
  • Paper documents found in warehouse

    In a general way, the proper treatment of such information will depend on the results of risk assessment and applicable legal requirements.

    For example, if the risks are low and there are no legal requirements, you do not need to apply specific protections for those documents. On the other hand, you may have a legal requirement (e.g., law, regulation, or contract) requiring the use of safes to protect such information.

    In case you already have the Information Classification Policy implemented, you need to consider the information classification this information has, and the related treatments identified in the policy.

    For further information, see:

  • Complying with EU GDPR

    If your company provides services to individuals based in the EU, you will need to appoint an EU representative, according to Article 27 GDPR. Of course, you don't have to if your service to EU individuals is occasional. You can offer your services internationally from the UAE, and if your customer base in the EU grows and the services will no longer be occasional, then you can appoint an EU Representative.

    Here you can find more information about the roles in the EU GDPR:

    If you need to understand how to comply with the EU GDPR you may consider enrolling in our free EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/ 

  • ISO 22301 toolkit - disaster recovery plan

    Please note that while ISO 22301 requires recovery plans to be documented, the standard does not define how to document them.

    The disaster recovery plan template included in the toolkit, as explained in the previous answer, has all the content structure you need to define the recovery plan (i.e., plans to return to normal). This was made this way to avoid creating additional documents, which would only unnecessarily increase the administrative work to maintain the documentation. In case you want recovery plans as separated documents, then you should use the blank template to develop this specific document.

    Please note that included in your toolkit there is a List of documents files that shows which clause of the standard is covered by each template. There you will find out that clause 8.4.5 is covered by templates Appendix 6 – Disaster Recovery Plan and Appendix 7 – Activity Recovery Plan.

  • Question about ISO 27001 and ISO 27002

    I’m assuming you are referring to the ISO 27001 documentation toolkit.

    First, it is important to note that ISO does not evaluate organizations against its standards. This role is performed by certification bodies.

    Considering that, compliance with ISO 27002 is not required for certification against ISO 27001.

    Regarding toolkit documents, they cover all mandatory requirements and the most commonly applied controls. ISO 27001 does not prescribe that there must be a document for each control. Controls are selected based on the results of risk assessment and applicable legal requirements.   

    For more information, see:

    This way we avoid making our documentation unnecessarily complex to use and maintain.

    This article will provide you with a further explanation about the mandatory and most commonly used documents for ISO 27001 (all of these are included in your toolkit):

  • Questions regarding ISO 27001 documentation

    1 - Regarding the users (destinatari in Italian), in your documents the term used is employees of the company. Since other subjects could be involved in the policies and procedures, we were wondering if we could use the following sentence for all the documents:

    Destinatari di questo documento sono tutte le persone che rientrano nel perimetro di applicabilità del SGSI di ***.

    Translated into English: The users of this document are the subjects who are included within the perimeter/scope of the company ISMS applicability.

    ISO 27001 does not prescribe who the users of the information security documents are, so the suggested change is possible and will not impact the certification process.

    For further information, see:

    2 - The second question:

    Within the Documentation in A.9.1 Policies for Access Control there is a document called La Dichiarazione di Accettazione dei documenti del SGSI. The translation in English should be something like Declaration of the ISMS documentation Acceptance. What is this document actually about? Is there a form of this document that we could use?

    Thank you in advance for your help.

    I’m assuming you are referring to the document “Statement of Acceptance of the ISMS Documents”.

    The purpose of this document is to provide a single register to oblige employees to observe all the documents prescribed by the organization in its information security management system (i.e., employees do not have to sign acceptance of each document separately).

    You can find a template for this document in folder 08 Annex A Security Controls >> A.7 Human Resource Security

  • local country leadership in trying to align ISO 27001 certs

    Considering your scenario, the possibility for alignment and consistency would be based on using a single certification body for all companies, or by reviewing the scopes in a way that they cover roughly similar processes (e.g., software development, R&D, or whatever these companies have in common).

    In case these possibilities aren’t feasible, then those companies may be very different, and it might not make sense to align them. 

    These articles will provide you with further information:

    These materials will also help you regarding ISO 27001:

  • Applicable ISO 9001 clauses for implementation in a software company

    If they decide to go for ISO 9001 certification, only clauses from section 8 can be candidates for classification as non-applicable. ISO 9001:2015 is a generic standard applicable to all kinds of organizations. The company:

    • Has clients and consumers – clause 8.2 is applicable.
    • Develops software - clause 8.3 is applicable.
    • Buys resources - clause 8.4 is applicable.
    • Software must be manufactured, lines of code have to be written and tested, bugs must be removed - clauses 8.5, 8.6, and 8.7 are applicable.

    Inside 8.5 typical candidates for non-applicability are:

    • Subclause 8.5.3 – does the company work with confidential information provided by the client? Does the company install the software at the client’s premises? If a new version of the software causes problems for the client, is the company liable? If the answer to one of these questions is yes, the clause is applicable.
    • Subclause 8.5.4 – preservation seems not applicable at first sight, but then look into the “NOTE”. You can find there the word “transmission”. What is that about? It is about how information is transmitted and protected, preventing risks of loss and tampering, and protecting information which may include property of the customer and supplier. There are examples of this information transmitted electronically, such as electronic payments, mail, electronic files, computer files, information available on websites, etc.
    • Subclauses 8.5.5 and 8.5.6 – include after-sales support and new versions.

    It seems that all clauses are applicable. 

    While considering the use of ISO 9001 for software development activities, consider this support ISO/IEC/IEEE 90003:2018 - Software engineering — Guidelines for the application of ISO 9001:2015 to computer software - https://www.iso.org/standard/74348.html

    For more information about exclusion (the correct ISO wording is applicability), consider the following:

  • PPAP, FMEA, QP, PSW in ISO 13485 toolkit

    Our course will cover these documents, and these documents are part of our toolkit. Our courses and documentation toolkit are designed to cover all the requirements of the standard. But for any other questions, we are at your disposal.

  • Supplier information security requirements

    Please note that the supplier information security requirements are based on the results of risk assessment and applicable legal requirements, which are exclusive for each organization because they are related to their context and risk appetite.

    For example, two organizations may have the same cloud provider, but because they have different risk appetites, a requirement for the less risk-tolerant organization may not be used by the more risk-tolerant one.

    Included in your toolkit there is a list of commonly adopted security clauses for suppliers and partners that can help you define your supplier information security requirements. This template is in folder 08 Annex A Security Controls >> A.15 Supplier Relationships.

    This article will provide you with a further explanation about security clauses for suppliers:
