Thank you for this. I am confused though. I realize that ethnicity is a "special category" of "personal data", but if we don't collect any PII (name, email, IP address, etc.), then how is the data subject to exercise their rights for the erasure of the data? We have nothing to specifically identify the data record after the survey has been completed.
Unless your client has specific legal requirements (e.g., laws, regulations, or contracts) demanding a separate set of documentation, integrating common documents of both ISO 9001 and ISO 27001 is recommended, to avoid unnecessary duplicated documents (e.g., a procedure for document and record control, internal audit, etc.).
Regarding the integrated toolkit for ISO 9001 and ISO 27001, this one is not available, but you can use the documents referred to in the paper you downloaded as guidance.
These articles will provide you with a further explanation about integrated systems:
This material will also help you regarding ISO 27001 and ISO 9001:
RTO (Recovery Time Objective) is defined based on how fast you want to resume your operations after a disruption, while RPO (Recovery Point Objective) is defined based on how much data you can afford to lose due to a disruption.
For example, if an application has an RTO of 1 day and an RPO of 4 hours, it means that this application can be recovered (resume normal operation) in one day, but the information from the last 4 hours before the interruption occurred will be lost.
Business Continuity strategies refer to high-level actions to be developed to achieve defined continuity objectives.
For example, to ensure the objective of recovering operations in a defined timeframe, the strategy adopted may be the use of an alternative site. Another example is a backup strategy (which could be incremental, differential, etc.).
Testing and exercising are activities performed to find what doesn’t work in your business continuity in a controlled situation. In other words, when you lack real incidents, you create simulated ones to be able to improve your plans.
These articles will provide you with a further explanation about these concepts:
This material will also help you regarding business continuity:
Hi, just following on from the webinar last week regarding the Certification Process, which was very good, thank you. I've a couple of questions if that's OK:
1 - Training / Awareness
Prior to the webinar we had been led to believe that our planned approach – namely:
Publish the IS policy & notify everyone it is available – but not actually record who has read it
Publish a number of awareness bulletins and encourage people to discuss them at team meetings
Run a small number of online sessions whereby information on various aspects of ISO 27001 / Information Security are presented. The attendee list for these events would be retained
would be sufficient. Would you agree with that or, as I think you implied, would the auditor expect that we had a more formal approach to training, with people being recorded against the training sessions they have completed?
Please note that while your proposed approaches cover the communication from organization to employees, you are not considering an approach to ensure employees have understood your message, i.e., that they understand the importance of information security, the impacts in case it is compromised, and what they can do to protect information.
So, you should also consider the application of small quizzes or other methods to evaluate employees' understanding.
For further information, see:
2 - Internal Auditor
Is it mandatory that the internal audit is carried out by a certified auditor (whether that’s an internal member of staff that’s been trained or a 3rd party retained for the audits)? One thought was that following the first initial audit where we would use a qualified third party we would compile questions that would need to be completed for subsequent audits. Selected people would then take those questions round the business at the appropriate time – though they would not necessarily be accredited.
Any information you can give would be greatly appreciated.
Thanks
You do not need a certified auditor to perform an internal audit, provided that you can evidence their audit competencies by other means, like previous experience or formal education in auditing.
These articles will provide you with a further explanation about internal auditors:
These materials will also help you regarding internal audit:
1 - In order to show evidence that the ISMS has been implemented, must we show a minimum period of implementation? For example, 3 months?
This differs from one certification body to another: some require you to have the ISMS in full operation for at least 3 months, while others do not have such criteria. The best would be if you ask for proposals from a couple of certification bodies and ask them this specific question.
These articles may also help you:
2 - What will the external auditor look out for in terms of actual implementation of the ISMS for ISO27001 certification? Please advise.
The certification auditor will look for all documents and records stated as mandatory by the standard, and those considered applicable by the organization (e.g., policies and procedures related to applied controls).
In the ISO world, mandatory requirements/documents are related to the words “must” or “shall”, while non-mandatory requirements/documents are related to the words “may” or “should”.
Documents and records mandatory to fulfill clauses from the main sections of the standard (sections 4 to 10) are:
These articles will provide you with a further explanation about documents required for certification and the certification audit:
These materials will also help you regarding the certification process:
For organizations with up to 50 employees, the best approach is to include the whole organization in the ISMS scope, because in this situation, in the majority of cases, the effort to separate elements in the scope from those out of it is not worthwhile.
When the organization uses a third-party Platform-as-a-Service, the data and all application software should be included in the ISMS scope, while everything else is out, including all system software.
These articles will provide you with a further explanation about scope definition:
These materials will also help you regarding scope definition:
1. Processes and services. Should I write about each service and each process specifically as part of the whole business model? Example: Managed Service Provider Service and all its processes; Software Development Service and all its processes; Software Support Service and all its processes; Cloud Infrastructure Consulting Service and all its processes. OR may I just put something more general that points to the idea that all the organizational business and processes are in the scope? A broader definition might be open to interpretation, but we really want the whole organization to be covered by the security benefits of having an ISMS in place. Example: Every service and process that is a part of the organization and its business is included in the scope.
Since your whole organization is part of the ISMS scope, you can use a text identifying your core business and including business management and supporting processes. Something like: Software development processes and their related supporting processes, and business administrative processes.
2. Organizational units. May I just get away with putting down that the whole organization and all organizational units are included in the scope? Do I need to define organizational units if I am not going to leave any of them out of the scope? Would an auditor be OK with that definition, and would he/she understand that the whole organization is covered by the ISMS? The problem is that the organization is fairly fluid and ever-moving and changing in regards to units and departments. This doesn't mean that people who are responsible for certain things are not appointed. Everything is logged, double-checked and audited, but it would be a bit difficult to channel every organizational aspect into a department or a unit.
Since your whole organization is part of the ISMS scope, you need only state that the whole organization is in the scope.
3. Network and IT infrastructure. This one seems really tricky for me. A lot of our IT infrastructure is ever-changing, so to speak: networks, devices and services are constantly added, removed, migrated and changed. If I need to list every piece of IT infrastructure and network, that would be an Inventory of Assets of its own. So the question is: when I've actually done the work to mark every piece of data in the Inventory of Assets, do I need to relist everything under the "Networks and IT infrastructure" as well? May I just put in something showing the general concept of ISMS coverage (i.e., everything)? Would a definition like "All networks and IT infrastructure that are located in the (and here I would just specify the location)" work as a part of the scope? Our IT infrastructure is only in one physical location and also the cloud. We are using the IaaS model and sometimes PaaS as a model. In this regard I would list those in the supplier policies and not in the scope.
Considering your context, the proper definition here is the one you thought of: "All networks and IT infrastructure that are located in the <location>".
This article will provide you with a further explanation about defining scope:
This material can also help with defining scope:
In terms of ISO 17025 requirements, education and training records and evidence of competence are essential. Typically, the diploma without a transcript will be suitable. Laboratories should, however, have recruitment criteria and minimum education requirements documented. If necessary, to verify a specific educational achievement for a particular position, a transcript would be required. This could, for example, be a result (e.g., >70%) for a specific course, or a diploma. Furthermore, depending on the sector, employees may need their transcripts to join a professional body mandated by legislation, for example, a veterinary association or professional scientists' association.
To assist you, have a look at the Competence, Training and Awareness Procedure and the four related appendices, available as part of the toolkit, at https://advisera.com/17025academy/iso-17025-documentation-toolkit/
See too, the article How to manage competence in a laboratory according to ISO 17025 at https://advisera.com/17025academy/blog/2021/05/26/how-to-manage-competence-in-a-laboratory-according-to-iso-17025/
Companies that write and develop software embedded in the vehicle should work on software design, verification, validation, configuration verification, etc., and document the details. These issues are related to clause 8.3 and its sub-clauses of the IATF 16949:2016 standard.