From your question, it is not clear whether you are referring to the content of the ISMS Scope Document or to the scope text that will be displayed in the ISO 27001 certificate.
If the former is the case, then the statement is far too short, and you should consider using the ISMS scope template included in your toolkit (it contains comments on how you can provide detailed information to fulfill the standard’s requirements). If the latter is the case, then the statement is too long – in this case, you should consult with your certification body about how to develop this text.
These articles will provide you with a further explanation of the ISO 27001 scope:
These materials will also help you regarding the ISO 27001 scope:
Considering that you referred to “…overall IT infrastructure and security of all departments…”, your last bullet makes sense because it basically places your whole organization within your ISMS scope.
In case you want something specific out of the scope (e.g., a specific process or department), you can state this part as an exclusion in your scope document.
Please note that you do not need to include references to contractual agreements in the scope (this may unnecessarily restrict your scope), because these can be defined in a separate document (the List of Regulatory, Contractual and Other Requirements template, included in folder 2 of your ISO 27001 Documentation Toolkit).
These articles will provide you with a further explanation of scope definition:
These materials will also help you regarding scope definition:
Completed status for attended training or completed quizzes can be used as evidence for ISO 27001 clause 7.2 (competence). In case more evidence of fulfillment is needed, an auditor can use other methods, such as observation or interviews.
This article will provide you with a further explanation of awareness and training:
These materials will also help you regarding awareness and training:
First of all, sorry for this inconvenience. This particular video was made for an earlier revision of the standard, and you can disregard the information about controls identification (this situation does not affect the logic of the risk assessment implementation presented in the tutorial).
In the current version of the standard (2013), control A.7.1.2 refers to "Terms & Conditions of Employment".
Every time you find similar discrepancies between the tutorials and documentation, please consider the information in the templates as the correct one, because they are the most updated version.
If you still feel you need more information about this topic, you can schedule a meeting with one of our consultants. To schedule a meeting, please access this link: https://advisera.com/27001academy/consultation/
ISO 27001 does not prescribe a pen-test from a third party as a requirement for ISO 27001 certification.
Pen-tests, including those performed by third parties, are only required if there are relevant risks (i.e., risks evaluated as unacceptable according to your criteria), or legal requirements (e.g., laws, regulations, or contracts).
These articles will provide you with a further explanation of the selection of controls and pen tests:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- How to use penetration testing for ISO 27001 A.12.6.1 https://advisera.com/27001academy/blog/2016/01/18/how-to-use-penetration-testing-for-iso-27001-a-12-6-1/
These materials will also help you regarding controls selection:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
ISO 22716:2007 is a standard that covers Good Manufacturing Practices for cosmetic products, while ISO 13485:2016 is a standard that covers requirements for developing quality management for the manufacturers of medical devices. The main principle regarding the production itself is rather similar - both standards require traceability of raw materials, confirmation of the correctness of the entire production process, traceability in the production itself, to maintain the required purity of the product and production (depending on product type), etc.
Furthermore, both standards require an internal audit, that deviations and nonconformities are managed, and that documentation is managed appropriately. However, ISO 22716 contains no requirement for a management review.
Given this review, it can be said that these two standards are comparable.
You can find a lot of information about ISO 13485 at the following links:
The Risk Assessment and Risk Treatment Methodology template included in your toolkit is compliant with ISO 27005.
Please note that ISO 27005 is a supporting standard to ISO 27001, detailing how to implement risk management for information security (basically covering ISO 27001 clauses 6.1.2 and 6.1.3).
This article will provide you with a further explanation of implementing risk management:
"Thanks for your response. I am now clear that if any form of contract or agreement is signed between the controller and the data subject, it does not require specific consent, especially if the bank has signed account opening forms or product and services forms; then specific consent is not required.
1 - With this understanding I have another question: is the bank allowed to share/process data via third parties without specifically mentioning this in the form/contract at the time of customer on-boarding, in order to fulfill the contract? Or can the bank publish a privacy notice on its website stating that the bank will process your data via third parties?
The bank can share data with third-party processors, but in the privacy notice the bank should mention that data will be shared and for what purpose. The privacy notice should be given with the contract because the data subject should be able to know what data will be processed and how in the contract relationship.
2 - Is it mandatory for the organization/bank to mention the name/region of third-party data processor specially if it is a non-EU state?
The bank should declare whether data will be transferred outside the EU, what the legal basis of the data transfers is, and what the destination of the data is. If the destination is several countries, they should write that the data subject can contact them to learn the exact list of countries and the safeguards implemented.
3 - Can an organization use the phrase "we may share your data with third-party service providers", or does it have to be specific by mentioning the service outsourced and the name and region of the service provider? And does this have to be clarified at the time of the contract or via the privacy notice? Thanks, and I am looking forward to your expert opinion."
The privacy notice is the document where all this information should be given. The controller does not need to be specific if the third-party processors are different (they may also change), but the data subject is allowed to contact the controller to learn who the processors are.
Yes, in some cases you can transfer the risk to insurance (e.g., for the risk of fire, you can insure your physical assets); however, such insurance can only cover a small number of your risks. Therefore, you cannot expect to treat all risks through risk transfer using insurance.
For the risks for which you use the insurance, you will not need to perform monitoring and review of supplier services.