  • Incident Response and Business continuity Disaster Recovery instructor led training

    We do not have knowledge of instructors for these specific trainings, so your best approach would be looking for them on professional social networks like LinkedIn, or organizations that issue certificates for business continuity professionals like BCI and DRII. You may find the information you are looking for on these sites:

  • Business impact analyses questionnaire

    1 - What impact analyses should I document?

    The business processes to be considered are those related to the defined business continuity objectives. For example, if your business objective is to ensure continuity of customer support services, then the processes related to these services need to undergo business impact analysis (e.g., customer service tickets management, escalation process, etc.).

    For further information, see:

    2 - Do I take a granular approach and document things like power outages, or do things like power outages become a prerequisite to a process not being available?

    Please note that for Business Impact Analysis you do not need to take into account risks, only the impact of the disruption on the processes. Risk identification (so you can identify the ones with the most chance to occur) can be performed either before or after BIA, but it is a completely different and independent process.

    For further information, see:

  • Calling organization's products after certified ISO 13485 QMS in place

    With a certified ISO 13485 QMS in place, which is in alignment with the national regulatory body as well (though not audited by the national regulatory body), can an organization call its products:

    1. GMP grade products, or
    2. ISO 13485 conforming products, or
    3. ISO 13485 and GMP conforming products?

    Note: I have not used the word "compliant" for GMP since, as I understand it, the organization needs to be audited by the regulatory body to claim the same?

  • Clause 5.1 / internal audit

    To evidence fulfillment of clause 5.1, you need to look for evidence like:

    • management meeting minutes, where decisions like approval of information security policy and of information security objectives are recorded.
    • policies and procedures, where you can find definitions of security roles and responsibilities.
    • performance reports, where you can find the results related to information security objectives.

    As examples of questions, you can find them in the internal audit checklist template included in your toolkit, in the folder Internal Audit.

    This article will provide you with a further explanation about the internal audit checklist:

  • ISO 27001 questions

    1 - We are a translation company and have only identified one general entry - our customers - in the list 02.01 of statutory official contractual requirements. Could you tell us if this is enough?

    We are not legal experts, and without more information about your scope, we cannot provide a more robust solution.

    Please note that you may have other interested parties which may define requirements for information security, like suppliers, and the government. Additionally, as a translation company, you may have requirements regarding how translations should be performed (and if you do not comply with these your translation may have information integrity issues).

    Considering that, we advise you to hire legal expert advice to help you identify these requirements.

    For further information, see:

    2 - We obtain standard services from our service providers and do not always negotiate individual contracts. Is it sufficient for our certification if our service providers are themselves certified according to ISO 27001?

    It is not enough that your service providers are certified according to ISO 27001. You need to ensure they treat the risks related to them that you identified as relevant in the way you expect (e.g., if unauthorized access to information is a relevant risk to you, you need to ensure they treat this risk properly). This is normally handled by defining a contract or service level agreement with them that includes information security clauses covering the risks you want them to treat.

    For further information, see:

    3 - As a small company, management and IT have double roles of responsibility, so that the separation of duties is not always possible. Did we take this into account correctly in the documents? How is this to be dealt with in general?

    When separation of duties is not feasible to treat relevant related risks, you need to consider compensatory controls, like monitoring activities and management supervision, to ensure that even without segregation of duties the identified risks are properly handled.

    For further information, see:

  • Asset inventory

    First, it is important to note that an asset inventory is required for ISO 27001 only if:

    • there are unacceptable risks whose treatment demands such an inventory
    • there are contracts, laws, or regulations you have to follow which demand such an inventory
    • there is a top management decision demanding such an inventory

    If none of the above-mentioned situations occurs, then there is no need to keep such inventory.

    In case the inventory is required, the assets should be included considering those that can affect the information you want to protect. For example, if you want to protect R&D information, you need to identify on which servers, networks, and workstations this information flows through, is processed, or stored.

    For further information, see:

  • Risk Management and FMEA

    FMEA is the risk method that best meets all the requirements of ISO 14971:2019, so it is recommended that it be used for class I medical devices.

  • ISO 27001 Beginner

    To help beginners understand, implement and audit ISO 27001, Advisera provides several articles and downloadable materials that can provide guidance.

    Additionally, I suggest you take a look at the free demo of our ISO 27001 Documentation Toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

    This toolkit has the mandatory and most commonly used documents for an ISO 27001 implementation, and they include comments that can help to customize the documents to your organization's needs.

    These articles will provide you with a further explanation about ISO 27001:

    These materials will also help you regarding ISO 27001:

  • Query Regarding Internal Audit

    1 - Can ISMS policies (e.g., Access Control Policy, Human Resource Security Policy, ...) be in scope for internal audit?

    The internal audit can be performed in terms of implemented ISMS policies. You only need to ensure that all mandatory clauses and applicable controls are audited before the next certification/surveillance audit.

    For further information, see:

    2 - Can requirements within the ISMS policies be audit criteria, e.g., HR screening criteria - BS7858 as per regulatory requirements?

    First, it is important to note that audit criteria need to be something against which ISMS policies are compared, not something within ISMS policies, so you should think about requirements "applied" to ISMS policies, not "within" them.

    Considering that, requirements used to develop ISMS policies can be used as audit criteria. In your example, BS7858 requirements are the criteria against which you evaluate your HR screening policy.

  • Question about A.7.1.2

    1 - As I have understood it, control A.7.1.2 requires mandatory documentation on both of the above for the organization's own employees.

    I have difficulties defining the contractor part of this control. Does the control require mandatory documentation with contractors (in a supplier contract etc.)?

    ISO 27001 does not prescribe mandatory documentation to cover the description of information security responsibilities, so you can adopt the document that best fits your needs (e.g., a contract, a service agreement, a job proposal, a code of conduct, etc.).

    For further information, see:

    2 - I can see at least two kinds of contractor cases: hired employment (just people from a contractor who is specified in hiring people) and regular IT system vendors (and their own employees) with no employment status with us.

    Is the regular IT system vendors part up to us to freely define in the Supplier Security Policy, or are there mandatory documentation requirements?

    The supplier security policy is defined according to the results of your risk assessment and applicable legal requirements, and depending upon these elements they may have mandatory documents to write.

    For example, if your risk assessment identifies that these vendors need to comply with control A.9.1.1 (Access control policy), then they have to document such policy.

    This article will provide you with a further explanation about supplier security:
