Questions to be asked will depend on the content of the workshops, but in general, you can propose a scenario related to the presented topic and ask the attendee what the best course of action is from a list of multiple answers.
For example, on the topic of the use of mobile storage units: if you find a pen drive at the door of your company, what should you do?
a) leave it there
b) pick it up and connect it to your computer to see its content
c) pick it up and deliver it to IT personnel
As for results and statistics, to be used by you or to present to management, completed status for workshop training or completed quizzes can be used to check if the workshop was successful, or if any adjustments are needed.
This article will provide you with a further explanation about awareness and training:
- How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
This material will also help you regarding awareness and training:
- Free Security Awareness Training: https://advisera.com/training/awareness-session/security-awareness-training/ - this is a series of 25 videos that cover various topics related to security.
By the way, this functionality you want is available in our Company Account https://advisera.com/training/etraining-company-account/
I’m assuming that you are thinking about an enterprise risk management framework to support your BC framework.
Considering that, to make your implementation of business continuity easier, you should consider ISO 22301 only. This ISO standard for business continuity management does not need anything else (you do not need to implement a complete risk management framework).
These articles will provide you with a further explanation about ISO 22301:
- What is ISO 22301 https://advisera.com/27001academy/what-is-iso-22301/
- 17 steps for implementing ISO 22301 https://advisera.com/27001academy/knowledgebase/17-steps-for-implementing-iso-22301/22301/iso-22301/
To see what risk assessment documents, as well as other required documents compliant with ISO 22301, look like, please take a look at the free demo of this toolkit: https://advisera.com/27001academy/iso22301-documentation-toolkit/
The IATF 16949:2016 standard makes calibration and/or verification possible. All measuring instruments you use for manufacturing and quality control must be calibrated and/or verified. Calibration or verification frequency may vary depending on the frequency of use and the protection conditions of the measuring instrument. This frequency may vary depending on the situation, such as monthly, annually, every 2 years, or every 3 years. As you know, calibration is done by an external company, and this company must be accredited according to the ISO 17025 standard. The verification process is to be done using in-house calibrated equipment. My personal advice is:
Yes, because requirement 7.1 Planning of product realization points to ISO 14971 for further information regarding risk management for medical devices. Furthermore, all medical device manufacturers must be in compliance with the harmonized standards which are published in the Official Journal of the European Commission (Annex 8 of the MDR 2017/745). On that list, ISO 14971:2019 is the only standard that covers risk management.
For more information, see:
EU MDR Article 8 – Use of harmonised standards - https://advisera.com/13485academy/mdr/use-of-harmonised-standards/
To meet this requirement you should consider these fields from your example:
You should also consider these additional fields:
To see what a Statement of Applicability compliant with ISO 27001 looks like, please access this free demo: https://advisera.com/27001academy/documentation/statement-of-applicability/
This article will provide you with a further explanation about the Statement of Applicability:
These materials will also help you regarding the Statement of Applicability:
1. How should companies define roles and responsibilities when they are dealing with multiple incidents that need to be handled by separate departments? For instance, incidents related to the SFTP server and SQL server should be forwarded to the IT department, but our SaaS service issues should be forwarded to the software development department.
Answer: ISO 27001 does not prescribe how to define roles and responsibilities, so organizations can adopt the approach that better fits their needs. For your stated scenario, defining roles and responsibilities considering which department handles which type of incident is an acceptable and effective approach.
To decrease complexity for users, you should consider defining unified channels of communication, i.e., all types of incidents would be reported through the same channels, and the person, or system, receiving them would evaluate to which department to forward the reports.
For further information, see:
- How to handle incidents according to ISO 27001 A.16 https://advisera.com/27001academy/blog/2015/10/26/how-to-handle-incidents-according-to-iso-27001-a-16/
- Using ITIL to implement ISO 27001 incident management https://advisera.com/27001academy/blog/2015/11/10/using-itil-to-implement-iso-27001-incident-management/t/
2. Also, I know in the toolkit we purchased there is an incident management procedure which I can edit based on our organization, but I wonder if we should have multiple different incident response plans for different incidents or not.
Answer: Please note that an incident response plan is not required for ISO 27001. In case you want to write such a document, the usual practice for smaller companies is to include all plans within one document, and for larger organizations each incident is covered in a separate incident response plan.
Thank you very much for the clarification Rhand, after turning the points over so much I realized that they are problems in the Spanish translation.
In my case, and as a contribution to you, I finally translated them as follows:
Use cryptographic tools (encryption) on local computers without the corresponding authorization from Information Technology (IT).
Download and install programs, applications and/or software from personal external storage devices or ones not supplied by Information Technology (IT).
Each manufacturer that produces medical devices under the MDR will have an audit, and if it can prove to the notified body that its medical device is in compliance with MDR 2017/745, then the notified body will issue a certificate. After this certificate, the manufacturer will be allowed to place a CE mark on the medical device.
1 - We have two business units. One located at site A and the other here at site B.
The unit that will be certified will be that of site B. Do I need to include information from site A as well, such as laws and regulations?
You only need to include legal requirements from your site A that may define information security requirements for your site B.
For example, if both sites exchange information, and a customer contract signed with site A states that information needs to be protected in a specific way (e.g., by using a specific cryptographic technology), then a reference to this contract needs to be included in the list of legal requirements of site B, the one to be certified.
For further information, see:
2 - Another question, do we need to specify names and type of customer contract?
ISO 27001 does not prescribe which information needs to be recorded in a list of requirements, so you can define the information that better suits your needs. You can either use the type of contract, when you have, for example, many contracts which follow the same model, or name them specifically, when it is important to track the requirements of a specific customer.
The ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit you bought can be used to implement only ISO 27001 on non-cloud environments, because it also includes the templates used for implementing only ISO 27001.
Included in the toolkit you bought, there is a List of Documents file which shows which documents are related to each standard. In case you want to implement only ISO 27001 on non-cloud environments, you can use only the templates marked in the ISO 27001 standard column in this file.
For further information, see:
- ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
- ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/