  • Report on selection of software technology

    ISO 27001 does not prescribe such a type of report. In terms of systems development/acquisition, one document you can take a look at is the Specification of Information System Requirements: https://advisera.com/27001academy/documentation/specification-of-information-system-requirements/

    The purpose of this specification is to document all requirements for new information systems, and for improvements of existing information systems. This information can be used as input for your report.

    This article will provide you with a further explanation about system development:

  • Questions about laws and regulations

    1. Is the information up to date? Can we use it as it is? We operate in the USA, Germany, China, and also a bit in Spain and England.

    Please note that this list is not fully up-to-date because it depends on voluntary contributions from our readers. To make sure you have the latest list of laws and regulations, it would be best to hire a local legal adviser. You can use it as a starting point.

    2. Is this list valid for both the control A.18.1 Compliance with legal and contractual requirements and clause 4.2 Understanding the needs and expectations of interested parties? Or, what is the difference?

    You can use the information in this list to partially cover both clause 4.2 and control A.18.1.1 (you also need to consider contractual requirements).

    This article will provide you with a further explanation about needs and expectations:

  • Conformio - Bring your own device policy

    Please note that the BYOD concept is related to all kinds of devices that belong to employees and that are allowed to access the company’s information/information systems, so personal mobile phones are naturally part of the BYOD policy scope. In section 3.3 of this policy (Which devices are allowed), you can define which personal mobile phones, or other personal devices, are allowed to access the company’s networks.

    This article will provide you with a further explanation about the BYOD policy:

  • Template for guideline for testing and controlling measures for protection of information security

    We are not experts on German BaFin, but as a guideline for testing and controlling the measures for the protection of information security we suggest you take a look at this template:

    This article will provide you with a further explanation about an audit checklist:

  • Data center questions

    1 - Can we get a certificate for an empty data center? I mean that the data center is now empty, without any IT equipment. The equipment will be connected later, after we certify.

    Please note that ISO 27001 is about the protection of information security, and if there is no information to be protected in your data center it cannot be certified against ISO 27001.

    2 - And what are the data center dependencies if my ISO scope is going to be a data center only?

    When the ISO scope is the data center only, examples of dependencies can be:

    • business units that use the data center (they define requirements for the protection of information)
    • manufacturers of data center equipment
    • providers of communication links and electric power

    These articles will provide you with a further explanation about defining the ISMS scope:

  • Purchasing and Evaluation of Suppliers

    Sections 3.3 (Evaluating suppliers) and 3.4 (Criteria for selecting suppliers) apply to already approved suppliers. Section 3.2 describes the process of engaging new suppliers.

  • Toolkit content - A.6.1

    Please note that control A.6.1.1 Information security roles and responsibilities is implemented in all templates of the toolkit (it does not require a separate document). Also, top-level roles and responsibilities are listed in the Information Security Policy.

    Controls A.6.1.2 Segregation of duties, A.6.1.3 Contact with authorities and A.6.1.4 Contact with special interest groups do not require specific documentation, so there is no need to develop a policy or procedure for them.

    In cases like this, you only need to provide a record showing how it was performed. For example, for control A.6.1.2 you only need to provide a list of which activities were divided. For controls A.6.1.3 and A.6.1.4, you need to provide a list of which authorities / special interest groups need to be contacted. Since the presentation of this information can vary according to the information systems of each organization, it is unfeasible to provide a template for recording this information.

    About control A.6.1.5 Information security in project management, here's an article that explains the details of its application:
    - How to manage security in project management according to ISO 27001 A.6.1.5 https://advisera.com/27001academy/what-is-iso-27001/

  • Context of the Organization, where is this in Conformio?

    Clause 4 (Context of the organization) of ISO 27001:2013 has 4 sub-clauses:
    - 4.1 Understanding the organization and its context – ISO 27001 does not require internal and external issues related to the ISMS to be documented. These internal and external issues need to be taken into account when defining the scope (please see the explanation below).
    - 4.2 Understanding the needs and expectations of interested parties – the evidence for this sub-clause is the list of applicable legislation and contractual requirements, available in the Register of requirements module, and in the List of Legal, Regulatory, and Contractual Requirements report, generated by this module.
    - 4.3 Determining the scope – the evidence of this sub-clause is the ISMS Scope document
    - 4.4 Information security management system – all documents and records created in Conformio are evidence for this sub-clause

    In case the auditor requests evidence of clause 4.1, you can use the ISMS Scope document and the Risk Assessment and Risk Treatment report, because internal and external issues are used as input for their elaboration.

    This article will help you:
    - Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization) https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/

  • Accessories and standalone SaMD

    This is a rather specific situation and I would like to propose a call. But before that, I advise you to go through these guidelines published by the EU Commission:

    - Is your software a medical device? https://ec.europa.eu/health/system/files/2021-03/md_mdcg_2021_mdsw_en_0.pdf
    - MDCG 2019-11 Guidance on Qualification and Classification of Software in Regulation (EU) 2017/745 – MDR and Regulation (EU) 2017/746 – IVDR https://ec.europa.eu/health/system/files/2020-09/md_mdcg_2019_11_guidance_qualification_classification_software_en_0.pdf

    I believe that you will find your answers here. If not, let me know and we will arrange a meeting.
