Search results

ISO 27001-Advice- Clause 6.1.3 d)

To meet this requirement you should consider these fields from your example:

• Annex A reference
• Control title
• Applicability (yes/no)
• Justification for inclusion/exclusion (you do not need separated columns because these situations are mutually exclusive)
• Status

You should also consider these additional fields:

• Control objectives (because security objectives are required by the standard, this field can help you fulfill this requirement in this same document)
• Implementation method (this field can help in the understanding of your security environment by providing a short description of controls that do not require a specific document to be written, or by providing a link to a developed document).  

To see a Statement of Applicability compliant with ISO 27001 looks like, please access this free demo: https://advisera.com/27001academy/documentation/statement-of-applicability/

This article will provide you a further explanation about the Statement of Applicability:

• The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

These materials will also help you regarding the Statement of Applicability:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Annex A.16

1.            How should companies define roles and responsibilities when they are dealing with multiple incidents that need to be handled by separate departments? For instance, incidents related to SFTP server and SQL server should be forwarded to IT department, but our SaaS service issues should be forwarded to software development department.

Answer: ISO 27001 does not prescribe how to define roles and responsibilities, so organizations can adopt the approach that better fit their needs. For your stated scenario, defining roles and responsibilities considering which department handles which type of incident is an acceptable and effective approach.

To decrease complexity for users, you should consider defining unified channels of communication, i.e., all types of incidents would be reported through the same channels, and the person, or system, receiving them would evaluate to which department forward the reports.

For further information, see:
- How to handle incidents according to ISO 27001 A.16 https://advisera.com/27001academy/blog/2015/10/26/how-to-handle-incidents-according-to-iso-27001-a-16/
- Using ITIL to implement ISO 27001 incident management https://advisera.com/27001academy/blog/2015/11/10/using-itil-to-implement-iso-27001-incident-management/t/

2. Also, I know in the tool kit we purchase there is an incident management procedure which I can edit it based on our organization, but I wonder if we should have multiple different incident response plan for different incidents or not.

Answer: Please note that an incident response plan is not required for ISO 27001. In case you want to write such a document, the usual practice for smaller companies is including all plans within one document, and for larger organizations each incident is covered in a separate incident response plan.

Question about IT Security Policy

Thank you very much for the clarification Rhand, after turning the points so much I realized that they are problems in the Spanish translation.

In my case and as a contribution to you, I finally translated them as follows:

Utilizar herramientas criptográficas (encriptado) sobre ordenadores locales sin la correspondiente autorización de Tecnologías de Información (TI).

Descargar e instalar programas, aplicaciones y/o software desde dispositivos de almacenamiento externos personales o no suministrados por Tecnologías de Información (TI).

Replacement for Directive 93/42/EEC

Each manufacturer that produces medical devices under the MDR will have an audit and if he can prove to the notified body that his medical device is in compliance with MDR 2017/745, then notify body will issue a certificate. After this certificate, the manufacturer will be allowed to place a CE mark on the medical device.

Procedure for Identification of Requirements

1 - We have two Business units. One located in site A and the other here in the site B.

The unit that will be certified will be that of the site B. Do I need to include information from site A as well, such as laws and regulations?

You only need to include legal requirements from your site A that may define information security requirements for your site B.

For example, if both sites exchange information, and a customer contract signed with site A states that information needs to be protected in a specific way (e.g., by using a specific cryptographic technology), then a reference to this contract need to be included in the list of legal requirements of site B, the one to be certified.

For further information, see:

• How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

2 - Another question, do we need to specify names and type of customer contract?

ISO 27001 does not prescribe which information needs to be recorded in a list of requirements, so you can define the information that better suits your needs. You can either use type of contract, when you have, for example, many contracts which follow the same model, or naming them specifically, when it is important to track the requirements of a specific customer.

Toolkit question

The ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit you bought can be used to implement only ISO 27001 on non-cloud environments, because it also includes the templates used for implementing only ISO 27001.

Included in the toolkit you bought there is a List of documents file which shows which documents are related to each standard. In case you want to implement only ISO 27001 on non-cloud environments you can use only the templates marked in the ISO 27001 standard column in this file.

For further information, see:
- ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
- ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/

Relation of ISMS with CMM level

Dear Dejan,

Thank you for your response.

Your knowledge sharing has boosted my confidence in this standard.

Converting numeric revision

ISO standards do not prescribe specifics about version management (only requires version control), so organizations are free to adopt any approach that better fits their needs, and converting numeric revision upon approval is an acceptable approach.

• Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/

• Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/

• Question on identifying organization’s customer

  If you are producing for your automotive customer and your customer wants you to get IATF 16949; You can apply the certification audit by doing the necessary work for the IATF 16949:2016 standard.