In general, the results of the treatment of minor nonconformities are reported in the next scheduled audit, but the best approach here is for you to contact your certification body and confirm with them when the treatment results should be reported to the certification auditor.
ISO 27001 does not prescribe what needs to be done with documentation created prior to the implementation of the Information Security Management System, so organizations are free to decide how to classify and label information.
The organization can simply define that documentation created in the past has a standard classification (e.g., internal), and labeled accordingly, or that it is not classified and labeled at all.
For further information, see:
Please note that, in general, during the execution of a BCP, the infosec team and the IT team have only a limited number of shared responsibilities, so it does not make much sense to have the infosec team lead the IT response.
The infosec team is also responsible for information that is not on information systems (e.g., information on paper media, and information in the form of people’s knowledge), while the IT team is also responsible for running recovered systems and networks.
As you can see, in terms of a BCP, a better strategy would be for the infosec team to help define IT-related information security objectives to be achieved by the IT team.
For further information, see:
You should go through all agreements with 3rd parties included in the ISMS scope, unless some of your agreements have the same security requirements - in such a case you should review only one such agreement and use it as a representative case for all other agreements with the same security requirements.
Depending upon the number of different agreements you have (the point here is not the number of agreements you have but how different they are from each other), this may in fact be a time-consuming exercise.
In this situation, you can define some criteria to prioritize which agreements to look at first (like the ones related to the biggest 3rd parties, or those with 3rd parties with more agreements, or those related to the most important 3rd parties, etc.).
Thank you for the explanation, I should procure the new version of ISO 😀
M
The Disaster Recovery Plan should be sufficient in this case. The requirements in Article 32 GDPR - Security of processing are for a data controller to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: […]
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;”.
If your Disaster Recovery Plan matches these requirements, it should be OK.
Please also consult these links:
Yes, you need to have some input on what you need to monitor and what are the acceptable values. In case you do not receive it from the Manufacturer, then you need to do it by yourself.
This deadline for certification against ISO 27001:2013 is worldwide applicable, so the deadline for Germany is also October 2023.
Up to this moment, we do not have Documentation Toolkits for ISO 22361:2022 and ISO 22316:2017.
Our ISO 22301 Documentation Toolkit covers only the requirements for the current version of ISO 22301.