Search results


  • Missing ISO27001 References in List of Documents

    Thank you for your question.

    We answered it through Experta - you can find the answer here: https://experta.com/shared-post/0363839e-433b-4db0-bd3b-c44dcdac5764

  • Screening and vetting policy

    Please note that ISO 27001 does not require a Screening and Vetting Policy to be documented, and this is not a common document used in an ISO 27001 implementation.

    Considering that, to reduce the administrative effort in managing documents, guidelines for screening and vetting are included in the:

    • Statement of Applicability, as implementation method for control A.6.1 – Screening. The SoA can be found in folder 07 Applicability of Controls
    • Supplier Security Policy template, section 3.2 – Screening. This template can be found in folder 09 Annex A Security Controls
  • Asset and Risk Owners - can it be a role and also the name of an employee?

    ISO 27001 does not prescribe how to define asset/risk owner, so both role and name (used together or separated) are acceptable alternatives, compliant with the standard, for defining the asset/risk owner.

    We recommend always using only the role of asset/risk owner because changing a role as owner is less frequent than changing an employee, and this way, you will have less administrative effort. 

    For more information, check out how to handle an asset register/asset inventory.

    Read this article to find out the difference between risk owners and asset owners.

  • A.15.2.2 Managing changes to supplier services

    I have read the implementation guidance in ISO 2002 but I am still not sure what type of controls we should implement to be compliant with control A.15.2.2 (ISO 27001:2013). I understand that this concerns changes in supplier agreements and/or terms and conditions, changes in how our company uses the supplier services, etc. Could anyone share how you have implemented this control? We have a nonconformance from our recent audit regarding this, hence my question.

    Thank you in advance!


  • Risk Treatment Advice

    Hi Rhand,

    Many thanks for the comprehensive response.

  • Annual calibration

    Calibration laboratories only certify to ISO 17025. As a testing laboratory, any equipment needing calibration must be calibrated by a competent laboratory that provides a calibration report meeting ISO 17025 clause 7.8.4, Specific requirements for calibration certificates. Typically, such laboratories would be accredited. You would need the performance parameters of the device being calibrated and the metrological traceability of the calibration, i.e., the equipment used by the calibration lab has its own calibration and certificate traceable to national and/or international standards / SI units. Furthermore, they need the expertise to provide you with the measurement of uncertainty of the measurements/performance of the equipment they calibrate for you.
    For more information on ISO 17025 refer to Advisera ISO 17025 – Where to Start? at https://advisera.com/iso-17025/

  • Scope

    In this scenario, you can simply state in the ISMS scope document, section 3.4 Exclusions of the scope, that servers and networks related to companies B and C are not part of the ISMS scope.

    You can access the ISMS scope for editing by clicking on the “Compliance” link in the left-side panel and then “Implementation steps.” From there, you can access the step related to the ISMS document scope and edit it.

    For further information, see all you need to know about setting the ISO 27001 scope.

    This tool for defining the ISO 27001 ISMS scope can also help you.

  • Design exclusion

    I don’t know if I have all the relevant data from your situation. Based on the information supplied I highlighted two topics:

    • part of design and construction
    • validation done by external party 

    I would not exclude design from the scope of your management system. Why? Because:

    • The customer provides part of the design inputs (common situation), but your company does design too.
    • Validation done by an external party is a very common situation; that is why design validation is different from design verification. Validation is done by the client, or someone on its behalf, when design inputs were provided by the client.

    You can find more information here:

  • Internal audit checklist and report combined

    Your approach of combining the Internal Audit Report and Internal Audit Checklist is not very common, but probably will be acceptable for the certification audit. However, we feel this will take too much time so it is probably better to use the Internal Audit Checklist and the Internal Audit Report separately. 

    Whatever approach you take, make sure that you include all elements from the Internal Audit Report. For more information, see:

    • ISO 27001 internal audit: The complete guide https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/#section5

  • ISO 27001 Clause 4 - Scope

    The company’s ISMS scope can be different from the certified ISMS scope (i.e., the certified ISMS scope can be only part of the actual ISMS scope).

    Considering the difference, the certification auditor can proceed with the certification audit considering only the initial scope defined in the Audit Application Form (Sales and Marketing departments will not be audited). In case of a successful audit, only the scope defined in the Audit Application Form will be considered certified.
