Search results

Is Statement of Applicability required for ISO 14001?

The statement of applicability is a unique part of ISO 27001 where you identify the controls applied, and this is not required for ISO 14001. Both standards have a scope and policy for the management system, but only ISO 27001 has a statement of applicability.

You can read a bit more on the ISMS statement of applicability in the article:

• Statement of Applicability in ISO 27001 – What is it and why does it matter?

A.15.2.2 Managing changes to supplier services

Control A.15.2.2 Managing changes to supplier services can be implemented by means of a change management process considering the following steps:

1. identification of what needs to be changed (e.g., hardware, software, documentation, etc.) and on which systems;
2. assessment of the criticality of the systems, information, and processes affected by the change;
3. re-assessment of the risks related to the systems, information, and processes affected by the change (e.g., current risks that may change, risks that may arise);
4. formal approval of proposed changes
5. development of an implementation plan, including, when necessary, procedures for aborting and recovering from unsuccessful changes and unforeseen events;
6. testing of the proposed changes before and after deployment of changes in production environment
7. communication of changes performed to all relevant persons.

You can use your change management procedure as a basis to manage changes related to your supplier.  

You can read more about managing changes in an ISMS according to ISO 27001 A.12.1.2 on our blog.

Missing ISO27001 References in List of Documents

Thank you for your question.

We answered it through Experta - you can find the answer here: https://experta.com/shared-post/0363839e-433b-4db0-bd3b-c44dcdac5764

Screening and vetting policy

Please note that ISO 27001 does not require a Screening and Vetting Policy to be documented, and this is not a common document used in an ISO 27001 implementation.

Considering that, to reduce the administrative effort in managing documents, guidelines for screening and vetting are included in the:

• Statement of Applicability, as implementation method for control A.6.1 – Screening. The SoA can be found in folder 07 Applicability of Controls
• Supplier security Policy template, section 3.2 – Screening. This template can be found in folder 09 Annex A Security Controls

Asset and Risk Owners - can it be a role and also a name of an employee

ISO 27001 does not prescribe how to define asset/risk owner, so both role and name (used together or separated) are acceptable alternatives, compliant with the standard, for defining the asset/risk owner.

We recommend always using only the role of asset/risk owner because changing a role as owner is less frequent than changing an employee, and this way, you will have less administrative effort. 

For more information, check out how to handle an asset register/asset inventory.

Read this article to find out the difference between risk owners and asset owners.

A.15.2.2 Managing changes to supplier services

I have read the implementation guidance in ISO 2002 but I am still not sure of what type of controls we should implement to be compliant with the control A.15.2.2 (ISO27001:2013). I understand that this is regarding changes in supplier agreements and/or Terms and conditions, changes in how our company uses the supplier services etc. Could anyone share how you have implemented this control? We have a non conformance from our recent audit regarding this hence my question. 

Thank you in advance!

Risk Treatment Advice

Hi Rhand,

Many thanks for the comprehensive response.

Annual calibration

Calibration laboratories only certify to ISO 17025. As a testing laboratory, any equipment needing calibration must be calibrated by a competent laboratory that provides a calibration report that meets ISO 17025 clause 7.8.4 Specific requirements for calibration certificates. Typically such laboratories would be accredited. You would need the performance parameters of the device being calibrated and the metrological traceability of the calibration. i.e. the equipment used by the calibration lab has its own calibration and certificate traceable to national and or international standards / SI units. Furthermore, they need the expertise to provide you with the measurement of uncertainty of the measurements/performance of the equipment they calibrate for you.
For more information on ISO 17025 refer to Advisera ISO 17025 – Where to Start? at https://advisera.com/iso-17025/

Scope

In this scenario, you can simply state in the ISMS scope document, section 3.4 Exclusions of the scope, that servers and networks related to companies B and C are not part of the ISMS scope.

You can access the ISMS scope for editing by clicking on the “Compliance” link in the left-side panel and then “Implementation steps.” From there, you can access the step related to the ISMS document scope and edit it.

For further information, see all you need to know about setting the ISO 27001 scope.

This tool for defining the ISO 27001 ISMS scope can also help you.

Design exclusion

I don’t know if I have all the relevant data from your situation. Based on the information supplied I highlighted two topics:

• part of design and construction
• validation done by external party 

I would not exclude design from the scope of your management system. Why? Because:

• The customer provides part of the design inputs (common situation), but your company does design too.
• Validation done by external party is a very common situation, that is why design validation is different from design verification. Validation is done by the client or someone on its behalf when design inputs were provided by a client. 

You can find more information here:

• ISO 9001 Design Verification vs. Design Validation
• What clauses can be excluded in ISO 9001:2015?
• Enroll for free course - ISO 9001:2015 Foundations Course 
• Book - Discover ISO 9001:2015 Through Practical Examples