Regarding certification, you should consult your customers and regulators' requirements (i.e., contracts, laws, and regulations) to identify if they demand all sites to be certified or only specific sites. Based on these requirements, you can define which entities need to be certified. For example, if your customers' contracts only require Site A to be certified, and regulators do not demand certification, then certifying only Site A would be enough.
Regarding setup, documents, actions, and other elements related to the ISMS, those that are similar can be shared between entities (e.g., document and record control, internal audit, management review, etc.), while those with specific requirements may require separate implementation (e.g., disaster recovery plans).
Thanks for the clarification - basically you are right, the scenario is not clear enough - we have to change the question to "In the news, you have heard that your favorite social media site has been hacked, and the user password database has been breached. You should:"
I’m assuming that by change management, you are referring to control A.8.32 Change Management.
Considering that, any change involving information, processes, or facilities stated in the ISMS scope needs to be regulated by Change Management.
For example, if R&D information is included in the ISMS scope, then any change that may impact this information (e.g., a change in an information system that processes R&D data) needs to be controlled by Change Management.
This article will provide you with further explanation about change management (although the article is about ISO 27001:2013 control for change management, the concepts are the same for the ISO 27001:2022 control).
As resources for performing internal audit, we recommend these contents:
Regarding procedural documents, the documents that you already have in the ISO 27001 Documentation Toolkit are completely adequate for the certification if you are a small or mid-sized company. Adding more documents would only create overhead and would not contribute to your overall security.
For example, in the Toolkit you have the Backup Policy - for a smaller or mid-sized company there is no need to create an additional Backup Procedure, because the content of the Backup Policy is enough for describing backup activities.
However, if you want, we can help you create additional documents - for that purpose the best would be to schedule a call with our expert by clicking here.
Answer: Please note that the Information Security Policy document generated by Conformio is fully compliant with ISO 27001 as it is, so most of the elements you mentioned do not need to be included in the Information Security Policy (some are already included in other low-level policies, or are not needed at all – they would only increase administrative effort unnecessarily).
About each specific point:
In case you want to develop an Information Security Policy with the elements you want, you can use the blank template provided by Conformio, which can be found by clicking on the Documents link in the left panel on the main screen, and after that, the folder Templates for manual editing.
In the context of medical devices, non-conformities refer to instances where a device does not meet the established requirements or standards. These non-conformities are classified into major and minor categories based on their significance and potential impact on patient safety.
Major Non-Conformity: A major non-conformity indicates a significant deviation from the established requirements. It poses a high risk to patient safety and may result in serious harm or adverse events. Major non-conformities typically involve critical aspects of the device's design, manufacturing, performance, or documentation. Correcting major non-conformities is of utmost importance to ensure the safety and effectiveness of the medical device.
Minor Non-Conformity: A minor non-conformity refers to a deviation from the established requirements that has a relatively lower impact on patient safety. While minor non-conformities do not pose an immediate risk to patients, they still need to be addressed to maintain compliance with regulations and standards. Examples of minor non-conformities may include minor labeling issues, documentation errors, or non-critical deviations in manufacturing processes.
It is crucial for manufacturers to properly assess and classify non-conformities as major or minor to ensure appropriate corrective actions are taken. Major non-conformities require immediate attention and remediation, while minor non-conformities should be addressed in a timely manner to maintain compliance and quality in the manufacturing and distribution of medical devices.
1 - As a higher education institution, we operate in a hybrid environment encompassing cloud and on-premise resources, third-party services, as well as both in-house and outsourced application development. Our ISMS scope is currently confined to the IT department. Given this, which assets should we include in our ISMS?
Since the current ISMS scope is confined to the IT department, the assets to be considered for the ISMS should be those directly under the control of the IT department (e.g., on-premise resources, in-house application development, data for SaaS, data and applications for IaaS, etc.).
2 - Should it be limited to IT assets such as infrastructure, servers, network systems, applications, data centers, UPS, air conditioning, connectivity, and IT human resources? Or should we extend the scope to include departments like HR and Procurement?
Each company can decide what ISMS scope best fits their needs. This is usually done based on customer requirements - if the customers require only the IT department to be certified, then this is usually enough.
3 - When it comes to setting our ISMS objectives, considering the scope is limited to the IT department, should the security objectives also be confined to IT-related security measures?
Besides the IT-related security objectives, the ISMS objectives should also be considered in terms of added value to the company. For example, to decrease the number of information security incidents by 50% in the next year.
These articles will provide you with further explanation about defining the ISMS scope and objectives:
This tool for defining the ISO 27001 ISMS scope can also help you.
Implementing ISO 9001 in a company that specializes in maintaining refrigeration systems or installing refrigerators is certainly possible. ISO 9001 is a quality management system standard that can be applied to various types of organizations, including service providers like maintenance companies.
Please note that there is no need to change the text in the procedure to reflect what is stated in the Conformio description of the document.
ISO 27001 requires documents and records related to the ISMS to be controlled, so the procedure needs to have the text "This procedure is applied to all documents and records related to the ISMS" as it is.
If you want to apply the same rules outside of the ISMS, you can do it, but there is no need to change this sentence in the procedure.
Please note that companies can only be certified by certification bodies (independent organizations that employ their own certification auditors for the process).
For further information, check out the differences in accreditation, certification, and registration in the ISO world.