1 - We established that customers are interested parties in the ISMS. I understand that. My question is about sharing the underlying infrastructure, for example a physical server that is running a virtual machine that the MSP owns and a virtual machine of the customer. The MSP has a responsibility to the customer, as defined in the contract, to keep the virtual machine that resides on that physical server available. Then, as far as the MSP is concerned with regard to ISO 27001, the physical server will be within scope as it is MSP-owned, along with the virtual machine that resides on the physical host, because it is MSP-owned.
This means the MSP has a physical host and a virtual machine that are in scope, but the virtual machine that belongs to the customer is out of scope, since it is only the MSP and not the customer that is looking for certification. In addition, the MSP can’t be responsible for certifying all its customers. So how do you define the scope in this situation? The customer virtual machine and the MSP virtual machine on the same physical host are separated logically.
Answer: In the scope, you need to state just that: that your scope covers your physical environment and the virtual environment controlled by the organization, and that virtual machines not controlled by the organization are not part of the scope. Additionally, you should state how the VMs that are not controlled by you are separated from your virtual environment.
To see what an ISMS scope document compliant with ISO 27001 looks like, please access this free demo: https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
For further information, see:
- Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
2 - I’ve also been looking at your Conformio product. The problem we have is that, given the nature of our business (MSP / ISP), I think we would need some additional support, more than just email: someone who understands our business and whom we can speak to and ask questions. A combination of a consultant and your product. Do you offer anything like this? Would there be an opportunity to work something out with Advisera to achieve this that meets our needs?
Thank you
P.S: I found your book Secure and Simple along with your website very helpful and well written. So thank you for that.
Answer: We provide one-on-one consultations with an expert who will help clarify any questions related to the implementation of ISO 27001 - this is not consulting, but through these consultations we transfer the know-how to our clients.
First, it is important to note that ISO 27001 does not prescribe such a requirement about the restriction of user IDs. This information can be found in ISO 27002, a supporting standard that defines guidance and recommendations for the implementation of ISO 27001 Annex A controls, and these are not mandatory and can be adopted at the discretion of each organization.
Additionally, in the recommendations for implementation of control A.9.2.1, you can find that shared IDs may be permitted where they are necessary for business or operational reasons, and in such cases, this use should be approved and documented.
Considering that, you can argue with your supplier that the use of shared accounts is possible without compromising ISO 27001 compliance, provided it is specifically approved and documented, but please note that the provider may have a business or legal reason to define this specific rule about no shared IDs in its policy and may not be allowed to open any exceptions. In this case it is your decision to accept this condition or not to make a deal with this provider.
As an alternative, you can open an email address in a specific name to which the supplier will send service tickets, and then automatically forward all received emails to the service email.
These articles will provide you a further explanation about ISO 27001 and access control:
- ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
- How to handle access control according to ISO 27001 https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/
Where you start assessing your quality system will depend on what you currently have in place. If you already have a management system documented, that meets the requirements, for example, of ISO 9001 or ISO 13485, then you would perform a gap assessment against the requirements of ISO 17025.
I suggest you start with the project plan. You can download a free Project Plan for ISO 17025:2017 implementation at https://info.advisera.com/17025academy/free-download/project-plan-for-iso-17025-implementation. The ISO 17025 toolkit has an Internal Audit checklist that can be used for this purpose. You can preview it from https://advisera.com/17025academy/iso-17025-documentation-toolkit, under “Performance and Evaluation”. It is also available for separate purchase.
For more information on ISO 17025 requirements, download the free whitepaper Clause-by-clause explanation of ISO 17025:2017 at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025
The UK is no longer part of the EU, so it has the Data Protection Act 2018 and the UK GDPR, which is almost identical to the EU GDPR. For transfers of data, I suggest you follow the guidelines of the ICO, which is the UK Data Protection Authority, because many steps to implement will depend on the country where data are stored or processed. You will need to apply the UK GDPR to data processing worldwide.
If you need to know more about how to transfer data to third countries under the EU GDPR, here you can find more information:
You can also consider enrolling in this free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/
Have a look at a previous reply for an approach that applies to all situations - Implementing Risk clause in food testing laboratory at https://community.advisera.com/topic/implementing-risk-clause-in-food-testing-laboratory/.
Also feel free to join the next webinar, How to manage risks in laboratories according to ISO 17025, or download a recording from https://advisera.com/17025academy/webinars. Here some specific examples are covered, using the Advisera Risk Register. The ISO 17025 Advisera Toolkit preview at https://advisera.com/17025academy/iso-17025-documentation-toolkit/ includes a procedure and registry for risks.
You can also download a helpful diagram, Diagram of the ISO 17025 Risk Management Process, which will show you the steps in the ISO 17025 risk management process. The diagram presents:
IATF does not prescribe how to store source code files or any other type of information, and at this point, there are some semi-regulatory quasi-technical documents that can be considered:
Basically, they do not define as good practice the use of external web-based storage sites such as Git hosting, provided you implement security measures to ensure only authorized personnel can have access to the code, like access control, cryptography, etc. Considering ISO 27001, the leading ISO standard for information security, you should perform a risk assessment to identify whether these controls are enough to provide the security you want in this scenario (for example, for basic applications such controls may be enough, but for more sensitive applications you should consider not using this approach).
For further information, see:
1. How to conduct gap analysis for ISO 13485?
You did not specify in your question what kind of GAP analysis you need. Gap analysis is about comparing the current situation of a company with standard requirements.
So please check the following link about performing gap analysis regarding the ISO 13485: https://advisera.com/13485academy/iso-13485-gap-analysis-tool/
You can also make a GAP analysis between ISO 9001 and ISO 13485 if you have implemented a quality management system according to ISO 9001:2015 and you now need to implement ISO 13485:2016. The best way to conduct this GAP analysis is to use the cross-reference table at the end of the ISO 13485:2016 standard (Annex B).
2. How to determine key performance indicators?
The term Key Performance Indicator refers to measurements you use to determine the performance and effectiveness of the QMS. This is completely up to you, but the main question you need to ask yourself is "What do I need to measure to know that my QMS processes are performing as expected and that they are effective?". KPIs also depend on a company’s strategy and competitive advantage. KPIs for a manufacturer of commodities are different from those of a manufacturer of innovative or differentiated stuff.
For more information regarding KPIs, please see the following article, regardless of its mention of the ISO 9001 standard:
How to define Key Performance Indicators for a QMS based on ISO 9001 https://advisera.com/9001academy/blog/2016/05/24/define-key-performance-indicators-qms-based-iso-9001/
For information about becoming a certified CMC registrar or auditor, please access these sites:
I’m assuming you are referring to the Information Security Policy document.
Considering that, ISO 27001 is pretty flexible when it comes to defining your security objectives. In this case, when you didn’t have incidents in the year, you can set an objective of 0 incidents, or focus on other objectives.
This absence of incidents can in fact help to acquire new customers and increase revenue (potential customers will have more confidence to work with you), but please note that keeping an objective of 0 incidents is a pretty hard one.
Normally 3 to 4 objectives allow an ISMS to properly support the business, for example:
This article will provide you a further explanation about information security objectives:
In this free online training, you'll find detailed guidance on setting the objectives:
My personal advice: to begin with, you can get a 2-day quality management system and ISO 9001:2015 standard training. If you are going to implement the IATF 16949:2016 system, this training can be 3-4 days. After that, you can review your work with the help of a consultant, and I think this will help you improve. You can get an online consultancy service, like 2 days a month.
The Advisera toolkit helps you with reference documents in the documentation structure, but in my personal opinion, consultant assistance may be needed for a while.
For more information, see: