Search results

Defining scope of application and scope for ISMS

The best ways to define an ISMS scope consider the information, processes, or locations you want to protect. An application cannot be defined as an ISMS scope.

Considering that, for your context, you can define the ISMS scope in terms of:

• the development and maintenance processes that support the web application
• the information processed by the web application

Please note that for companies up to 50 employees, the best alternative is to include all organizations in the ISMS scope, because the effort to keep only the organization in the ISMS scope is not worthy.  

These articles will provide you a further explanation about scope definition:

• How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
• Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

These materials will also help you regarding scope definition:

• How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

ISO 14001 and Fire response

A fire is a risk in your environmental management system (EMS). Also, fire is an environmental aspect under abnormal situations.

So, you determine fire as a possible environmental aspect. Is there any mandatory prevention and or response preparation under your organization’s compliance obligations?

Even without any compliance obligations, your EMS should evaluate the significance of that environmental aspect and its impacts. If it is deemed to be significant you should consider ISO 14001:2015 clause 8.2 and prevent and or prepare a response to a possible fire in your facilities.

You can find more information below:

• ISO 14001 emergency preparedness and response - https://advisera.com/14001academy/knowledgebase/iso-14001-emergency-preparedness-and-response/
• 5 steps to set up an emergency plan according to ISO 14001 - https://advisera.com/14001academy/blog/2014/07/23/5-steps-set-emergency-plan-according-iso-14001/
• Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-foundations-course/
• Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/

BC Strategy

Please note that departments in the scope may use different strategies depending on their needs (e.g., time to recover business operations, amount of acceptable data loss, etc.). For example, depending on the number of required personnel, the transport channel will vary between using own cars to taxis or buses. In case of reimbursement, some may be in cash or by means of wire transfer.

The point is that you may not assume that the strategy will be more or less the same. You need to take into account recovery objectives.

For further information, see:

• Can business continuity strategy save your money? https://advisera.com/27001academy/blog/2010/03/15/can-business-continuity-strategy-save-your-money/
• What is the difference between Recovery Time Objective (RTO) and Recovery Point Objective (RPO)? https://advisera.com/27001academy/knowledgebase/what-is-the-difference-between-recovery-time-objective-rto-and-recovery-point-objective-rpo/
• Developing the business continuity strategy according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/developing-the-business-continuity-strategy-according-to-iso-22301-free-webinar-on-demand/

Vendita di un piccolo centro estetico

La cessione dell'intera azienda comporta il subentro del nuovo acquirente in tutti i rapporti giuridici, attivi e passivi, pertanto nella disciplina della vendita sarà possibile cedere l'intero database dei clienti regolamentando nel contratto l'intera cessione. Al momento del subentro, il nuovo proprietario dovrà rilasciare ai clienti ceduti un'informativa ai sensi dell'art. 14 GDPR nella quale li informa del cambio di titolarità.

Qui puoi trovare alcuni articoli sul trattamento dei dati personali:

• È necessario il consenso? Sei basi giuridiche per il trattamento dei dati in conformità con il GDPR https://advisera.com/eugdpracademy/it/knowledgebase/e-necessario-il-consenso-sei-basi-giuridiche-per-il-trattamento-dei-dati-in-conformita-con-il-gdpr/

Se vuoi saperne di più qui trovi il corso gratuito EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/ 

Audit report

The common practice is to gather robust evidence to support the findings (i.e., concrete evidence of the observed facts and that defined requirements and/or plans are not being fulfilled) and keep constant communication with top management during the audit process (e.g., meet with them at the end of each audit day). Keeping information flowing is the best way to prevent top management from being surprised by the results of an audit.

For further information, see:

• 7 ways to improve the internal audits of your ISO 27001 ISMS https://advisera.com/27001academy/blog/2017/08/28/7-ways-to-improve-the-internal-audits-of-your-iso-27001-isms/

12.7 Internal systems audit considerations

The audit documentation included in the toolkit can be used for the general planning and agreement on how to audit operational systems (by using the Annual Internal Audit Program template) and the record of results (by using the Internal Audit Report), but please note that the detailed plan cannot be developed on these documents.

For the detailed plan you can use a 5W2H table, or the Risk Treatment Plan, located in folder 07 Implementation Plan, template as a base document.

Managing impartiality

Impartiality is the presence of objectivity. In the  context of the owner being the lab manager this means that through the recruitment and management of personnel, taking on and dealing with external providers of services and clients , the manager /owner needs to show awareness of impartiality risks, commitment and fair unbiased behaviour.  This is to ensure that the outcome or result of an activity is not compromised by a situation or action of the owner.

Have a look at the article How to ensure impartiality in an ISO 17025 laboratory at https://advisera.com/17025academy/blog/2020/10/12/ensuring-impartiality-in-an-iso-17025-laboratory/ for further guidance.

Meeting requirements for impartiality is about firstly structuring the organisational responsibilities and management to safeguard impartiality, then identifying and eliminating impartiality risks on an ongoing basis.

An independent auditor is essential and appointment of a (contract) independent quality manager would be a good mitigation of this risk. This is the best approach by having an organisational structure that safeguards and avoids any conflict of interest all risk to impartiality.

The managers commitment to safeguarding impartiality must be aligned to the objectives of the laboratory. This can be shown through a statement in the quality policy, ongoing discussions about impartiality with personnel, performing risk assessments and discussion in Management reviews.

Lastly, it  is essential to have a positive culture about quality so that personnel reporting to the manager are given the responsibility and authority to safeguard the quality and objectives of the laboratory. If for example, the owner decides to procure inferior quality reagents from a family member, this is an obvious risk to impartiality and risk to the quality of the laboratory results. In this case independent people (personnel and/or contract Quality manager) should be responsible for review of client contracts and new supplier and should be able to bring it to the owner / manager without any consequences.

The ISO 17025 toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/ may also be useful.

IATF Requirements

During the incoming inspection of the product, the features of the part according to the technical drawing should be checked. These are both size checks and visual checks. For example, controls such as color, burrs, deformation, and rust are visual controls.

If such features are specified in the technical drawing, visual checks should be made during incoming inspection. 

Smart devices

You can find a lot of useful information on the ENISA site: https://www.enisa.europa.eu/

For this specific need, you should take a look at ENISA’s control map at this link: https://www.enisa.europa.eu/topics/incident-reporting/for-telcos/guidelines/technical-guideline-on-minimum-security-measures/metaframework

Other useful information:

• https://www.enisa.europa.eu/publications/guideline-on-security-measures-under-the-eecc
• https://www.enisa.europa.eu/publications/5g-supplement-security-measures-under-eecc

Incident Management

While ISO 27001 only defines one objective for information security incident management, and seven controls that can be applied, it does not specify processes or activities to be performed. ISO 27035 defines detailed phases to be considered:

• Plan and prepare
• Detection and reporting
• Assessment and decision
• Responses
• Lessons learned.

The incident management procedure template included in the Iso 27001 toolkit presents a simple way to cover these phases in a general level to fulfill Iso 27001 requirements (where details related to the specific organizational context are needed, they are identified by comments in the template).

In this link, you can find more information about this standard: https://www.iso.org/obp/ui/#iso:std:iso-iec:27035:-1:ed-1:v1:en