
  • Role of CISO

    Please note that considering ISO 27001, if private information is part of the Information Security Management System scope, the CISO will have to protect it anyway. The fact that the organization may need to be compliant with some legal requirements related to private information (e.g., EU GDPR) will only mean that there are additional requirements to be considered by the CISO for the protection of this kind of information.

    In cases where all private information handled by the organization is part of the ISMS scope, the CISO may also be designated as the DPO.

    In such scenarios, you may want to consider the use of ISO 27701 which defines requirements for a Privacy Information Security Management System. 

    For further information, see:

  • Security concepts

    I’m considering that when you mention “security concepts”, and the listed standards, you mean “information security” concepts.

    Considering that, the three standards can be useful to you because together they cover concepts for both governance and management of information security:
    - ISO 27000 covers the general concepts about information security
    - ISO 27001 presents concepts related to information security management, i.e., how to identify and treat information security risks, and this standard requires the engagement of management
    - ISO 27014 covers concepts of Information Security Governance, i.e., on how to evaluate, direct, monitor, and communicate the information security-related activities within the organization

    You can also check this doctoral thesis from Dejan Kosutic that describes a holistic approach to cybersecurity management through a socio-technical system that balances strategic, organizational, risk & technology, and people aspects: https://www.researchgate.net/publication/357826918_The_Impact_of_Cybersecurity_on_Competitive_Advantage

    For further information, see:
    - Should information security focus on asset protection, compliance, or corporate governance? https://advisera.com/27001academy/blog/2017/03/13/information-security-focus-asset-protection-compliance-corporate-governance/
    - Integration of Information Security, IT and Corporate Governance https://info.advisera.com/27001academy/free-download/integration-of-information-security-it-and-corporate-governance

  • Changes affecting the documents

    1 - I would like to know how these new controls affect our purchased toolkit (Cloud_EN)?

    Reference: https://info.advisera.com/27001academy/free-download/overview-of-new-security-controls-in-fdis-iso-27002

    With the toolkit you purchased, you are entitled to receive free updates for one year after your purchase date. In this situation, you will receive updated documents reflecting the appropriate changes.

    2 - Should we include this new change in our implementation?

    Yes, you will need to implement the changes in controls.

    It is important to note that any required changes will have a transition period to be implemented after the release of a new version of ISO 27001 (in general this transition period is two years after a change in a management system standard, which is plenty of time to do this transition for most controls).

  • Reporting

    You asked

    7.8.2.1 i) The date of the test or calibration.

    For geology/mineral reports, is this necessary? I know there have been some changes in reporting requirements, but if the date of testing does not affect the validity of the results, is 7.8.2.1 i) necessary?

    Note that ISO 17025 states that all must be included unless you have a valid reason not to. This tells you that if you have considered the risk and are confident the results are reported suitably (not ambiguously), then you can justify a simplified report, as long as the information is retained, i.e., as long as you can find the raw data if you have a query and need to troubleshoot.

    You also asked about clause 7.4.3.

    The standard requires you to have a process to a) assess, against a requirement, that a sample is suitable for testing (for example, the criteria may be water in a 1 litre glass bottle, filled to the cap, temperature below 5 degrees Celsius); b) consult the customer and agree on the way forward if there are deviations; and c) record deviations and agreements and keep the records.

    For more information on what is required for ISO 17025, read the whitepaper Clause-by-clause explanation of ISO 17025:2017 available for download from https://advisera.com/17025academy/free-downloads/ and preview the toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/

  • Mass pieces for verification of balance

    You asked

    Does this mean that if you have mass pieces that are verified on a balance right after calibration of the balance, this is insufficient to prove 'fit for purpose'?

    No, that would not be sufficient. To meet the requirements of clauses 6.4.5 and 6.4.6, as well as 6.5, such mass pieces should be calibrated (not verified) by a “competent” laboratory, i.e., either by a calibration laboratory accredited to ISO 17025 for mass, or at least one which meets the requirements to perform and report the calibration competently according to ISO 17025.

    You also asked a number of questions regarding reporting. Note that ISO 17025 states that all must be included unless you have a valid reason not to. This tells you that if you have considered the risk and are confident the results are reported suitably (not ambiguously), then you can justify a simplified report.

    7.8.2.1 e) - If this is an in-house client, then a simplified report is suitable, as long as the sample is traceable and you have evidence of who the report was provided to.

    7.8.2.1 o) The way the authorisation takes place is not the issue, as long as it is traceable as to who authorised the report.

    7.8.1.3 No, not necessarily in a report, but the information must be available and traceable. Imagine there is a query: all information should be protected (from change) and be available for looking up, for example, within a LIMS, database or a record.

  • ISO17025 Stage 1 Application- Covid Testing

    You asked

    However, our method is not CE Marked and we may potentially need to apply for derogation. Is this something you have encountered before and can provide advice on how to go about this?

    I cannot tell, based on your comments, if your Quantitative Polymerase Chain Reaction (qPCR) is laboratory-based or point-of-care. For molecular point-of-care COVID-19 tests, the accreditation body will have specific requirements.

    Regarding the CE marking, I assume you are referring to the kit you use for your test. A CE conformity marking is applicable to goods, not a method. A CE-IVD mark is required for regulatory approval of a product for in vitro diagnostic use in Europe and other areas. I advise you to contact your accreditation body to determine if this impacts your accreditation.

    You also asked

    Secondly, any advice on what is required for a Stage 1 Declaration Application?

    Application for COVID testing accreditation as a private provider is government and accreditation body specific. The minimum standards depend on the type or purpose of test. This will be available from the accreditation body’s website.

    For example see https://www.gov.uk/government/publications/minimum-standards-for-private-sector-providers-of-covid-19-testing

    A Stage 1 Declaration Application typically involves a declaration stating that your tests meet the appropriate standard, and that you have at least applied for accreditation to the relevant international standard. That would be ISO/IEC 17025 or ISO 15189 for lab-based providers, and ISO 15189 and ISO 22870 for point-of-care testing providers.

  • New versions of ISO 27002 and 27001

    I am interested in this too. I have a customer who would like to be certified in Q1 2024. The project will start in June 2022. There seem to be 2 options:
      1. Go for version 27001:2013 certification in Q1 2024, and recertify in Q1 2027 on 27001:2019
      2. Go directly with 27001:2019

    What would the pros & cons look like? Is option 1 even possible? This is purely subjective, but somehow I imagine that once 2019 is out, 2019 audits will be more severe than 2013 audits because it's new. I imagine auditors being zealous with the updated standard ;-)

    Please note that in 2019 ISO 27001:2013 was confirmed without changes, so ISO 27001:2013 still is the current version of the standard.

    A new version of ISO 27001 is expected to be released by the second half of 2022, reflecting the changes of the new ISO 27002 in its Annex A, so if you want to be certified in 2024 it is better to go with the new set of controls, to avoid rework in adapting implemented controls to the new version of ISO 27001 Annex A.

  • Use of Internal QMS Audit Checklist

    It would be more effective to use an automotive process approach for quality management system process audits; the use of a checklist is not recommended.

    For this, it may be necessary to receive internal auditor training and training in the automotive process approach. During the audit, each QMS process should be asked about goals, risks, opportunities, responsibility, authority, training, etc.

    Apart from that, as an example, if the purchasing process is to be audited, clause 8.4 of the IATF 16949:2016 standard should be audited as the main subject. For the production process system internal audit, the IATF standard should be focused on clauses 8.5, 8.6, 8.7 and 9.1.

    But if you want to use a checklist to increase the practice of internal audit, you should prepare a question for each requirement specified as "shall" in the IATF standard.

  • ISO 27001 questions - Conformio/Toolkit

    We own the servers in a data center that is owned by a third party, so what does it mean that the provider has control? Our customers purchase our service as SaaS, but we on our side have suppliers who provide us the data center. The question is: does this mean that the provider who has control is the customer, us as the provider of the service, or the third-party service we use to rent the data center? How does this affect our risk matrix? We buy/rent our infrastructure, so what asset should we include in the risk matrix? What I understand is that we should mark ourselves as number 2 in this table. Am I correct?

    Considering that you are managing the servers in the data center, then your understanding is correct, you only need to include the servers, their software, and data in the ISMS. The physical location is out of scope.

    The impact on the risk matrix is that any risk related to the data center physical environment will be treated by transferring the risk to the provider (in general by including information security clauses in the contract or service agreement you have with them).

    In that case, should we include the data center as an asset of our organization or not, since this is something we rent? In that case this asset should not be included, is that correct?

    The data center needs to be considered in your risk assessment, but since the data center is out of the scope, it cannot be listed as an asset. In Conformio you need to list it as a third-party service, something like “colocation services” or "Renting the data center space", and use it in your risk assessment.

    Should we also include storage media as an asset, considering the scope of our business?

    In case the information you want to protect may be stored in such assets, and you have control over them at such a level that you can implement and manage security measures, then you should consider them in the ISMS scope. Otherwise, you should keep them out of the scope.

    When thinking about the assets "Internally developed software" and "servers", should we consider all the different products we are providing and servers we are using as separate assets, or can we just write general "Servers" or "Internally developed software" and that is enough?

    The rule of thumb here is that if the assets share the same risks, then you can treat them as a single asset, like “servers”. In case specific assets have specific risks, you should treat them separately, like “development servers” and “production servers”.

    For further information, see:

    When thinking about "Operating system" as an asset - does this refer to the operating systems we use in our organization where we are running the server or does it refer to the operating systems our customers are using when downloading and using our service?

    As for "Operating system" you need to consider any computers you have in the scope.

  • ISO 27001 Expert question

    1 - Is «System Management & processes» a good way of classifying documents when wanting to respect ISO 27001?

    Answer: I’m assuming your question is linked to this one: https://community.advisera.com/topic/documents-classification-plan-storage-for-process-documents-like-policies/

    Considering that, first is important to note that “classification” in ISO 27001 context is related to how sensitive information is to loss of its security properties (e.g., confidentiality, integrity, and availability). From this question, and the previous one, “classification” to you seems to be related to how documentation is organized, so for the rest of this answer I’ll use the term “document organization scheme”, and similar, to answer your doubts.

    Now, organizing documents according to which management system they belong to is as good as any other organization approach, provided the organization scheme fulfills the standard's requirements for document management. Please note that, in addition to this “document organization scheme”, when considering ISO 27001 you also may need to consider the information security classification. For example, documents from an ISO 9001 Quality Management System classified as “public” must not be stored in the same place as documents classified as “confidential”.

    The key issue you need to observe is how users will perceive this. It will be useless if users do not find it easy to create, find, use, and update documents.

    For further information, see:
    - Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
    - Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2021/06/27/how-to-manage-documents-according-to-iso-27001-and-iso-22301/
    - Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/

    2 - If the answer to question number 1 is « yes », then how to deal with documents like policies that are used by multiple SM & processes? I’ve seen in a SharePoint tutorial proposed by ISO 9001 experts that they were using metadata for document indexing. Does that mean that policies should be attached to multiple SM & processes at the metadata level?

    Answer: The use of metadata to index documents is a good approach to organize them, because regardless of where you store the documents, you can use metadata to filter them and show the users only the documents defined according to business requirements and information security criteria, and also it makes changes easier and more transparent to users.

    3 - If the answer to question number 2 is « Yes », then are there best practices in ISO 27001 about document organization apart from classification? In the ISO 2001 SharePoint tutorial the experts were saying that there was no obligation regarding the organization of documents and that they can be stored with or without hierarchy. But regarding access rights I suppose it can change things a lot. Is there something detailed about access rights to documentation in ISO 27001?

    Answer: ISO 27001 does not prescribe how to organize documents. It only requires that documents and records be easy to find and access when required. In terms of access control, the main requirement is that access rights consider business and legal needs.

    To see a tool which covers document management requirements in an ISO 27001 environment, I suggest you take a look at our solution Conformio (https://advisera.com/conformio/)

    In Conformio, documents are organized in folders such as:
    - Main Folder (ISO 27001)
    - Lists Reports Statements and Plans
    - Policies and Procedures
    --- Internal procedures
    --- Top management
    - Templates for manual editing

    You can add and customize folders according to your needs.

    For further information, including examples, see:
    - What kind of Document Management System (DMS) do you need for handling ISO 27001 documents? https://advisera.com/conformio/blog/2020/08/11/what-kind-of-dms-you-need-for-handling-iso-27001-documents/
    - How to handle user access management in an ISO 27001 project through Conformio https://advisera.com/conformio/blog/2021/05/05/how-to-handle-user-access-management-for-iso-27001-project-through-conformio/
    - Enable confidentiality in handling ISO 27001 documentation https://advisera.com/conformio/blog/2020/08/13/enable-confidentiality-in-handling-iso-27001-documentation/
