We are not experts on TISAX, but what we know is that the TISAX evaluation criteria are based on VDA Information Security Assessment (ISA), which in turn is based on ISO 27001 Annex A.
ISO 27001 does not require separate offices or areas for IT personnel. However, if you have a legal or regulatory requirement to have separate offices for IT personnel, or during your risk management process you conclude that such offices are required, then you would need to implement separate offices.
ISO 27001 does not require attendance at awareness sessions to be recorded (in general, auditors check awareness levels by interviewing personnel), but it is recommended to have such records for a certification audit.
Advisera's Security Awareness Training automatically creates records of attendance. To download the training report, log in as an admin to your training account and go to "Users." Click the "Training report" button on the top right of the screen, and the PDF report will be downloaded to your computer.
Check our article that will show you how to perform training and awareness for ISO 27001 and ISO 22301.
Controls can be reviewed at a frequency different from the one defined for the review of the documents related to them. You only need to ensure that control review results are considered in the next document review. Please also note that, depending on the control review results, an immediate review of documents may be necessary.
Check our article for further information on performing monitoring and measurement in ISO 27001.
ISO 27001 does not prescribe who needs to determine the level of risk, but as a good practice, this determination is made by the risk owner, who needs to accept the residual risk defined after the selection of risk treatment (see ISO 27001 clause 6.1.3 f)).
Their decision is based on the risk levels defined in the Risk Assessment and Risk Treatment Methodology document (the risk assessment and treatment processes need to be documented, as required by clauses 6.1.2 and 6.1.3).
For further information, see:
ISO 17025 is applicable to calibration and testing laboratories. If you seek ISO 17025 accreditation as a testing laboratory, the laboratory needs to meet all the mandatory requirements of the standard. The processes and procedures that would be part of the scope relate to all general quality management and technical requirements.
I suggest you become familiar with ISO 17025 and perform a gap assessment (internal audit) of the requirements of ISO 17025 against what you already have in place for your Medical Device Manufacturer QMS.
For more information on ISO 17025 and the processes and documents to put in place, start here: https://advisera.com/iso-17025. See also the available resources, including the Checklist of mandatory documents required by ISO 17025:2017 at https://info.advisera.com/17025academy/free-download/checklist-of-mandatory-documents-required-by-iso-17025. Then have a look at what the toolkit can offer to assist with the requirements for internal audits: https://advisera.co/ISO17025Toolkit
Please note that the Audit Program and Audit Plan are different documents.
An Audit program refers to all audits planned for a period of time, while an Audit plan specifies the details of one specific audit; the Audit program is mandatory, while the Audit plan is not.
For further information, see our complete guide for internal audit.
Regarding certification, you should consult your customers' and regulators' requirements (i.e., contracts, laws, and regulations) to identify whether they demand all sites to be certified or only specific sites. Based on these requirements, you can define which entities need to be certified. For example, if your customers' contracts only require Site A to be certified, and regulators do not demand certification, then certifying only Site A would be enough.
Regarding setup, documents, actions, and other elements related to the ISMS, those that are similar can be shared between entities (e.g., document and record control, internal audit, management review, etc.), while those with specific requirements may require separate implementation (e.g., disaster recovery plans).
Thanks for the clarification. Basically you are right, the scenario is not clear enough. We have to change the question to: "In the news, you have heard that your favorite social media site has been hacked, and the user password database has been breached. You should:"
I’m assuming that by change management, you are referring to control A.8.32 Change Management.
Considering that, any change involving information, processes, or facilities stated in the ISMS scope needs to be regulated by Change Management.
For example, if R&D information is included in the ISMS scope, then any change that may impact this information (e.g., a change in an information system that processes R&D data) needs to be controlled by Change Management.
This article will provide you with further explanation about change management (although the article is about ISO 27001:2013 control for change management, the concepts are the same for the ISO 27001:2022 control).
As resources for performing internal audit, we recommend these contents:
Regarding procedural documents, the documents that you already have in the ISO 27001 Documentation Toolkit are completely adequate for the certification if you are a small or mid-sized company. Adding more documents would only create overhead and would not contribute to your overall security.
For example, in the Toolkit you have the Backup Policy. For a small or mid-sized company there is no need to create an additional Backup Procedure, because the content of the Backup Policy is enough to describe backup activities.
However, if you want, we can help you create additional documents. For that purpose, the best option would be to schedule a call with our expert by clicking here.