Search results

Management Representative role choice

There is nothing in ISO 14001:2015 about the management representative. So, organizations can chose a temporary employee to fulfill the role. Even in previous versions where the role of the management representative was included allowed the use of a temporary employee to fulfill the role. Some years ago I acted as management representative for a company, while being a service supplier

Scope in Conformio

In the context of ISO 27001, interested parties are any entities (e.g., persons or organizations) that can influence your information security, or that can be affected by your information security activities. Considering that, and your examples, “local community” wouldn’t be an interested party, while your client would be.

Regarding provided services, these are not part of the interested parties or interested parties’ requirements. They would be part of the ISMS scope, i.e., the elements of your organization you want to protect considering interested parties and their requirements

For further information, see:

• How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301/
• How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

This material can also help you:

• ISO 27001: An overview of the ISMS implementation process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001-overview-isms-implementation-process-free-webinar-demand/
• How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/

Best approach in evaluating time and effort for certification

The implementation duration and costs depend on many variables (e.g., size and complexity of the scope, financial resources, and expertise available, etc.), but for very small and small-sized business generally is possible to implement ISO 27001 within 3 months.

For more information about the time needed for the implementation, I suggest you see this article: 

• How long does it take to implement ISO 27001/BS 25999? https://advisera.com/27001academy/blog/2011/11/08/how-long-does-it-take-to-implement-iso-27001-bs-25999/  - you should note that the timing in this article is what is needed for companies that use our toolkit (https://advisera.com/27001academy/iso-27001-documentation-toolkit/)

Regarding costs, what I can tell you are some cost issues you should consider:

• Training and literature
• External assistance
• Technologies to be updated/implemented
• Employee's effort and time
• The certification process

These materials can provide you more information:

• How much does ISO 27001 implementation cost? https://advisera.com/27001academy/blog/2011/02/08/how-much-does-iso-27001-implementation-cost/
• 5 ways to avoid overhead with ISO 27001 (and keep the costs down) https://advisera.com/27001academy/blog/2012/06/19/5-ways-to-avoid-overhead-with-iso-27001-and-keep-the-costs-down/
• How to Budget an ISO 27001 Implementation Project https://info.advisera.com/27001academy/free-download/how-to-budget-an-iso-27001-implementation-project/
• ISO 27001:2013 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
• ISO 27001 Documentation Toolkit https://advisera.com/27001academy/iso-27001-documentation-toolkit/

ISO 17025:2017 witnessing audit

Witnessing is a technique use during internal auditing that is applicable to many activities. Typically a laboratory would as a minimum include technical witnessing of personnel. You would decide which activities to witness, based on risk.  Look at the scope of work and for a particular activity, e.g a test method, why you would decide what steps to audit.  Take the process of receiving samples to releasing results as an example. If  you have new personnel performing sample preparation, one Internal witnessing could be them demonstrating that step. If for example there have been nonconforming events raised due to problems with reagents, then plan to witness that activity.

For more information on technical audits, see
https://advisera.com/17025academy/blog/2020/11/10/iso-17025-technical-internal-audit-the-basics/

Risk Assessment Questions

1. I have one hundred laptops, and thirty servers, do I list them all individually in the Risk Assessment Table?

You do not need to list individual laptops and servers in the Risk Assessment Table.

You can adopt a generic term like “laptop” or “server” if they share similar risks. In case there are laptops with specific risks, you can use specific assets like "laptop", "development laptop ", and "finance laptop ". The same concept applies to servers.

For further information:

• How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

2. The aforementioned devices are in outsourced data centers, but they still must be listed as risks, correct?

The devices only need to be listed as risks in your Risk assessment table if you have control over them (i.e., the outsourced datacenter only provides the physical facilities, and you need to handle the risks related to the devices).

In case they are controlled by the provider, then you should list the outsourced data center as an asset in your Risk Assessment Table (in this case you need to look for risks related to the supplier not protecting the devices).

For further information, see:

• 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

3. I am assuming that much of the risk will be transferred to the outsourcer?

This decision will depend on which part has control over the assets. For example, if you have control over the servers (e.g., you need to configure them), then it does not make sense to transfer the risks for the outsourcer. In case you only use the services provided by the servers, which are controlled by the outsourcer, then the risks related to them can be transferred to the outsourcer.

This article will provide you a further explanation:

• Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/

Toolkit content

First of all, we're sorry about this misunderstanding. 

In the context of ISO 27001, "analysis" means the assessment of consequences and likelihood to define how big a risk is, and there is no need to perform any additional analysis. The Methodology document in your toolkit explains the criteria for assessing consequences and likelihood, and the Excel sheet enables you to do it quickly by selecting the values and the risks are calculated automatically.

For further information, see:
- ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment

Implementation process

Roughly speaking, ISO 27001 implementation steps can be resumed in:

1. getting management buy-in for the project;
2. defining ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding organizational context and requirements of interested parties;
3. development of risk assessment and treatment methodology;
4. perform a risk assessment and define the risk treatment plan;
5. controls implementation (e.g., policies and procedures documentation, acquisitions, etc.);
6. people training and awareness;
7. controls operation;
8. performance monitoring and measurement;
9. perform internal audit;
10. perform management critical review; and
11. address nonconformities, corrective actions, and opportunities for improvement.

This article will provide you a further explanation about ISMS implementation:

ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/ 
To see how documents compliant with ISO 27001 looks like, please take a look at the free demo of our ISO 27001 Documentation Toolkit: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

These materials will also help you regarding the ISO 27001 implementation:

Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Regarding the selection of a consultant, the process needs to consider their experience & skills, reputation, and customized service.

For more information, please read this article:
- 5 criteria for choosing an ISO 22301 / ISO 27001 consultant https://advisera.com/27001academy/blog/2013/03/25/5-criteria-for-choosing-a-iso-22301-iso-27001-consultant/ 

Implementation duration

The duration from starting implementation to achieving accreditation depends on the size of the scope of work to be accredited and the resources available for the project. Typically it can take from 12 to 24 months. The process involves adopting and implementing all the mandatory activities and documenting the mandatory procedures to meet the  requirements of ISO 17025. Then it involves actively recording evidence using forms and having records available before applying for accreditation.

For more information on ISO 17025 see What is ISO 17025?at https://advisera.com/17025academy/what-is-iso-17025/ and the Free webinar – What are the steps in the ISO 17025 accreditation process? at https://advisera.com/17025academy/webinar/what-are-the-steps-in-the-iso-17025-accreditation-process-free-webinar/

Acting as DPO

It is better to avoid any conflict of interest, but if you work in a small company, and you are the only person that has the knowledge to act as a Data Processor Officer (DPO), your company may take some organizational measures to avoid any conflict of interest (i.e., implementing authorization process for some decision that may conflict with your role as DPO).

Here you can find some information about the DPO role:

• The role of the DPO in light of the General Data Protection Regulation https://advisera.com/eugdpracademy/knowledgebase/the-role-of-the-dpo-in-light-of-the-general-data-protection-regulation/

Cancellazione dati positivi in corso presenti nelle banche dati sic (crif. ctc. experian)

No, la base giuridica del trattamento nelle banche dati pubbliche è da rinvenirsi nella legge e nell'interesse pubblico. Il diritto di cancellazione, di cui all'articolo 17 GDPR, consente all'interessato di ottenere la cancellazione dei propri dati in alcune circostanze e a condizione che non si applichino le eccezioni. Tra le eccezioni, l'art. 17 paragrafo 3 lett. b) GDPR include l'interesse pubblico ed è il motivo per cui non è possibile ottenere la cancellazione.

Se vuoi sapere di più sui diritti dell'interessato, qui puoi trovare un articolo:

• I diritti degli interessati secondo il GDPR https://advisera.com/eugdpracademy/it/knowledgebase/gli-8-diritti-degli-interessati-secondo-il-gdpr/

Se invece vuoi saperne di più su come implementare il GDPR, puoi iscriverti al corso EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/