Search results


  • Recording serial numbers when destroying hard drives

    ISO 27001 does not prescribe which information should be added and recorded about assets to be destroyed, so organizations are free to include the information they see fit for their needs, based on results of risk assessment and applicable legal requirements.

    Recording serial numbers for each HDD would be a good practice, because serial numbers are unique identifiers, and you wouldn’t need to create your own to keep track of destroyed assets in case of need.

    These articles will provide you a further explanation about assets disposal:
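    As an added example (not part of the original answer or of any Advisera material), the following Python script shows one way to capture the serial numbers the answer recommends recording. It assumes a Linux host and parses the JSON that `lsblk -J -o NAME,TYPE,SERIAL,MODEL,SIZE` prints; the sample output is constructed here, and the extra log columns (method, operator, witness) are an assumption of this example, not something ISO 27001 prescribes. The practitioner's check it adds: a drive that reports an empty serial (typical behind a USB bridge or RAID controller) is refused rather than logged with a blank field, because a blank field cannot later prove which physical unit was destroyed.

```python
"""Record drive serial numbers before media destruction (added example, not from the original post).

Parses the JSON printed by `lsblk -J -o NAME,TYPE,SERIAL,MODEL,SIZE` on Linux,
keeps whole disks only, and turns each into a row of the destruction log.
A disk that reports no serial is flagged instead of being logged with an
empty field: USB bridges and RAID controllers often hide the real serial,
and an empty field cannot later prove which physical unit was destroyed.
The log columns beyond the serial (method, operator, witness) are an
assumption of this example, not something the standard prescribes.
"""
import csv
import io
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample of `lsblk -J -o NAME,TYPE,SERIAL,MODEL,SIZE` output (not captured from a real host).
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "sda", "type": "disk", "serial": "WD-WCC4N1234567", "model": "WDC WD10EZEX", "size": "931.5G",
     "children": [
       {"name": "sda1", "type": "part", "serial": null, "model": null, "size": "931.5G"}
     ]},
    {"name": "sdb", "type": "disk", "serial": "", "model": "USB3 Bridge", "size": "465.8G"},
    {"name": "sr0", "type": "rom", "serial": null, "model": "DVD-RW", "size": "1024M"}
  ]
}
"""

FIELDS = ["date", "device", "serial", "model", "size", "method", "operator", "witness"]


def list_disks(lsblk_json: str) -> List[Dict[str, str]]:
    """Return whole disks only; partitions and optical drives are not destroyed units."""
    devices = json.loads(lsblk_json)["blockdevices"]
    return [
        {
            "device": d["name"],
            "serial": (d.get("serial") or "").strip(),
            "model": d.get("model") or "",
            "size": d.get("size") or "",
        }
        for d in devices
        if d.get("type") == "disk"
    ]


def find_missing_serials(disks: List[Dict[str, str]]) -> List[str]:
    """Devices whose serial came back empty: read the label serial by hand before proceeding."""
    return [d["device"] for d in disks if not d["serial"]]


def build_destruction_rows(disks: List[Dict[str, str]], method: str, operator: str,
                           witness: str, when: Optional[str] = None) -> List[Dict[str, str]]:
    """Build log rows; refuse disks without a serial and refuse duplicate serials."""
    missing = find_missing_serials(disks)
    if missing:
        raise ValueError(f"no serial reported for {missing}; record the label serial manually")
    when = when or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    seen, rows = set(), []
    for d in disks:
        if d["serial"] in seen:
            raise ValueError(f"duplicate serial {d['serial']}: two entries for one unit")
        seen.add(d["serial"])
        rows.append({"date": when, **d, "method": method, "operator": operator, "witness": witness})
    return rows


def to_csv(rows: List[Dict[str, str]]) -> str:
    """Serialise the rows as CSV for appending to the destruction register."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    disks = list_disks(SAMPLE_LSBLK_JSON)
    print("disks without a readable serial:", find_missing_serials(disks))
    # Log only the disk whose serial could be read; sdb must be handled by hand.
    print(to_csv(build_destruction_rows([disks[0]], "degauss+shred", "J. Doe", "A. Smith")))
```

    On a real host, replace the constructed sample with the output of `lsblk -J -o NAME,TYPE,SERIAL,MODEL,SIZE` and append the CSV to the register before the drive leaves your custody; the serial in the log should match the one printed on the drive label.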

  • Audit query

    In such cases, to decide whether this is a finding, you need to check whether the events that trigger the procedure have occurred.

    For example, if the trigger is something like "every 6 months" or "6 months after the last occurrence", and that period has not yet elapsed by the time of the audit, then it is acceptable that the procedure has not been carried out yet, and it is not a finding. Otherwise, it should be considered a finding.

    An example of a document that may not be activated when an audit takes place is the Disaster Recovery Plan or an incident treatment for a specific incident.

    For further information, see:

  • Customer Service Procedure

    There will be some changes, although the procedure is applicable to in-house and external clients. Depending on the organizational structure, there may be fewer or more changes. Simply go over the procedure step by step and customize it for your context. For example, a legal contract is not required if the laboratory is part of the same legal structure as the mine/production.

    Either way, the clients' (internal or external) requirements should be known, and agreements and deviations presented in writing for in-house clients as well. In most cases, the way you record the evidence and results can be simplified.

    Have a look at my response to a similar topic at https://community.advisera.com/topic/iso-17025-for-internal-quality-control-laboratory/

    You can also get a detailed description of the ISO 17025 Documentation Toolkit and free preview, at https://advisera.com/17025academy/iso-17025-documentation-toolkit/

  • Criteria to distinguish between deleting and not deleting data

    Anonymized data is not personal data. Moreover, the process of anonymization of personal data is equivalent to the deletion of personal data, because the process is irreversible and the data cannot be used to identify a data subject, directly or indirectly. So, according to the GDPR, you do not need to delete data that is not personal data. However, please pay attention that the data controller does not refer to pseudonymized data, which according to Art. 4 GDPR (Definitions) is "personal data [that] can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person". In this case, pseudonymized data is personal data and is subject to GDPR requirements, including obeying a controller request for personal data deletion.

    As part of our GDPR Toolkit, we have a document called Anonymization and Pseudonymization policy that you can use. Please check the links below:
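    As an added example (not part of the original answer or of the toolkit documents), the following Python code makes the distinction above concrete. It pseudonymizes a constructed set of records with a keyed token and keeps the token-to-identity table apart, shows that the set can still be joined back (so it is still personal data and an erasure request has to be honoured on both the record and the table entry), and contrasts it with an anonymized copy that drops the identifier and coarsens the quasi-identifiers so that nothing remains to re-identify. The record layout, the HMAC-based token and the choice of generalization (age bands, outward postcode) are assumptions of this example.

```python
"""Pseudonymised vs anonymised data (added example, not from the original post).

Pseudonymisation swaps the direct identifier for a token but keeps the
re-identification path (a key and a token->identity table) stored
separately, so the data set is still personal data and an erasure request
must be honoured on it.  Anonymisation removes or generalises the
identifying attributes with no way back, so nothing remains to erase.
"""
import hashlib
import hmac
from typing import Dict, List, Tuple

Record = Dict[str, str]
IDENTIFIER = "email"

# Constructed sample records (not real people).
RECORDS: List[Record] = [
    {"email": "alice@example.com", "age": "34", "postcode": "SW1A 1AA", "purchase": "laptop"},
    {"email": "bob@example.com", "age": "29", "postcode": "SW1A 2AB", "purchase": "phone"},
    {"email": "carol@example.com", "age": "71", "postcode": "M1 1AE", "purchase": "tablet"},
]


def _token(key: bytes, ident: str) -> str:
    # Keyed hash: without the key nobody can recompute tokens from candidate identities.
    return hmac.new(key, ident.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records: List[Record], key: bytes) -> Tuple[List[Record], Dict[str, str]]:
    """Return (pseudonymised records, token -> identity table).

    The key and the table are the 'additional information' of GDPR Art. 4(5):
    keep them in a separate store with their own access controls.
    """
    out, lookup = [], {}
    for rec in records:
        tok = _token(key, rec[IDENTIFIER])
        lookup[tok] = rec[IDENTIFIER]
        out.append({**{k: v for k, v in rec.items() if k != IDENTIFIER}, "subject_token": tok})
    return out, lookup


def reidentify(pseudo: List[Record], lookup: Dict[str, str]) -> List[Record]:
    """Join the pseudonymised set back to identities via the separately held table."""
    return [{**rec, IDENTIFIER: lookup[rec["subject_token"]]} for rec in pseudo]


def erase_subject(pseudo: List[Record], lookup: Dict[str, str], key: bytes, ident: str) -> List[Record]:
    """Honour an erasure request on pseudonymised data: drop the record AND the table entry.

    Deleting only the table row is not enough while the key exists, because
    the token can be recomputed from the identity; deleting only the record
    leaves the table as a standalone list of data subjects.
    """
    tok = _token(key, ident)
    lookup.pop(tok, None)
    return [rec for rec in pseudo if rec["subject_token"] != tok]


def anonymize(records: List[Record]) -> List[Record]:
    """Irreversible: drop the identifier and coarsen the quasi-identifiers.

    Age becomes a ten-year band and the postcode keeps only its outward code,
    and no table or key is kept, so there is no path back to a person.
    """
    out = []
    for rec in records:
        decade = int(rec["age"]) // 10 * 10
        out.append({
            "age_band": f"{decade}-{decade + 9}",
            "postcode_area": rec["postcode"].split()[0],
            "purchase": rec["purchase"],
        })
    return out


def is_personal_data(records: List[Record], lookup: Dict[str, str]) -> bool:
    """True if a record carries a direct identifier or a token the controller can still resolve."""
    return any(IDENTIFIER in rec or rec.get("subject_token") in lookup for rec in records)


if __name__ == "__main__":
    key = b"kept-in-a-separate-store"  # assumed to live in a different system from the data set
    pseudo, lookup = pseudonymize(RECORDS, key)
    print("pseudonymised set is personal data:", is_personal_data(pseudo, lookup))
    print("anonymised set is personal data:", is_personal_data(anonymize(RECORDS), lookup))
    pseudo = erase_subject(pseudo, lookup, key, "bob@example.com")
    print("subjects still resolvable after erasure:", sorted(lookup.values()))
```

    The practical consequence shown here is the one the answer draws: a deletion request reaching the pseudonymized set must remove the record and the matching entry in the separately held table, whereas the anonymized set carries no identifier and no table, so there is nothing left to delete.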

  • Risk assessment: minimum content?

    1 - In our Risk Assessment table, is there any "minimum" content we should have to be "credible" from an auditor point of view ? Seeing our scope and assets I've listed I think I'll end up around 150 lines in the table.

    ISO 27001 does not require a "minimum" number of risks, only that relevant risks are identified and treated.

    Considering that, the auditor will be more concerned about the quality of the identified risks (i.e., how relevant they are for the organization) than about their quantity. The single point you need to pay attention to is not to overlook obvious risks, i.e., risks that someone with proper competence in the process or asset would easily identify. To mitigate this risk, you need to include in the risk assessment the personnel involved with the process or asset.

    As for the number of risks you mentioned, 150 is a good number. As a reference point, when using the asset-threat-vulnerability approach, a small organization generally identifies between 50 and 100 assets, with 3 vulnerabilities and 2 threats for each asset, so it identifies between 300 and 600 risks.

    An important thing to note is that risks for which you have already implemented controls (and will only accept the residual risk) also count among your relevant risks.

    These articles will provide you a further explanation about risk assessment and treatment:

    2 - Is this Risk Assessment Table a good document you would be able to review for me and provide feedback on ? Or is this too specific to certain business (like ours that is focused on our SaaS platform) ?

    As part of your toolkit, you can submit a certain quantity of documents for our review, so we can provide feedback about your work, and the Risk Assessment Table can be one of them.

  • Process of ISO 27001 Audit

    I’m assuming your question is about a certification audit.

    Considering that, to successfully clear a certification audit you need to implement the Information Security Management System according to ISO 27001 requirements, which involves:

    1. getting management buy-in for the project;
    2. defining the ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding the organizational requirements and those of interested parties;
    3. development of risk assessment and treatment methodology;
    4. perform a risk assessment and define a risk treatment plan;
    5. controls implementation (e.g., policies and procedures documentation, acquisitions, etc.);
    6. people training and awareness;
    7. controls operation;
    8. performance monitoring and measurement;
    9. perform internal audit;
    10. perform a critical management review; and
    11. address nonconformities, corrective actions, and opportunities for improvement.

    This article will provide you a further explanation about ISMS implementation:

    About required documents, please see this article:

    To see how documents compliant with ISO 27001 look like, please take a look at the free demo of our ISO 27001 Documentation Toolkit: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

  • Finding SOC 2 auditor

    We are not aware of specific boards or professional associations of SOC 2 auditors, so your best approach would be looking for them on professional social networks like LinkedIn, Security groups on Google Groups, or the American Institute of Certified Public Accountants (AICPA), which certifies accountants to audit for SOC 2.

    This article will provide you a further explanation about SOC2:

  • Toolkit content

    I’m assuming you are referring to the content of the documentation toolkit.

    Considering that, please note that the Risk Assessment Table included in the ISO 27001 toolkit contains separate tabs listing examples of assets, threats and vulnerabilities to be used to fill in the Risk Assessment Table (in the cells of each specific column you can choose an item from a list). The only difference from the Conformio platform is that Conformio automatically suggests threats and vulnerabilities, while such functionality does not exist in the Excel sheet from the toolkit.

    For further information, see:
    - ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

    In case you are referring to Conformio, please note that the content of the paper "Diagram of ISO 27001 Risk Assessment and Treatment Process" is a visual presentation of how risk assessment and treatment is performed through the Conformio Risk Register module. You have the same resources available in the Risk Register; they are just not shown in a graphical format.

    For each risk entry you perform exactly the same steps:
    - when you choose an asset, a set of related vulnerabilities is presented
    - for each chosen vulnerability, a set of threats is presented
    - when impact and likelihood are defined, for those risks calculated as unacceptable, suggested controls to treat them are presented.

    When you access the Risk Register, there is a video presenting how to perform risk assessment and treatment in Conformio.

  • Implementing verification and validation of method in microbiology lab

    In order to implement ISO 17025 in a microbiology laboratory, all mandatory requirements must be met. In addition, for each method that you wish to be accredited for, the laboratory must perform verification of all standardized methods and full validation of in-house methods.

    Have a look at a similar topic Properly implementing section 7.2 and 7.6 for a microbiological lab at https://community.advisera.com/topic/properly-implementing-section-7-2-and-7-6-for-a-microbiological-lab/ and look at the provided links to the Toolkit documents.

    For more detail on what is required for ISO 17025, read the whitepaper Clause-by-clause explanation of ISO 17025:2017 available for download from https://advisera.com/17025academy/free-downloads/ and preview the ISO 17025 Academy toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/ 

  • Different references for manufacturer and distributor

    The best way is to use the code that is on the product, because that code will one day be in the EUDAMED database. This will make it easier for you to monitor if something is happening with the product on the market, e.g., if there has to be a product recall.
