity-plan-according-to-iso-22301-free-webinar-on-demand/
• Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/27001academy/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/

Specific policy/procedure alongside our scope

According to the link you shared the requirement is ISO 17025 accreditation. The specific tests would use to test a random number generator (RMG)  would depend on industry standards. The ISO 17025 toolkit is suitable to assist all testing laboratories implement ISO 17025 for accreditation purposes. Yes, you are correct the technical aspects and the selection of test methods is not within the scope of the toolkit. Note too that there are certification bodies that provide recognition for the Gambling sector. These certification programs would have specific requirements that will also need to be met. in addition to ISO 17025

For more information on ISO 17025 see

The Whitepaper Clause-by-clause explanation of ISO 17025:2017, available at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025/

and ISO 17025 Documentation Toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/

Software Password Storage

I’m assuming you want to know where to record the information about where passwords/keys are stored.

Considering that, please note that the Password policy has an item which defines that “files containing passwords must be stored separately from the application's system data”. 

Since the Password policy does not have a section for record management, I suggest you use Access Control Policy for this purpose.

This Access control policy Integrates the use of the Password Policy in section 3.8, and from this section you can include in its section 4 - Managing records kept on the basis of this document, a record describing how you implement this storage.

In Vivo Test Requirement

For biocompatibility, in vivo testing are necessary considering the type of the product. In ISO 10993-1:2018, there is a table that guides what tests are necessary depending on the type of the product: is it a surface device, external communicated device, or implantable device. So, which kind of tests are necessary for you, you need to go through that table. 

For more information, see this link: https://www.iso.org/standard/68936.html
 

GDPR

Since you offer IaaS and PaaS services to an EU company, you will have access to personal data. You should be a data processor unless you have autonomy in the way you process personal data. According to Chapter V in GDPR, you need to do the data transfer via one of the accepted transfer mechanisms: adequacy decision (Art 45 GDPR), binding corporate rules (Art 47 GDPR), standard contractual clauses, approved code of conduct, approved certification mechanism (Art 46 GDPR) or Derogations (Art 49 GDPR). My recommendation is to use the new EU Standard Contractual Clauses for Controller to Processor, adding the necessary additional technical and organizational measures to offer the same level of protection for transferred personal data as it is offered under GDPR in the EU.

Please read more details:

• Chapter V GDPR - Transfers of personal data to third countries or international organisations: https://advisera.com/eugdpracademy/gdpr-text/transfers-of-personal-data-to-third-countries-or-international-organisations/
• Article 45– Transfers on the basis of an adequacy decision: https://advisera.com/gdpr/transfers-on-the-basis-of-an-adequacy-decision/
• Article 46– Transfers subject to appropriate safeguards: https://advisera.com/gdpr/transfers-subject-to-appropriate-safeguards/
• Article 47– Binding corporate rules: https://advisera.com/gdpr/binding-corporate-rules/
• Article 49– Derogations for specific situations: https://advisera.com/eugdpracademy/gdpr/derogations-for-specific-situations/
• Cross Border Personal Data Transfer Procedure: https://advisera.com/eugdpracademy/documentation/cross-border-personal-data-transfer-procedure/
• EU GDPR Toolkit (containing all documentation for GDPR Compliance): https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/

Clause 4.3: ISMS scope

ISO 27001 ISMS scope can be defined in terms of information, processes, or location to be protected. Considering that, you can make your scope more precise by defining information (e.g., customer information, sales, information, research, and development information, etc.), processes (e.g., software development processes, production processes, etc.), or location (information in the company building, in the finance floor, etc.).

This article will provide you a further explanation about ISMS scope:

• How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

This material can also be helpful:

• How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/