
  • Question around contractual and legal requirements

    You should go through all agreements of 3rd parties included in the ISMS scope, unless some of your agreements have the same security requirements - in such a case you should review only one such agreement and use it as a representative case for all other agreements with same security requirements.

    Depending on the number of different agreements you have (the point here is not how many agreements you have but how different they are from each other), this may in fact be a time-consuming exercise.

    In this situation, you can define some criteria to prioritize which agreements to look at first (for example, those related to the biggest 3rd parties, those with 3rd parties that have more agreements, or those related to the most important 3rd parties, etc.).

  • ISO27001-cryptographic control

    Thank you for the explanation, I should procure the new version of ISO 😀

    M

  • Business Continuity Plan and GDPR

    The Disaster Recovery Plan should be sufficient in this case. The requirements in Article 32 GDPR - Security of processing are for a data controller to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: […]

    (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;”.

    If your Disaster Recovery Plan matches these requirements, it should be OK.

    Please also consult these links:

  • OQC Standard as Importer

    Yes, you need to have some input on what you need to monitor and what the acceptable values are. In case you do not receive it from the Manufacturer, then you need to do it by yourself.

  • Migration from the 2013 to the 2022 documents

    This deadline for certification against ISO 27001:2013 is applicable worldwide, so the deadline for Germany is also October 2023.

  • Is your ISO 22301 toolkit covering ISO 22361?

    Up to this moment, we do not have Documentation Toolkits for ISO 22361:2022 and ISO 22316:2017.

    Our ISO 22301 Documentation Toolkit covers only the requirements for the current version of ISO 22301.

  • Latest version of Statement of Applicability

    Current controls to be included in the Statement of Applicability are those from the 2022 version of ISO 27001.

    This 2017 version refers to the British version of ISO 27001:2013 (this version's official name is BS EN ISO/IEC 27001:2017).

    The 2022 version of ISO 27001 has 93 controls in its Annex A, against 114 controls from the 2013 version.

    For further information, see:

  • How to keep being trained and skilled and best way to find work?

    The best approach for exercising your competencies and finding work would be to look for information security and audit groups on professional social networks like LinkedIn, and ISO 27001 security group on Google Groups.

  • Question about tools and scope

    1 - Which tools are free for, e.g., evaluation, and do you also have a repository for the documents?

    You can test for free our Conformio solution, which can help you implement and maintain an Information Security Management System compliant with ISO 27001. This solution has a module for document management.

    You can access Conformio through this link: https://advisera.com/conformio/

    2 - Can you tell me which tools are free, where I can see the list of document templates, and which are mandatory for the certification?

    Additional free tools are:

    You can access them through this link: https://advisera.com/resources/?type=tools|templates&standard=iso-27001

    3 - What about the case of a scope extension when I also want to incorporate SW products?

    Please note that products cannot be certified against ISO 27001. In this case you should look for the certification of the process related to the product (e.g., SW development and maintenance processes, software operation, etc.).

    For further information, see:
