
  • Level of implementation in a country’s companies

    You can find information about ISO certification by country in the ISO Survey, which can be accessed through this link: https://www.iso.org/the-iso-survey.html

  • Level of implementation in a country's companies

    You can find information about ISO certification by country in the ISO Survey, which can be accessed through this link: https://www.iso.org/the-iso-survey.html

  • Certification for IATF 16949 Section 8.3 (Design and Development of Products)

    Since you will also design products for automotive, you are responsible for all of clause 8.3 of the IATF 16949:2016 standard. There is no special list, but you should prepare for all "shall" requirements written between 8.3 and 8.3.6.1 in the IATF 16949:2016 standard.

  • Filling out documents in integrated toolkit

    In the toolkit folder, you will find the file named "List of Documents", where you can find the reference to the EU GDPR or the ISO standard. I suggest you follow the order of the folders and fill in the documents with an EU GDPR reference.

    For example, you can begin with Folder 1 "Preparation for the project" and file 01.1 EU GDPR Readiness Assessment in order to verify what your current status is, and then the preparation for the project in file 01.2. The next step is folder 4 with General policies and document 04.2 Personal Data Protection Policy, and keep following the EU GDPR relevant documents.

  • Recurring task in Conformio

    The Information Security Policy requires in section 3.3 (Secure engineering principles) that the responsible person issues "procedures for secure information system engineering, both for the development of new systems and for the maintenance of the existing systems, as well as set the minimum security standards which must be complied with." Please note that the mentioned procedures are not included in the policy but need to be developed because of it.

    Considering that, the recurrent task refers to the publication of these required procedures, i.e., you only can set this task as completed when all needed procedures are published. This task is not related to the publication of the Information Security Policy itself.

    Consider this example: when developing this policy, you identify that you have a financial system, a production monitoring system, and a mobile app, all developed with different technologies. When the Information Security Policy is implemented, this recurrent task will remind you every 10 days after the Information Security Policy implementation date that you need to publish these needed procedures.

    Once these related procedures and standards are published you can mark this task as completed, and the review cycle of these documents will be performed as defined in the document control procedure (e.g., at least annually).

  • Question about Scope of Work

    All departments included in the ISMS scope need to be involved in the risk assessment.

    Regarding risk owners, you should consider the roles with the most interest and authority to treat them. For example, in case you identify risks related to a server, you should consider the IT manager as the risk owner.

    These articles will provide you with a further explanation about risk assessment and risk owners:

    These materials will also help you regarding risk management:

  • Recovery site

    1 - Do we need another recovery site?

    Considering that there is a chance that another disruptive scenario can hit your organization at any moment (e.g., fire, flood, storm, etc.), and that now, because of Covid-19, you will not have recovery space available to fulfill your needs in case of a new disruptive event, you should consider another recovery site if you still want to achieve the continuity objectives defined pre-Covid-19.

    The alternative would be to adjust continuity objectives according to your current operational capacity and situation (e.g., if your initial continuity objective was to work with 50% capacity during disruption, maybe now a possible objective would be only 25%, due to social distancing requirements).

    Just for a mindset adjustment, you should keep thinking of your recovery site as a recovery site, not as a daily office, since it is being used like that only because you are in a disruptive scenario, i.e., social distancing required due to Covid-19.

    2 - If we do, how do I convince management?

    The direct answer is that you need to perform an assessment of your current allocation of continuity resources to identify what you can still use in case a new disruption hits you (e.g., is it possible to allocate more people in the recovery site, up to the limit defined by social restrictions?).

    With this information in hand, you can go to management and present it to them, making clear what can be achieved in terms of business continuity under the current situation and allocation of resources, so they can make an informed decision between adjusting continuity objectives to feasible ones or allocating more resources for a new recovery site.

    This article will provide you with a further explanation about business continuity objectives:

  • Stage 2 Audit and ISMS completion status and Assets listing

    1. I have a situation where the Assets listing is very light, i.e., mainly just a listing. The Risk Assessment and Risk Treatment Register also doesn't go into Inherent Risk, Controls and Residual Risk. It goes straight into a single risk (residual) rating. Am I correct to be concerned with the absence of an Inherent risk perspective?

    ISO 27001 does not prescribe the content of an asset list, so organizations are free to define the data they want to record (usually minimal data to be considered are asset name, asset category, and asset owner).

    For further information, see:

    Regarding risk management, it is highly improbable to have a risk assessment with only residual risks (i.e., risks with controls already applied to reduce them to acceptable levels), so you should review your assessment to confirm whether any relevant risk has been missed (including people who work directly with the situation being assessed is a good way to check that). In the case of risk treatment, the objective is to have all listed risks as residual, i.e., by defining a treatment for them.

    For further information, see:

    2. My question relates to preparing for a Stage 2 audit, in relation to how complete the ISMS needs to be.

    I have been told that if there are many gaps and low level of completion of ISMS, then the Stage 2 auditor will look for work plans that indicate awareness of this, AND review the results of past Internal Audits and Non-Compliances i.e., if there are many non-conformances and controls gaps found, then this is “good news” as it supports the status of non-completion.

    My thought is that the Stage 2 Auditor would expect to see the ISMS mostly completed e.g., at least 90%, accepting that there will always be maintenance and improvement.

    For certification purposes you need to fulfill all requirements from clauses 4 to 10, i.e., they need to be implemented and audited. The auditor will expect a fully implemented ISMS according to the standard's requirements.

    What can be postponed is the implementation of controls related to less relevant risks, and to support this decision you can use management review and work plans to evidence the situation.

    This article will provide you with a further explanation about certification audits:

    These materials will also help you regarding ISO 27001 certification:

  • Filling documents

    The purpose of this template is not to define requirements, only to identify where they can be found, who defined them, who is responsible for their implementation, and by which date.

    Requirements are defined by the interested parties (e.g., top management, customers, suppliers, employees, government agencies, etc.) which are relevant to your information security management system (ISMS), and are usually documented as laws, regulations, contracts, agreements, and other similar documents, which are identified in this annex.

    For example, you can have a service contract with your main customers where they require backup to be performed in a certain way and use a defined technology. In this template, you will identify the requirements (backup method and technology to be used), where they can be found (service contract ***), who defined them (customer), and who is responsible for it (e.g., IT manager), and the implementation deadline (e.g., end of October 2021).

    Considering that:
    1 - Requirements for the procurement, commissioning, and approval for the use of non-organizational IT services may be determined by the IT manager together with the key users of such services and documented in the “Appendix 1 – Specification of Information System Requirements”, located in folder 08_Annex_A_Security_Controls >> A.14_System_Acquisition_Development_and_Maintenance
    2 - Requirements for the use of confidentiality agreements when passing on sensitive information may be determined by information owners, and their way of implementation documented in the “Information Classification Policy”, located in folder 08_Annex_A_Security_Controls >> A.8_Asset_Management
    6 - Requirements from business relationships (e.g., reporting obligations to the client) are documented in contracts and service agreements, for which organizations usually already have their own defined templates, and their way of implementation documented in documents which will depend on the requirements defined.
    7 - Requirements for key sovereignty may be determined by the IT manager together with the users of services that use these keys, and their way of implementation documented in the “Policy on the Use of Encryption”, located in folder 08_Annex_A_Security_Controls >> A.10_Cryptography.
    8 - Security-relevant requirements for information security with regard to the handling of event logs (e.g., requirements from contracts) are determined in contracts and service agreements, for which organizations usually already have their own defined templates, and their way of implementation documented in "Security Procedures for IT Department", located in folder 08_Annex_A_Security_Controls >> A.12_Operations_Security.
    9 - Extended requirements for the control and administration of networks are determined in contracts and service agreements, for which organizations usually already have their own defined templates, and their way of implementation documented in “Security Procedures for IT Department”, located in folder 08_Annex_A_Security_Controls >> A.12_Operations_Security.

    Once requirements are defined and identified in the List of Legal Regulatory Contractual and Other Requirements:
    3 - The procedures for user authentication are documented in the “Access Control Policy”, located in folder 08_Annex_A_Security_Controls >> A.9_Access_Control
    4 - The requirements for development and test environments are documented in the “Secure development policy”, located in folder 08_Annex_A_Security_Controls >> A.14_System_Acquisition_Development_and_Maintenance
    5 - Measures to meet the procurement and license management requirements with regard to intellectual property rights and the use of software products protected by copyright are documented in the “Appendix 1 – Specification of Information System Requirements”, located in folder 08_Annex_A_Security_Controls >> A.14_System_Acquisition_Development_and_Maintenance, and in the “IT Security Policy”, located in folder 08_Annex_A_Security_Controls >> A.8_Asset_Management.

    This article will provide you with a further explanation about requirements identification:

  • How can I tag an instrument which is not in use as per ISO norms?

    We assigned an ID for those documents to keep track of where they are, who is responsible for handling them, etc. We identified those pieces of equipment with the ID and also a red legend of "Just reference"; in our procedure we specified that those types of equipment cannot be used on the production floor or in any process where the quality of the product or process will be confirmed.

    We also audit that equipment to confirm proper storage and area. No issues during external audits with this process.
