Search results


  • ISO 27001 questions - Conformio/Toolkit

    We own the servers in a data center that is owned by a third party, so what does it mean that the provider has control? Our customers purchase our service as SaaS, but we on our side have suppliers who provide us the data center. The question is: does this mean that the provider who has control is the customer, us as the provider of the service, or the third-party service we use to rent the data center? How does this affect our risk matrix? We buy/rent our infrastructure, so what asset should we include in the risk matrix? What I understand is that we should mark ourselves as number 2 in this table. Am I correct?

    Considering that you are managing the servers in the data center, your understanding is correct: you only need to include the servers, their software, and data in the ISMS. The physical location is out of scope.

    The impact on the risk matrix is that any risk related to the data center's physical environment will be treated by transferring the risk to the provider (in general by including information security clauses in the contract or service agreement you have with them).

    In that case, should we include the data center as an asset of our organization or not, since this is something we rent? In that case this asset should not be included, is that correct?

    The data center needs to be considered in your risk assessment, but since the data center is out of the scope, it cannot be listed as an asset. In Conformio you need to list it as a third-party service, something like “colocation services” or “renting the data center space”, and use it in your risk assessment.

    Should we also include storage media as an asset, considering the scope of our business?

    In case the information you want to protect may be stored in such assets, and you have control over them at such a level that you can implement and manage security measures, then you should consider them in the ISMS scope. Otherwise, you should keep them out of the scope.

    When thinking about the assets "Internally developed software" and "servers", should we consider all the different products we are providing and servers we are using as separate assets, or can we write just a general "Servers" or "Internally developed software" and that is enough?

    The rule of thumb here is that if the assets share the same risks, then you can treat them as a single asset, like “servers”. In case specific assets have specific risks, you should treat them separately, like “development servers” and “production servers”.

    For further information, see:

    When thinking about "Operating system" as an asset - does this refer to the operating systems we use in our organization where we are running the server or does it refer to the operating systems our customers are using when downloading and using our service?

    As for "Operating system" you need to consider any computers you have in the scope.

  • ISO 27001 Expert question

    1 - Is «System Management & processes» a good classification way for documents when wanting to respect ISO 27001?

    Answer: I’m assuming your question is linked to this one: https://community.advisera.com/topic/documents-classification-plan-storage-for-process-documents-like-policies/

    Considering that, first it is important to note that “classification” in the ISO 27001 context is related to how sensitive information is to the loss of its security properties (e.g., confidentiality, integrity, and availability). From this question, and the previous one, “classification” to you seems to be related to how documentation is organized, so for the rest of this answer I’ll use the term “document organization scheme”, and similar, to answer your doubts.

    Now, organizing documents according to which management system they belong to is as good as any other organization approach, provided the organization scheme fulfills the standard's requirements for document management. Please note that in addition to this “document organization scheme”, when considering ISO 27001 you also may need to consider the information security classification. For example, documents from an ISO 9001 Quality Management System classified as “public” must not be stored in the same place as documents classified as “confidential”.

    The key issue you need to observe is how users will perceive this. It will be useless if users do not find it easy to create, find, use, and update documents.

    For further information, see:
    - Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
    - Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2021/06/27/how-to-manage-documents-according-to-iso-27001-and-iso-22301/
    - Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/

    2 - If the answer to question number 1 is « yes », then how to deal with documents like policies that are used by multiple SM & processes? I’ve seen in a SharePoint tutorial proposed by ISO 9001 experts that they were using metadata for document indexing. Does that mean that policies should be attached to multiple SM & processes at the metadata level?

    Answer: The use of metadata to index documents is a good approach to organize them, because regardless of where you store the documents, you can use metadata to filter them and show users only the documents defined according to business requirements and information security criteria; it also makes changes easier and more transparent to users.

    3 - If the answer to question number 2 is « Yes », then are there best practices in ISO 27001 about document organization apart from classification? In the ISO 2001 SharePoint tutorial the experts were saying that there was no obligation regarding the organization of documents and that they can be stored with or without hierarchy. But regarding access rights I suppose it can change things a lot. Is there something detailed about access rights to documentation in ISO 27001?

    Answer: ISO 27001 does not prescribe how to organize documents. It only requires that documents and records be easy to find and access when required. In terms of access control, the main requirement is that access rights consider business and legal needs.

    To see a tool which covers document management requirements in an ISO 27001 environment, I suggest you take a look at our solution Conformio (https://advisera.com/conformio/).

    In Conformio, documents are organized in folders such as:
    - Main Folder (ISO 27001)
    - Lists Reports Statements and Plans
    - Policies and Procedures
    --- Internal procedures
    --- Top management
    - Templates for manual editing

    You can add and customize folders according to your needs.

    For further information, including examples, see:
    - What kind of Document Management System (DMS) do you need for handling ISO 27001 documents? https://advisera.com/conformio/blog/2020/08/11/what-kind-of-dms-you-need-for-handling-iso-27001-documents/
    - How to handle user access management in an ISO 27001 project through Conformio https://advisera.com/conformio/blog/2021/05/05/how-to-handle-user-access-management-for-iso-27001-project-through-conformio/
    - Enable confidentiality in handling ISO 27001 documentation https://advisera.com/conformio/blog/2020/08/13/enable-confidentiality-in-handling-iso-27001-documentation/

  • ISO 27001 - exclusion of personal devices in the ISMS scope

    You should include personal devices only if your company can have full control over them.

    In case it is not possible to have such kind of control, you should keep them out of the scope. In this situation, the security rules for these devices must be regulated by means of agreements with employees who are using them.

    Regarding the external auditor, he is not the one to define if risks are high for the company or not. This is the purpose of the risk assessment process. The auditor will only check if you performed the processes properly and if you have proper justification (i.e., risk assessment) for your decision to use or not an asset.

    These articles will provide you a further explanation about ISMS scope and risk assessment:

  • Presenting changes on internal and external issues after a merger

    A suggested way to present changes in internal and external issues in a merger situation is to separate the issues into those that were excluded and those that were added due to the new situation.

    Additionally, you should also consider comparing the number of changes with the number of issues that remained the same.

    This approach will help management evaluate the impact of changes due to the merger.

    This article will provide you a further explanation about internal and external issues:

  • Scope question

    You need to clearly state both companies in the ISMS scope statement. Affiliated companies are not automatically included in the scope of any ISO management system.

    This article will provide you a further explanation about scope definition:

  • ISO 27001 Toolkit - Document 02.1

    An item in the List of Requirements needs to be specified at a level where the person responsible for its fulfillment understands what needs to be done.

    For example, for some persons you may need to specify only the name of the regulation (e.g., EU GDPR) or contract number, while for others you may need to be more specific, referring to specific clauses (like your example), or even writing them in the register.

    This article will provide you a further explanation about requirements:

  • ISO 27001:2022

    The new version of ISO 27002 will probably be released this year (its FDIS - Final Draft International Standard - is already published).

    For further information, see:

  • Software Development Templates

    Please note that such templates are not mandatory for ISO 27001, nor are they commonly adopted by organizations in general.

    The closest templates we can suggest you check to see if they can fulfill your needs are these ISO 9001 templates:

    For further information, see:

  • 4.2.4 and 4.2.5

    1. How would we know what regulation is applicable if they have never stated it?

    If you are on the EU market, then each manufacturer of a medical device or its components must be in compliance with Harmonised or state of the art standards (Article 8 of the Medical device regulation MDR 2017/745).

    Those standards you can find on the following links:

    Basically, besides ISO 13485:2016, all manufacturers must also be in compliance with ISO 14971:2019 (Risk management for medical devices), EN ISO 15223-1:2021 (for symbols), and EN ISO 20417:2021 (Information to be supplied by the manufacturer). Whether any other technical standard applies would depend on the type of components: is it metal, is it plastic, or something else.

    For more information, see:

    2. Can the toolkit ISO 13485:2016 be combined with the ISO 9001:2015?

    Yes, it can; several requirements are very similar, like the internal audit process, corrective actions management, the non-conformity process, and document management. At the end of the standard ISO 13485:2016 you have Table B1, Correspondence between ISO 13485:2016 and ISO 9001:2015, and Table B2, Correspondence between ISO 9001:2015 and ISO 13485:2016, i.e., from both sides.

    3. We don’t have to report to the authorities if we have a customer complaint. How would we write this in our procedure, or would we leave this alone? Would we use the form also, and if so, how would we use this?

    This just depends on whether or not your product is registered somewhere as a medical device separately. If not, then you do not have to communicate with regulators.
