Search results

Pre audit visit by our assessment organization

I can offer some comments here, but am not in a position to recommend a particular approach – it is up to your company to consider the benefit and risk. The optional pre-assessment on-site visit by the accreditation body (AB) will increase you accreditation costs significantly. The initial document review step that is included as part of the optional pre-assessment, is part of the non-optional initial assessment activity and fee anyway. Many laboratories do not go for a AB pre-assessment, accepting the risk of nonconformance findings (along with the financial benefit) as the document review step of the initial assessment will indicate if there are significant gaps that need to be addressed before the initial on site assessment by the AB. Even if the initial assessment onsite audit results in certain nonconformances, the laboratory will have time to address them. The only risk is possible delay in accreditation if the laboratory does not have a good understanding of the requirements for major activities. This could result in absent or ineffective implementations that are only observed as non-conformances during the onsite visit. The impact could be not being recommended for accreditation at the time of the initial assessment and having to re-apply after finishing the implementation. However, if your laboratory has given attention to the major mandatory requirements and technical competencies, then the likelihood of this should be low.

Furthermore, consider that in the current pandemic environment, many initial assessments are still being performed remotely, so it is not clear if the accreditation body would do an pre-assessment on-site visit. I suggest you engage with the accreditation body to help make your decision.

As a minimum, it is advisable to at least perform a full pre-accreditation gap assessment, including the technical scope using inhouse (independent internal auditors) or by a third party organisation or consultant, as part of your internal audit program. 

For further information see the article ISO 17025 technical internal audit: The basics

at https://advisera.com/17025academy/blog/2020/11/10/iso-17025-technical-internal-audit-the-basics/

The following will also provide more information on internal audits:

ISO 17025 document template: Internal Audit Procedure at https://advisera.com/17025academy/documentation/internal-audit-procedure/

The Five Internal Audit Procedure appendices Internal Audit Program, Internal Audit Checklist, Audit Nonconformity Report, Internal Audit Process Checklist and Internal Audit Report available separately from the procedure link above; or included in the toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/

Privacy Notices

You need to consider the purpose of data processing, not the mean. Why do employees fill these forms? If they fill the form to perform their job task, then, the processing is included in the employee privacy notice which is attached to the employment agreement (if not, you should).

If the form is a survey to better understand the education or expertise of your staff it may fall under the legitimate interest of the data controller (art. 6 lett. F) GDPR)

In case the processing is not included in the employee privacy notice you can decide whether to make a specific privacy notice or to implement the employee privacy notice.  

Here you can find more information on the legal basis to process personal data according to the GDPR:

• Is consent needed? Six legal bases to process data according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/

If you want to learn how personal data are processed under the EU GDPR you may consider enrolling in our free training EU GDPR Foundations course: https://advisera.com/training/eu-gdpr-foundations-course/

Normative Reference

You can include in the manual or use a List of compliance including regulations and statutory references. My recommendation is to have a separate document where you write this list. This is actually part of the needs and expectations from interested parties, for example complying with a law is a need from a government institution. 

For more information about normative references in ISO 9001:2015 see the following materials:

- How to include statutory and regulatory requirements in your QMS: https://advisera.com/9001academy/blog/2017/02/14/how-to-include-statutory-and-regulatory-requirements-in-your-qms/

- Free on-line course - ISO 9001:2015 Foundations Course: https://advisera.com/training/iso-9001-foundations-course/

- Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

Can company share their employee personal data?

No, it means that in the agreement with your client you state that personal data connected to the performance of the contract will be processed as stated in the attached privacy notice. You may also link to the web portal, but if you attach the privacy notice to the contract it is easier to demonstrate compliance to the obligation of providing information about data processing.

ISO 9001 Audit

You just need to include the records that have been produced when the implementation starts. During the first steps of the implementation you must to do an assessment of the training gaps that the personnel of your company have in order to prepare a training plan. The records produced from those training will be the ones you can include to demonstrate the competence of your people to  carry out the processes in an effective way.

For more information about training in ISO 9001, see the following materials: 

- https://advisera.com/9001academy/knowledgebase/how-to-ensure-competence-and-awareness-in-iso-90012015/

- Enroll for a free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/

- ISO 9001 Internal Auditor Course: https://advisera.com/training/iso-9001-internal-auditor-course/

- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

Sample data for MSP

Please note that is our policy does not offer such sample artifacts.

This is so because even organizations of the same industry and using the same IaaS provider have unique objectives and risk appetites, so the use of such sample artifacts can mislead organizations into adopting a security profile that does not fit their needs.

These genetic papers can provide you an idea about a filled in risk register:

- Checklist of cyber threats & safeguards when working from home (PDF) https://info.advisera.com/27001academy/free-download/checklist-of-cyber-threats-and-safeguards-when-working-from-home - Diagram of ISO 27001:2013 Risk Assessment and Treatment process (PDF) https://info.advisera.com/27001academy/free-download/diagram-of-iso-270012013-risk-assessment-and-treatment-process

Please note that you can schedule a call with our ISO 27001 expert, where he can give some tips on how to adapt Risk register, Statement of Applicability and your documents to your specific circumstances.

Additionally, since Conformio can automatically suggests threats, vulnerabilities, and applicable documents based on the specific assets you enter, you can use the examples provided in the abovementioned papers to see how the process goes through the platform.

Copying documents

I’m assuming the question you refer to is about the usefulness of using ISMS documents from other organizations on your own.

Considering that, the correct answer is that documents from other organizations are only useful as a starting point for developing your own.

This is so because documents from other organizations will not be adjusted to your context, so they can become too bureaucratic, or not provide proper security.

There wasn’t an alternative stating that it was forbidden to copy documents from other organizations because this is not always true. You may have access to documents from other organizations because they are of public nature, or because you may have some sort of agreement you have with them.

Conformio - setting up people and departments

1 - I am starting on the list of requirements. As far as contracts are concerned, I understand that we specify the clause(s) of the contracts and what they require. So, that seems fine so far.

Answer: Please note that the contracts in the list of requirements are those which prioritize the clauses your organization needs to comply with regarding interested parties (e.g., contracts with your customers).

Contracts that prioritize the clauses the interested parties need to comply with on your behalf are controlled through the Supplier Security Policy, which is provided by Conformio.

For further information, see:
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

2 - What detail is required.

2.1 - As far as legislation is concerned, I’m not sure how specific we get. For example, in relation to the UK GDPR/Data Protection Act 2018 do we just specify “Article 5(1)(f) of the UK GDPR - Integrity and Confidentiality (the security principle)”.

Answer: The level of detail must be sufficient to allow the designated person for complying with the requirement to understand what needs to be fulfilled, or where to find such information. Your example falls in the second type (i.e., you identify where the details to fulfill the clause can be found). An example for the first type would be including the information that a clause from a contract with a customer specifying that a full backup of all his information needs to be performed weekly.

2.2 - You have a helpful list of legislation that may possibly affect ISO 27001. Do you have a more detailed analysis showing which parts of those acts etc., are specifically relevant to ISO 27001? For example, I believe that the Human Rights Act and the Freedom of Information Act only applies to public authorities. 

There are quite a lot of acts etc., that I have heard for but don’t know in detail e.g., the Electronic Communications Act 2000. Do I have to work through all of these to see if they apply to us? That looks like a long job!

Answer: Please note that the list of legislation provided in Conformio is a starting point. Since each organization can have different levels of compliance needs for each one, it is unfeasible to provide a more detailed analysis. Our recommendation is for companies to hire local expert advice to help identify your specific needs.

3 - Valid from and deadline dates

3.1 - What are these dates aimed at?

Answer: The valid from date refers to the date when the requirement was published (i.e., when the law/regulation was published).

The deadline date refers to the date by when the requirement must start to be enforced in the organization (in most cases it is related to an enforcement date defined in the law/regulation).

ISO27001 Implementation

ISO 27001 consists of two parts:
1 - the main part of the standard, from clauses 0 to 10, out of which clauses 4 to 10 are mandatory. These clauses defined what an Information Security Management System (ISMS) needs to perform, document, record, and deliver.

2 - Annex A, which has 14 sections - it starts from A.5 to A.18. These sections contain the 114 controls, which defines information security requirements and controls objectives

ISO 27001 Annex A is based on British Standard BS 7799-1 (Information technology - Code of practice for information security management ), which had the following structure:

Foreword
0 introduction
1 scope
2 terms and definitions
3 structure of this standard
4 risk assessment and treatment
5 security policy
6 organization of information security
7 asset management
8 human resources security
9 physical and environmental security
10 communications and operations management 
11 access control
12 information systems acquisition, development and maintenance
13 information security incident management
14 business continuity management
15 compliance
Bibliography
Index

So, when this content was incorporated to ISO 27001 Annex A, version 2005, to facilitate the transition for those who used the BS standard, the names and section numbers from sections 5 to 15 of the old BS 7799-1 were kept, only including the "A." to indicate they are part of the ISO 27001 Annex. When ISO 27001 was updated to version 2013 this sequence was maintained.

Here you can see a further explanation:
- A list of sections in Annex A: https://advisera.com/27001academy/iso-27001-controls/
- What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/

This whitepaper also can help you:
- Clause-by-clause explanation of ISO 27001 (PDF) https://info.advisera.com/27001academy/free-download/clause-by-clause-explanation-of-iso-27001