
  • Corporate using of Conformio

    To answer this question properly it is necessary to evaluate how different the implementation of the applicable controls will be on both sites. In case single documents, like policies and procedures, can be used for both Business Units, then a single license will be enough. In case the differences in implementation may require that two policies covering the same topic are written (e.g., you need to have two different Access Control Policies), then the use of two licenses is recommended.

  • Accreditation duration

    It can realistically take from six to twelve months for the accreditation process to be completed, i.e., from application to accreditation.

    Once you have applied for accreditation with an accreditation body (AB) and submitted all the required documents, they will do a document review. This could take a few months depending on how busy the AB is. Depending on the extent of laboratory “readiness” (if documents are available and requirements met), it can be another month or more to close any gaps. It may then take another month or two before the initial assessment (audit) of your processes and documents. Finally, the laboratory may need another month or more to close any non-conformances before accreditation is achieved.

    For more information, have a look at the webinar What are the steps in the ISO 17025 accreditation process? at https://advisera.com/17025academy/webinar/what-are-the-steps-in-the-iso-17025-accreditation-process-free-webinar/

  • SoA - controls

    When only a task is defined as the implementation method of a control, it means that this control does not require specific documentation, so you do not need to develop your own policy or procedure.

    In cases like this, you only need to provide a record showing that the task was performed. For example, for control A.6.1.2 you only need to provide a list of which activities were divided. For control A.6.1.3 you need to provide a list of which authorities need to be contacted.

    For further information, see:

  • ISO 27001 Risk Assessment

    1. What would you say counts as existing control and how "secure" does it need to be to lower the risk level? (documented, implemented as a process, etc.?)

    “Existing controls” refers to controls that are currently implemented (i.e., documented, implemented as a process, as a technology, etc.), so it is not about “how secure does it need to be”, but “how secure it is” at the moment of the assessment.

    For example, for a data loss risk, you can mention that you already have a backup solution implemented (e.g., a software solution).

    2. If the already existing controls lower the risk level, which we suppose it does according to your video lessons, then the risk level might be so low that the risk doesn't need to be included in the risk treatment. And if it doesn't need to be included in the risk treatment, then we don't need to implement a control from Annex A to cover this risk?

    Have we understood this correctly? It seems a bit wrong to exclude Annex A controls that actually should be applicable.

    If you already have a control implemented, identified during risk assessment, you need to identify this information in the SoA, reporting the associated control as implemented.

    Considering the previous example, you need to report in the SoA that control A.12.3.1 Information Backup is applicable and its status is implemented.

    For further information, see:

  • ISO 27001 query

    I’m assuming that by DaaS you mean Device as a Service.

    Normally, control A.12.4.4 applies only to on-premise servers because these are the servers you fully control. If your risk assessment or requirements ask that both on-premise and cloud servers need to be synchronized, then regardless of the environment or cloud model, to be compliant with control 12.4.4 all servers in the same security domain (i.e., under the influence of the same controls) need to be synchronized to a single reference time source.

  • Toolkit content

    Please note that identification of which activities need to be restored first is done through the business impact analysis (this template can be found in folder 08 Annex A Security Controls >> A.17 Business Continuity >> 02_Business_Impact_Analysis_Methodology).

    For a summary of which server or service or process has to be restored first, and related dependencies, you can use the Recovery Time Objectives for Activities template, located in folder 08 Annex A Security Controls >> A.17 Business Continuity >> 03 Business Continuity Strategy.

  • Security asset inventory

    For a smaller company it is much quicker if the assets are listed during the risk assessment process - first the assets are listed, then relate threats and vulnerabilities to those assets. Essentially, the same effect is achieved as you suggested.

    For further information, see:
    - ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

  • Query on SOC 2 certification

    Considering the 45 templates in the ISO 27001 Documentation Toolkit, roughly 80% of the documents can be used to support a SOC 2 certification.

    This article will provide you a further explanation about ISO 27001 and SOC2:

  • Privacy by design and privacy by default

    Data Protection By Default and By Design is one of the key principles in GDPR, as stated by Article 25 and recital 78 (Appropriate Technical and Organisational Measures). Article 25 GDPR actually focuses on the implementation of the data protection principles stated in Article 5 GDPR through a proactive approach. It mentions that “the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects”. Thus, according to Article 25 GDPR, data protection must be thought of as ex-ante.

    Privacy by design is a concept first mentioned in 1995 by Ann Cavoukian, former Information & Privacy Commissioner, Ontario, Canada, and it encompasses 7 principles:

    - Proactive not reactive; preventive, not remedial
    - Privacy as the default setting
    - Privacy embedded into the design
    - Full functionality – positive-sum, not zero-sum
    - End-to-end security – full lifecycle protection
    - Visibility and transparency – keep it open
    - Respect for user privacy – keep it user-centric

    Her work shaped the modern privacy and personal data protection regulations today.

    You can find more information at these links:

  • Conformio - acceptance of residual risk in reports

    The residual risk is accepted in the Risk Register module, in the risk treatment step. After the definition of the risk treatment option and selection of applicable controls, the residual risk is automatically calculated and approved by the risk owner.

    Additionally, in the Risk Assessment and Treatment Report, the accepted residual risks are listed, and in the Statement of Acceptance of Residual Risks, there is a summary of the accepted residual risks and their respective risk owners. These documents can be found in the Documents module, ISO 27001 folder, Lists Reports Statements, and Plans sub-folder.
