Search results

Risk owner problem

Thank you!

ISO 22301 toolkit - audit procedure

Please note that ISO 22301 does not require clause 6.1 (Actions to address risks and opportunities) to be documented. Since they are related to the implementation of the BCMS, such actions are considered in the project plan, located in folder 01 Preparation for the Project.

Items related to clause 6.2 of ISO 22301 are covered in the template “Preparation Plan for Business Continuity”, located in folder 06 Business Continuity Strategy.

10.3 Appendix 3 Internal Audit Checklist

In case you are implementing only ISO 27001, you can exclude the references to ISO 22301 from your internal audit checklist. A certification auditor will not look for compliance against ISO 22301 if it is not part of the certification scope.

The checklist for ISO 27001 contains all necessary information to cover requirements related to cover continuity of information security in questions related to controls from section A.17.

This article will provide you a further explanation about building a checklist:

• How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

For further information, see:

• Free online training ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

Key management template

Please note that control A.10.1.2 is covered in the template Policy on the Use of Encryption, located in folder 08 Annex A Security Controls >> A.10Cryptography

Included in your toolkit there is a List of documents file which will show which controls and clauses of the standards are covered by each template

This article will provide you a further explanation about key management:

• How to use the cryptography according to ISO 27001 control A.10 https://advisera.com/27001academy/how-to-use-the-cryptography-according-to-iso-27001/

Vendor security clauses

Please note that “relevant clauses”, and how they are written, will depend on the context of each organization (i.e., results of risk assessment and applicable legal requirements), so we do not recommend such an approach when developing your own agreements.

In general terms, clauses to be considered would cover:

• Right to audit
• Notification about security breaches
• Adherence to security practices
• Response time to vulnerabilities
• Demonstration of compliance
• Management of supplier’s supply chain risks
• Communication of changes
• Maintenance of service levels

For further information, see:

• Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/

Question about BIA form

Please note that included in your toolkit you have access to a video tutorial that can help you on how to fill out this document, using real-life examples of what you need to write.

To access the tutorial, in your Inbox, find the email that you received at the moment of purchase - there, you will see a link that will enable you to access the video tutorial.

KPI requirements

The key performance indicators are used to analyse if an the QMS objectives have been achieved, so if the sales department includes some quality objectives in its processes and is included in the QMS scope, then KPIs should be used to measure if the objectives were achieved.

The following material will provide you more information:

- How to define Key performance indicators for a QMS based ISO 9001: https://advisera.com/9001academy/24/define-key-performance-indicators-qms-based-iso-9001/-iso-9001/
- How to Write Good Quality Objectives - https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
- Please check this free webinar on demand - The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/  - how to relate processes and objectives
- Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

Define Locations if all staff are remote

In terms of scope definition, you can state as location (company's headquarters) the home address of the founder / CEO of the company or the address of the office where the people accountable for the company can be found. You can define this address as the company's scope.

Regarding the remote workers, normally you do not control the environment where they are, so these are kept out of the scope, and you treat remote access as a risk in your assessment.

These articles will provide you a further explanation about defining scope:

• How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
• Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

Scope definition

1 - We established customers are interested parties in the ISMS.  I understand that.  My question is: if you then share the underlying infrastructure, for example a physical server that is running a virtual machine that the MSP owns, and a virtual machine of the customer.  The MSP has a responsibility to the customer as defined in the contract to keep the virtual machine available that resides on that physical server.  Then as far as the MSP is concerned with regards to ISO 27001 the physical server will be within scope as it is MSP owned along with the virtual machine that resides on the physical host because it is MSP owned.

This means the MSP has a physical host and a virtual machine that is in scope but the virtual machine that belongs to the customer is out of scope since it is only the MSP and not the customer that is looking for certification.  In addition, the MSP can’t be responsible for certifying all its customers.  So how do you define the Scope in this situation?  The customer virtual machine and MSP virtual machine on the same physical host are separated logically.   

Answer:  In the scope, you need to state just that: that your scope covers your physical environment and the virtual environment controlled by the organization, and that virtual machines not controlled by the organization are not part of the scope. Additionally, you should inform how the VM that is no controlled by you are separated from your virtual environment.  

To see how an ISMS scope document compliant with ISO 27001 looks like, please access this free demo: https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

For further information, see:
- Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/

2 - I’ve also been looking at your Conformio product. The problem we have is given the nature of our business MSP / ISP; I think we would need some additional support more so than just email.  Some one that understands our business and who we can speak to ask questions. A combination between Consultant and your product.  Do you offer anything like this?  Would there be an opportunity to work something out with Advisera to achieve this that meets our needs?

Thank you

P.S: I found your book Secure and Simple along with your website very helpful and well written. So thank you for that.

Answer: We provide one-on-one consultations with an expert who will help clarify any questions related to the implementation of ISO 27001 - this is not consulting, but through these consultations we transfer the know-how to our clients.