Search results

Operational Security Objectives

I’m assuming you are referring to the Information Security Policy document.

Considering that, ISO 27001 is pretty flexible when it comes to defining your security objectives. In this case, when you didn’t have incidents in the year, you can set as an objective 0 incidents, or focus on other objectives.

This absence of incidents can in fact help to acquire new customers and increase revenue (potential customers will have more confidence to work with you), but please note that keep an objective of 0 incidents is a pretty hard one. 

Normally 3 to 4 objectives allow an ISMS to support properly the business, for example:

• one operational objective: system uptime
• one financial objective: increased revenue
• one business objective: entering a new market
• one compliance objective: fulfillment of GDPR

This article will provide you a further explanation about information security objectives:

• ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/

In this free online training, you'll find detailed guidance on setting the objectives:

• ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Advisory

My personal advice, to begin with, you can get a 2-day quality management system and ISO 9001:2015 standard training. If you are going to implement the IATF 16949:2016 system, this training can be 3-4 days. After that, you can review your work with the help of a consultant, and I think this will help you improve. You can get an online consultancy service, like 2 days a month.

Advisera tool kit helps you with reference documents in the documentation structure, but in my personal opinion, consultant assistance may be needed for a while.

For more information, see:

• How to define roles and responsibilities within an IATF 16949-based QMS https://advisera.com/16949academy/blog/2017/11/29/how-to-define-roles-and-responsibilities-within-an-iatf-16949-based-qms/
• How to establish QMS Statistical Process Control according to IATF 16949 https://advisera.com/16949academy/blog/2017/08/30/how-to-establish-qms-statistical-process-control-according-to-iatf-16949/
• How to define the scope of the QMS according to IATF 16949:2016 https://advisera.com/16949academy/blog/2017/06/28/how-to-define-scope-of-the-qms-according-to-iatf-16949/
• IATF 16949:2016 Documentation Toolkit  https://advisera.com/16949academy/iatf-16949-2016-documentation-toolkit/

Register of Legal, Contractual, and Other Requirements

The content of this register is defined by the interested parties (e.g., top management, customers, suppliers, employees, government agencies, etc.) which are relevant to your information security management system (ISMS), and are usually documented as laws, regulations, contracts, agreements, and other similar documents, which are identified in this document.

For example, you can have a service contract with your main customers where they require backup to be performed in a certain way and use a defined technology. In this template, you will identify the requirements (backup method and technology to be used), where they can be found (service contract ***), who defined them (customer), and who is responsible for it (e.g., IT manager), and the implementation deadline (e.g., end of October 2021).

Regarding contracts, you need to consider not only contracts with customers but also with employees and suppliers, i.e., with all parts that are relevant to information security.

You do not need to list all your customers. You can list only the more relevant ones (e.g., those with the highest values, the strategic ones, etc.), which can be identified by codes to protect privacy.

If you have signed the same agreements with e.g. customers, you do not need to list each party separately - you can only list them together, e.g. "customers" and specify the security requirements from those standardized agreements.

This article will provide you a further explanation about requirements identification:
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

Basic question on GDPR

No, there is no international standard that certifies GDPR requirements, although some standards can help you to implement GDPR principles and design correctly policies. I.e,  ISO27001 on information security or ISO17000 on conformity. Therefore, there is no expiration date and you will apply GDPR as soon as it will be enforceable. The previous EU directive had been enforceable for more than 10 years, so the time frame is long.

In order to verify the requirements to pass the CIPM certification, you should consult the IAPP website.

Here you can find more information about ISO standards:

• What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
• Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/
• 9 steps for implementing GDPR https://advisera.com/articles/9-steps-for-implementing-gdpr/
• Is the GDPR applicable to our company? https://advisera.com/eugdpracademy/knowledgebase/who-needs-to-be-gdpr-compliant-an-easy-explanation/

If you want to know how to implement ISO 27001 standards or the EU GDPR, you may consider enrolling in our free online foundations courses:

• Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
• EU GDPR Foundations course: https://advisera.com/training/eu-gdpr-foundations-course/

   

• CISSP

  ISO certification of persons works in a different way.

  Accredited ISO training providers comply with ISO 17024 – which provides general requirements for bodies operating certification of persons.

  Provided they fulfill this standard’s requirements, each training provider can have their own sets of questions to use in their exams.

  These articles will provide you a further explanation about ISO 27001 personnel certifications:

  • What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
  • What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
  • Lead Auditor Course vs. Lead Implementer Course – Which one to go for? https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/

  These materials will also help you regarding ISO 27001 personnel certifications:

  • Free online training ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
  • Free online training ISO 27001 Lead Auditor Course https://advisera.com/training/iso-27001-lead-auditor-course/
  • Free online training ISO 27001:2013 Lead Implementer Course https://advisera.com/training/iso-27001-lead-implementer-course/

• Cyber security certificates that guarantee entry-level work

  Please note that the answer to this question depends on the type of work you are considering (e.g., database security, network security, cloud security, security management, etc.).

  For ISO 27001, the lead ISO standard for information security management, the entry-level certifications would be:

  • ISO 27001 Foundations
  • ISO 27001 Internal Auditor

  More advanced certifications are:

  • ISO 27001 Implementer
  • ISO 27001 Lead Auditor

  These articles will provide you a further explanation about ISO 27001 personnel certifications:

  • What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
  • What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
  • Lead Auditor Course vs. Lead Implementer Course – Which one to go for? https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/

  These materials will also help you regarding ISO 27001 personnel certifications:

  • ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Free online training ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
  • Free online training ISO 27001 Lead Auditor Course https://advisera.com/training/iso-27001-lead-auditor-course/
  • Free online training ISO 27001:2013 Lead Implementer Course https://advisera.com/training/iso-27001-lead-implementer-course/

• Error proofing

  I don't think there is a standard for Error-proof devices. But according to article 10.2.4 of the IATF 16949.2016 standard; Both production and product verification methods of error-proof devices must be specified in the control plan. For example, let's assume that there is 100% control of the product on the production line with a camera. You verify this camera with the "NOK" master sample per shift. Here in the control plan, you need to enter the verification of each shift with the "NOK" master sample. 
   

• Question about training

  1 - I wanted to know for the Security Awareness Training, if we have our own training, can this be used and we just have to log when the training was completed? Who should participate in the training as all employees take this training.

  You can have your own training, but you need more than a log when the training was completed. You need to identify the training content and results achieved (e.g., who has participated, by means of attendance lists, who was approved, by means of exams results or certificates, etc.). In your toolkit, you have a Training and Awareness plan, located in folder 9 Training and awareness, that will help log all information you need to be compliant with ISO 27001 related requirements.

  Regarding whom needs to participate, you need to identify which security competencies need to be fulfilled, so you can identify who needs them. These are the people who need to attend the activities.

  For example, if you need to fulfill a gap related to clean desk and clean screen, may all employees in the scope will need this one. On the other hand, if you need to fulfill a gap in network security, maybe only IT personnel need to attend the activity.

  For further information, see:

  • How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/

  2 - It's from a site KnowBe4. I wanted to know for this part can our employees use this site or they have to use your site for ISO? Do we have to show who has had training?

  ISO 27001 does not prescribe how to perform awareness and training, so organizations can use their own training/awareness material, use a training provider, or adopt a mix of these approaches.

  Regarding training providers, you can use anyone you see fits your needs.

  Regarding records to be kept, the same records you keep when you perform training by yourself need to be kept.

• Classification

  To my understanding of this equipment, equipment that generates oxygen for medical applications is not a medical device. A medical device is the oxygen tank if that oxygen has a medical device purpose and not as medicine.  

• Checklist for medical device labeling including advertising and claims

  The best way to prepare the audit checklist is to go through the Annex 1 General safety and performance requirements of the Medical device regulation MDR 2017/745. There in Chapter 3 – Requirements regarding the information supplied with the device you have all requirements that need to be covered in labels and instructions of use

  For more information, see:

  • EU MDR Annex 1 – General safety and performance requirements https://advisera.com/13485academy/mdr/general-requirements/