Search results

ISO 27001 - exclusion of personal devices in the ISMS scope

You should include personal devices only if your company can have full control over them.

In case it is not possible to have such kind of control, you should keep them out of the scope. In this situation, the security rules for these devices must be regulated by means of agreements with employees who are using them.

Regarding the external auditor, he is not the one to define if risks are high for the company or not. This is the purpose of the risk assessment process. The auditor will only check if you performed the processes properly and if you have proper justification (i.e., risk assessment) for your decision to use or not an asset.

These articles will provide you a further explanation about ISMS scope and risk assessment:

• How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
• ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

Presenting changes on internal and external issues after a merger

A suggested way to present changes in internal and external issues in a merger situation is separating the issues in what issues were excluded and which ones were added due to the new situation.

Additionally, you also should consider comparing the number of changes with the number of issues that remained the same.

This approach will help management evaluate the impact of changes due to the merge.

This article will provide you a further explanation about internal and external issues:

• How to define context of the organization according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/

Scope question

You need to clearly state both companies in the ISMS scope statement. Affiliated companies are not automatically included in any ISO management systems scopes.

This article will provide you a further explanation about scope definition:

• How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

ISO 27001 Toolkit - Document 02.1

An item in the List of requirements needs to be specified at a level where the person responsible for its fulfillment understands what is needed to be done.

For example, for some persons you may need to specify only the name of the regulation (e.g., EU GDPR) or contract number, while for others you may need to be more specific, referring to specific clauses (like your example), or even writing them in the register.

This article will provide you a further explanation about requirements:

• How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

ISO 27001:2022

The new version of ISO 27002 will probably be released this year (its FDIS - Final Draft International Standard - is already published).

For further information, see:

• Main changes in the upcoming new version of ISO 27002 https://advisera.com/27001academy/blog/2022/01/30/main-changes-in-the-upcoming-new-version-of-iso-27002/

Software Development Templates

Please note that such templates are not mandatory for ISO 27001 neither they are commonly adopted by organizations in general.

The closest templates we can suggest you check to see if they can fulfill your needs are these ISO 9001 templates:

• Procedure for Software Development https://advisera.com/9001academy/documentation/procedure-for-software-development/
• Project Task https://advisera.com/9001academy/documentation/project-task/
• Project Plan and Review https://advisera.com/9001academy/documentation/project-plan-review/
• Change Review Record https://advisera.com/9001academy/documentation/change-review-record/
• Design Review Minutes https://advisera.com/9001academy/documentation/design-review-minutes/

For further information, see:

• Case study: Design and development in the software industry https://advisera.com/9001academy/blog/2017/02/08/case-study-design-and-development-in-the-software-industry/

4.2.4 and 4.2.5

1. How would we know what regulation is applicable if they have never stated?

If you are on the EU market, then each manufacturer of a medical device or its components must be in compliance with Harmonised or state of the art standards (Article 8 of the Medical device regulation MDR 2017/745).

Those standards you can find on the following links:

• Commission implementing decision (EU) 2020/437 https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L:2020:090I:TOC – 25/03/2020
• Commission implementing decision (EU) 2021/610 https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.L_.2021.129.01.0153.01.ENG – 14/04/2021
• Commission implementing decision (EU) 2021/1182 https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.L_.2021.256.01.0100.01.ENG&toc=OJ%3AL%3A2021%3A256%3AFULL – 16/07/2021
• Commission implementing decision EU 2022/6 of 4th January 2022 - https://eur-lex.europa.eu/eli/dec_impl/2022/15/oj

Basically, besides ISO 13485:2016, all manufacturers must also be in compliance with ISO 14971:2019 (Risk management for medical devices),  EN ISO 15223-1:2021 (for symbols), and EN ISO 20417:2021 - Information to be supplied by the manufacturer. Is there any other technical standard it would depend on the type of components: is it metal, is it plastic, or something else.

For more information, see:

• EU MDR Article 8 - Use of Harmonised standards - https://advisera.com/13485academy/mdr/use-of-harmonised-standards/

2. Can the toolkit ISO 13485:2016 be combined with the ISO 9001:2015?

Yes, it can, several requirements are very similar like internal audit process, corrective actions management, non-conformity process, and document management. At the end of the standard ISO 13485:2016 you have Table B1 Correspondence between ISO 13485:2016 and ISO 9001:2015, and Table B2 Correspondence between ISO 9001:2015 and ISO 13485:2016, therefore from both sides.

3. We don’t have to report to the authorities if we have a customer complaint. How would we right this in our procedure or would we leave this alone? Would we use the form also and if so how would we use this?

This just depends on whether or not your product is registered somewhere as a medical device separately. If not, then you do not have to communicate with regulators.

Question about ISO 27001 and ISO 22301

Implementing ISO 27001 and ISO 22301 considering only internal needs is acceptable for certification purposes. In this case, the “customers” can be some of the organization’s own internal departments (e.g., Projects department as a customer of IT department, Accounting department as a customer of the Sales department, etc.).

Later, when and if you identify the need, you can expand the certification scope to cover the organization’s Customer’s security and Service availability requirements.

These articles will provide you a further explanation about the scoped definition and interested parties:

• How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/ (the same concept applies to ISO 22301)
• How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301/

Annex A Controls in Conformio

1. Seems like you are informing me through Conformio that I should prepare Policies with Annex A controls to incorporate into them (as seems in Project Plan). In example Title : Incident Response Policy, we will mention the annex A controls in it. Shouldn't we just have a folder A.16 Incident Security Incident Management and files A.16.1 Responsibilities, A.16.1.2 Reporting Information Security Events, A.16.1.3 Reporting Information Security Weaknesses, A .16.1.4 Assessment of and Decision on Information Security Events, etc.?

Please note that organizing documents as you suggest only makes them more difficult to read and maintain.

Considering your example, instead of a single document defining how incident management is implemented you would have to keep seven independent documents.

Additionally, when you have a document that refers to controls from different sections (e.g., the Supplier Security Policy refers to controls from sections A.7, A.8., A.14, and A.15), reading and maintenance become even more difficult.

 For further information, see:

• How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/

2. Is there a Tool JUST on Risk Assessment?

To perform just risk assessment we have the Risk Assessment Toolkit (https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/) which comprises of the following documents:

• Risk Assessment and Risk Treatment Methodology
• Risk Assessment Table
• Risk Treatment Table
• Risk Assessment and Treatment Report
• Statement of Applicability
• Risk Treatment Plan

This article will provide you a further explanation about risk assessment:

• ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

These materials will also help you regarding risk assessment:

• The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
• Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-risk-management-in-plain-english/