Search results


  • Asset inventory

    The Asset Inventory spreadsheet and the Risk Assessment spreadsheet do not need to be exactly the same as long as you can relate the information between them, like the way you exemplified.

    Typically, Asset inventory (especially for mid-sized and larger companies) will be more detailed than the list of assets in the risk assessment. In case you have assets with similar risks you can add a category to group them to make the risk assessment easier. For example, instead of identifying each laptop individually, you can define a group called "company-owned laptops" and assign it to the laptop models included in your asset inventory.

    For smaller companies it makes no sense to have Asset Inventory since all the assets are already recorded in the Risk assessment.

    This article will provide you with a further explanation about the asset register:
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

  • Data Backup and Restore

    According to ISO 27001, the need for encryption of backup tapes will depend on the results of risk assessment and identified legal requirements.

    If you do not have risks, or legal requirements, that justify the implementation of encryption, you do not need to implement it.


    These articles will provide you with a further explanation about controls selection:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    - Backup policy – How to determine backup frequency https://advisera.com/27001academy/blog/2013/05/07/backup-policy-how-to-determine-backup-frequency/

  • Control diversification

    Indeed, for such small companies, this column is not practical, and it would be better for you to create a shortlist of objectives in the Information security policy or develop a separate document with them.

    Besides decreasing incidents occurrence, you can also define some controls objectives like:

    • cost reduction of fines related to legal breaches (e.g., to controls A.18.1.4 Privacy and protection of personally identifiable information and A.18.1.5 Regulation of cryptographic controls)
    • increase in information systems uptime (e.g., to controls A.16.1.5 Response to information security incidents and A.17.1.2 Implementing information security continuity)
    • increase in process effectiveness/efficiency (e.g., to controls A.12.1.3 Capacity management and A.14.1.1 Information security requirements analysis and specification)

    Regarding security incidents objectives, you do not need to define one for every clause. You can define a single objective for all the ISMS (e.g., at most 3 incidents for a year).

    For further information, see:

  • 10.1.2 Key management

    To audit control 10.1.2 Key management you need to identify the defined requirements for generating, storing, archiving, retrieving, distributing, retiring, and destroying keys. Once these are identified you can start verifying if the implemented processes are being performed according to the requirements.

    Examples of evidence are:

    • requests for key generation
    • records of key delivery to users
    • records of key revocation

    This article will provide you further explanation about key management:

  • Human Resources Policy

    1 - In designing an ISMS to ISO 27001 standards, are these non-security-related policies included or excluded?

    You need to evaluate if these policies define some sort of usage or handling of information included in the ISMS scope (for example, the Car Allowance Policy may require the user to provide information about his driver's license, and this information is included in the ISMS scope). The policies which define usage or handling of information included in the ISMS scope need to be included in the ISMS design.

    2 - Another question. My new organization uses the Plan-Do-Check-Act (PDCA) to write individual security policies like the business continuity management policy etc.
    My understanding is that the PCDA model is for the structure of the ISMS and not for individual policies. Am I wrong?

    The PDCA model can be used both for the structure of the ISMS and for the development of individual documents, such as policies and procedures.

    For further information, see:

  • Encryption for Backup/Restore

    1 - Do we need to encrypt all data during the backup/Restore process or not?

    According to ISO 27001, the need for encryption of backup tapes will depend on the results of risk assessment and identified legal requirements.

    If you do not have risks, or legal requirements, that justify the implementation of encryption, you do not need to implement it.

    This article will provide you with a further explanation about controls selection:

    2 - If yes, do we need to encrypt all the data or do we need to classify the data?

    In case you have risks or legal requirements that justify implementing encryption, the data to be encrypted will depend on the rules defined by the organization, usually defined in the Information Classification Policy.

    So, before defining which data will be classified, you will need to classify it first.

    For further information, see:

    3 - Who will decide what data should be encrypted?

    The person who will decide if data should be encrypted or not is the person responsible for the data (also called the information owner in ISO 27001). The decision will be related to the classification level attributed to the data.

  • Disaster Recovery Plan

    1 - May I ask, is the Disaster Recovery Plan a good control to start with, and the most important one? Also, it consists of many other controls that would then be covered at the same time?

    In fact, the Disaster Recovery Plan is one of the last controls to work on. The purpose of the Disaster Recovery Plan is to allow the quick resumption of information security and information technology activities in case of a disruption, so you need to understand first which information security controls are in place to start developing your plan.

    For further information, see:

    2 - I suppose our Head Software Developer, who also is in charge of Server Maintenance, would be the person to document these steps, as it is much more complex than just "copy-paste install backup".

    The person to be involved in the development of a Disaster Recovery Plan will depend on the defined disruptive scenario.

    For example, if the disruptive scenario involves only the loss of a server, then your Head Software Developer will be the person to be responsible for the plan. On the other hand, if the disaster involves not only the loss of the server, but also the loss of the server room, or an entire building, then you will need to involve more people, like the facility manager.

    This article will provide you with further explanation about developing a plan:

    These materials will also help you regarding developing a plan:

  • Calibration program

    You asked

    "How does the lab select the verification method?"

    This depends on the type of test method and its purpose. I assume as you refer to verification, your laboratory is using a Standard Method. If not, you need to perform a more detailed validation.

    Have a look at my explanation for the question "Which parameters will be verified for standard methods?" under Methods verification at https://community.advisera.com/topic/methods-verification/

    If you need more information on Validation, see my reply to Procedures for validation and verification of methods at https://community.advisera.com/topic/procedures-for-validation-and-verification-of-methods/

    You also asked

    "How does the lab measure the uncertainty?"

    For information on the use of the toolkit and the additional technical expertise required to evaluate measurement uncertainty, have a look at my reply to a previous question, Measurement uncertainty in chemical process, at https://community.advisera.com/topic/measurement-uncertainty-in-chemical-process/

  • Enquiries on Project Plan and review

    On the inputs, you can state if there is already any documented procedure, record, or contract with the supplier, i.e. any documentation that you already have and use in your company.

    Deliverables mean what the output of certain requirements will be. And resources means whether it is necessary to provide any resources for each phase, for example, people who will spend time on a certain phase, or finances (like the finances that you spent when buying this toolkit).

    For more information on the implementation process, please see the following:

    • Checklist of ISO 13485 implementation and certification steps https://advisera.com/13485academy/knowledgebase/checklist-of-iso-13485-implementation-and-certification-steps/
  • Performing IATF 16949 audits

    I think you are asking this question for internal auditor competency. According to article 7.2.3 of the IATF 16949:2016 standard, system auditors should have the following information.

    • understanding of the automotive process approach for auditing, including risk-based thinking;
    • understanding of applicable customer-specific requirements;
    • understanding of applicable ISO 9001 and IATF 16949 requirements related to the scope of the audit;
    • understanding of applicable core tool requirements related to the scope of the audit;
    • understanding how to plan, conduct, report, and close out audit findings.

    As you know, the basic tools are APQP, PPAP, FMEA, SPC, MSA. In these subjects, it may be necessary to show either the training record or the experience records on the CV.

    In addition, Control Plan, FMEA, and related manufacturing process experience are required for manufacturing process auditors.

    If your ISO 9001 certified internal auditors can demonstrate the above-mentioned competencies, they can carry out inspections. Apart from these, if there is an additional requirement from the customer's special request, it may be necessary to provide evidence on that subject.
