There is no generic model based on the process approach that is valid for all companies. The best models are those designed specifically for each company and using language that people in the company understand. I recommend watching the free on-demand webinar called The Process Approach - What It Is, Why It Is Important, and How to Do It - where I try to explain how to design a model.
Another possibility is to participate in this Live Virtual Training.
1 - is there a tool to help with risk assessment coverage from ISO 27k to 9k/20k?
I need to update the risk assessment and wanted to know if there is set guidance and/or a tool to assist.
Please note that risk assessment for each standard has different purposes and different assessment criteria, so it is not common to find a single tool to cover these at the same time.
2 - Is there a set policy or regulations for doing a risk assessment to include these additional ISOs?
On these links, you will find demos for risk assessment documents for each standard, so you can evaluate if they can help you:
This is an acceptable approach compliant with the standard to evidence document review.
Please note that a document review does not necessarily need to lead to changes in it, so you can update the change history of the document to include the information about when the document was last reviewed and that no need for change was identified.
1 - Printed documents
The documents are stored in electronic format in most organisations, but nowhere on the document does the statement ‘uncontrolled when printed’ or similar appear in the header or footer. We have always inserted this statement into all documents within our work, as otherwise a printed document could be picked up and used without checking that it is the latest version.
We also note that a lot of certification bodies would pick up a non-conformance in these instances. Can I ask why this statement is not included on all electronic documents please?
Answer: An ‘uncontrolled when printed’ statement is not included in the templates because the Procedure for Document and Record Control, section 3.3 - Publishing and distributing documents; withdrawal from use, does not make a distinction between handling electronic and printed versions of documents, i.e., the documents in all formats need to be controlled.
This is so because the purpose of ISO 27001 is to protect the information, and printed documents, in current or obsolete versions, may still contain classified information that needs to be protected, so they need to be controlled until the information becomes unclassified.
On top of this, ISO 27001 clause 7.5.3 requires all ISMS documents to be controlled.
2 - Improvement / non-conformance log
I cannot find a register for non-conformance or what I would call an improvement log / register. The toolkit has a corrective action procedure and a corrective action form template only. We would always include an improvement log where all non-conformities and improvement suggestions (complaints, issues, improvement ideas and changes to documented information, processes or context) are recorded according to their source. In other words, a spreadsheet register that matches the non-conformance form fields but allows one to view all non-conformities / issues in one place without having to sift through a pile of forms to find out which ones are overdue or still open.
Answer: Please note that nonconformities and opportunities for improvement are recorded in the Internal Audit Report template, located in the folder Internal Audit.
The approach you are suggesting is a good idea for better management of improvements, but we found that our customers prefer to have the least amount of documents - since such a Register of nonconformities is not a mandatory document, we decided not to create this extra document. Of course, if a customer wants to create such an additional register, we support them in such an effort.
3 - Document control
I don’t understand the document control procedure, as it does not state how a change request is raised for consideration (a document change request, for instance). Again, we would not call this a non-conformity, but it would be raised in the improvement log prior to any change of document being authorized. What is this ‘Track changes’ referring to, please?
The procedure states:
All changes to the document must be made using "Track changes," making visible only the revisions to the previous version, and must be briefly described in the "Change History" table; if Track changes option is unavailable, or if the changes are too numerous, then the Track changes option is not used.
Each document should preferably have a "Change History" table used to record every change made.
Answer: ISO 27001 does not prescribe how to start the process of changing a document, only that changes need to be reviewed and approved.
Again, we are aiming at having the least amount of documents because this is what customers prefer.
You can summarize the need for change in the section ‘Change history’ included in each template.
About ‘Track changes’: it is a feature of word processor software, like MS Word, which allows the identification of deleted and inserted text in a document.
4 - The toolkit does not contain a document register?
This is going to make it difficult to show the latest version of all documents – most certification bodies, in my experience, are looking for a master document register.
Hope that makes sense, and apologies if I am missing something.
Answer: ISO 27001 does not require a master document register to be maintained (this would only add another document to be maintained). As an alternative, we suggest that customers keep the documents in the same folder structure as the toolkit, only including a sub-folder “obsolete” in each folder, so each folder will have the current version of each document, and the sub-folder will store the obsolete versions.
Showing the document version can be resolved very easily by adding the version number to the file name - e.g., 'Information Security Policy EN ver 1_2.docx'.
Hi there,
Looking for a Gap Analysis worksheet / spreadsheet for ISO 27001:2022. Any ideas?
Many thanks.
1. I have the ISO 27001 Internal Audit Toolkit English and am starting the internal audit. The checklist provided for ISO 27001 only has listed up to A.8.34. The Statement of Applicability has up to A.18.2.3. Could I have the checklist up to A.18.2.3, please?
From your question, I’m assuming you want to audit an ISMS compliant with ISO 27001:2013, whose Annex A has 14 sections (from A.5 to A.18) and 114 controls (from A.5.1.1 to A.18.2.3), while your Internal Audit Toolkit is compliant with ISO 27001:2022, whose Annex A has 4 sections (from A.5 to A.8) and 93 controls (from A.5.1 to A.8.34).
To audit an ISMS compliant with ISO 27001:2013, you will need the checklist compliant with the ISO 27001:2013 version of the standard.
Considering that, we will send you a copy of the internal audit checklist for the ISO 27001:2013 version of the standard free of charge.
2. Also, should the policies and procedure documents name specific individuals rather than job titles?
Responsibilities in policies and procedures can be defined in terms of individuals instead of job titles, but we do not recommend this approach, because every time the responsible person changes you will have to update all documents related to that person.
Please note that to properly identify the assets you need to talk to personnel from all the processes included in your ISMS scope, because these people will help you identify:
For example, HR personnel might tell you that the most relevant risks are related to payroll software.
Another example: a company’s laptops can be considered a valuable asset exposed to the same risks, and in this case you can consider a single asset (laptop), but in some cases you may need to have specific assets like financial laptops, development laptops, or sales laptops, because they are exposed to different risks.
The most important point is that you need to talk to the personnel who work with the information you want to protect, because they are the ones with the experience to identify the assets you need to consider.
For further information, see:
Since the company is compliant with ISO 27001:2013, you should use the 2013 version for the audit, but you also can ask them about their planning for migrating to the 2022 version, because their re-certification will most probably be against the 2022 version.
For further information, see:
It sounds to me as if this is only a customer complaint. Since there was no harm to the patient, user, or public, it is not necessary to report it to the competent authority.
No, you don’t need to have a VPN for all employees in order to be GDPR or ISO 27001 compliant.
Regarding GDPR, you must take all necessary technical and organizational measures to ensure appropriate protection for the personal data you process, according to Article 32 GDPR - Security of processing, so deciding whether you need a VPN for all employees should be done after evaluating all the risks towards data subjects.
Regarding ISO 27001, the process is similar - you have to assess the relevant risks for your sensitive information and, based on those risks, decide whether to use a VPN.
Please also consult these links: