Hi There
I am looking for a Gap Analysis worksheet / spreadsheet for ISO 27001:2022. Any ideas?
Many thanks
1. I have the ISO 27001 Internal Audit Toolkit English and am starting the internal audit. The checklist provided for ISO 27001 only has listed up to A.8.34. The Statement of Applicability has up to A.18.2.3. Could I have the checklist up to A.18.2.3, please?
From your question, I’m assuming you want to audit an ISMS compliant with ISO 27001:2013, whose Annex A has 14 sections (from A.5 to A.18) and 114 controls (from A.5.1.1 to A.18.2.3), while your Internal Audit Toolkit is compliant with ISO 27001:2022, whose Annex A has 4 sections (from A.5 to A.8) and 93 controls (from A.5.1 to A.8.34).
To audit an ISMS compliant with ISO 27001:2013, you will need the checklist compliant with the ISO 27001:2013 version of the standard.
Considering that, we will send you a copy of the internal audit checklist for the ISO 27001:2013 version of the standard free of charge.
2. Also, should the policy and procedure documents name specific individuals rather than job titles?
Responsibilities in policies and procedures can be defined in terms of individuals instead of a job title, but we do not recommend this approach, because every time the responsible person changes you will have to update all documents related to that person.
Please note that to properly identify the assets you need to talk to personnel from all the processes included in your ISMS scope, because these people will help you identify:
For example, HR personnel might tell you that the most relevant risks are related to payroll software.
Another example: a company’s laptops can be considered a valuable asset exposed to the same risks, and in this case you can consider a single asset (laptop), but in some cases you may need to have specific assets like financial laptops, development laptops, or sales laptops, because they are exposed to different risks.
The most important point is that you need to talk to the personnel who work with the information you want to protect, because they are the ones with the experience to identify the assets you need to consider.
For further information, see:
Since the company is compliant with ISO 27001:2013, you should use the 2013 version for the audit, but you can also ask them about their plans for migrating to the 2022 version, because their re-certification will most probably be against the 2022 version.
For further information, see:
It sounds to me as if this is only a customer complaint. Since there was no harm to the patient, user, or public, it is not necessary to report it to the competent authority.
No, you don’t need to have a VPN for all employees in order to be GDPR or ISO 27001 compliant.
Regarding GDPR, you must take all necessary technical and organizational measures to ensure appropriate protection for the personal data you process, according to Article 32 GDPR - Security of processing, so deciding whether you need a VPN for all employees should be done after evaluating all the risks to data subjects.
Regarding ISO 27001, the process is similar - you have to assess the relevant risks to your sensitive information and, based on those risks, decide whether to use a VPN.
Please also consult these links:
You said, “We need to do tests that require that they are done under a laboratory quality management system compliant with ISO 17025 or similar standards.”
I do not have the background on whether you are referring to testing medical devices, or whether you offer contract testing or internal testing of your own medical devices. I suggest you obtain some specific information from the party requiring this, as there are regulatory requirements related to medical devices.
As an overview, ISO 9001 is a general management system standard, not applicable for providing assurance that a laboratory is competent to perform a particular test from a technical perspective. The ISO 9001 requirements for management are included in ISO 17025, so with your ISO 9001 system certification you can implement the additional ISO 17025 requirements to work in accordance with ISO 17025 and thereafter achieve accreditation. ISO 17025 is specifically applicable to testing and calibration. Both ISO 17025 and ISO 13485 are competency-based standards with some overlap. Typically, a medical device manufacturer does not need ISO 17025 accreditation; however, when it comes to testing medical devices, many of the ISO 17025 practices are beneficial.
For some more information on ISO 17025 see this Q&A reply and links within: https://community.advisera.com/topic/17025-vs-13485/
Thanks for your answer, Rhand.
I don't see the benefit for us while there is also an Impact column in the risk spreadsheet.
Is this an ISO 27001 requirement? I.e., do we have to have this impact column in the inventory of assets?
The Documentation Toolkit based on ISO 27001:2022 is organized differently from version 2017 of the toolkit.
Documents based on the controls from ISO 27001:2022 Annex A are located in folder 09 Annex A Security Controls. The documents are not organized according to sections 5. Organizational Controls, 6. People Controls, 7. Physical Controls and 8. Technological Controls, because most documents cover controls from multiple sections and this kind of organization wouldn’t make sense.
For example: