Search results

Scope definition

1 - Clauses 4.1 and 4.2, are they based on the organization as a whole, rather than the department in scope? It seems like even clause 4.1 & 2 is a huge task, and identifies things that aren’t covered by the IT department. It seems odd to identify these issues as an organization, only to not cover them as they aren’t covered by our scope.

Answer: Please note that for clauses 4.1 and 4.2 you need to consider the organization as a whole because if you consider only your intended scope in terms of the IT department, you may miss elements that may impact the organization’s purpose, intended Information Security Management System (ISMS) outcomes, and/or interested parties and their requirements, but are not directly related to your intended scope. 

For example, for a web store, the purpose can be selling products, the intended outcomes for the ISMS can be the protection of data related to buyers and products, and an interested party may sales department. In this context, if the web store’s sales department needs to keep part of buyers’ data out of IT systems for some reason (e.g., regulation or contract), and the IT department is not aware of this situation, the scope may be incorrectly defined (e.g., if you want to keep only the IT department in the ISMS scope, then you need to state that buyers’ data that exists out of IT systems are out of scope).

For further information, see:
- How to define context of the organization according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
- How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

2 - Also, in terms of interested parties, would our students count? If so, would it be over the age of consent in GDRP terms of, or all ages?

Answer: This answer will depend on what you consider for the organization’s purpose and intended ISMS outcomes.

For example, if the organization’s purpose and intended ISMS outcomes are related to education or customer data, then students should be considered as interested parties. Regarding GDPR, because the related information can be considered PII, the information of students of all ages must be protected if you need to comply with GDPR. What will happen is that for students under the age of consent you will need to consider additional protections.

3 - Also, do you know if any schools or multi-academy trusts in the *** have achieved ISO27001? If not, are there any resources or information you could point me too that are focused on educational establishments that I could gain some guidance from?

Answer: We are not aware of specifics on certifications in this industry in the country you mentioned. From 2019 ISO Survey (https://www.iso.org/the-iso-survey.html and https://isotc.iso.org/livelink/livelink?func=ll&objId=21414015&objAction=Open&nexturl=%2Flivelink%2Flivelink%3Ffunc%3Dll%26objId%3D18808772%26objAction%3Dbrowse%26viewType%3D1) you can see the number of ISO 27001 certifications issued for this industry. To know about specifics, you need to contact the certification bodies in your country and ask for this information.

Some references you may find useful:
- https://www.gov.uk/government/publications/school-and-college-security/school-and-college-security
- https://www.beaming.co.uk/insights/cybersecurity-safeguarding-approach-schools/
- https://www.ncsc.gov.uk/information/resources-for-schools

4 - Finally, (apologies this may be oddly worded!) but as the IT department, does that just cover the processes/information used by them, or does it also mean the services/equipment the IT department provides for others to use? Such as require 2 factor authentication for staff in other departments to login to a service?

We’re also going to purchase the documentation and support pack with you, but our ordering process can take a little while, so just wanted to get these couple of questions out in advance!

Answer: Please note that you first need to consider if the protection of these services/equipment the IT department provides for others to use is relevant to your information security objectives. If so, you need to consider them as part of the scope of the IT department, because the implementation of controls will be focused only within the scope.

These articles will provide you a further explanation about scope definition:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

These materials will also help you regarding scope definition:
- How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

ISO 9001 design and development

If your service is clearly defined and there is no innovation in it then you can consider clause 8.3 as non-applicable.

The following material will provide you more information about exclusions:

• What clauses can be excluded in ISO 9001:2015? - https://advisera.com/9001academy/blog/2015/07/07/what-clauses-can-be-excluded-in-iso-90012015/2015/
• How to define the scope of the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

Waste management company

Is ISO 14001 really the best certification for your particular case?

Everything depends on what your organization need.

Let me try to explain, as a waste management company, I believe your organization has some kind of official qualification issued by a particular relevant authority. With that official qualification a potential client may look to your organization and think something like “OK, this company is officially qualified to do the job of collecting waste”. The point is, why should a particular potential client choose your company among several waste management companies all equally qualified by the same or equivalent particular relevant authority?

What kind of benefits is your organization looking for? Will your brand benefit from being ISO 14001 certified? And from being ISO 9001 certified? If your company is looking for cost reduction, higher efficiency, perhaps ISO 9001 can be recommended. If your company is looking for improving image among community and the job market perhaps even ISO 45001 certification can be recommended.

If your organization decides to go for ISO 14001, basically you have to determine how your organization interacts with the environment while collecting and managing waste. You start by determining the environmental aspects and impacts, the how your organization interacts with the environment:

Each one of these interaction vectors’ is a specific type of environmental aspect.

So, for each type of environmental aspect check where they appear, or can appear, in your organization’s activities products and services. Consider operation under normal, abnormal and emergency situation.

You have also to determine the legislation and regulation applicable to your organization (compliance obligations). From there you determine priorities for improvement:

Them you have to define an environmental policy and objectives. From there, it is implementation by developing action plans to improve the interaction with the environment.

Then, perform an internal audit and the management review. There you can decide if your organization is ready for a certification audit.

You can audit the entire organization or site by site. This should be discussed with potential certification bodies before starting the implementation project, sometimes they have different opinions.

Perhaps the following links can be useful:

• Free webinar on demand - How to use a Documentation Toolkit for the implementation of ISO 14001 - https://advisera.com/14001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-14001-free-webinar-on-demand/
• List of ISO 14001 implementation steps - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/list-of-iso-14001-implementation-steps/
• ISO 14001:2015 Implementation diagram - https://info.advisera.com/14001academy/free-download/iso-14001-2015-implementation-diagram
• Project checklist for ISO 14001 implementation - https://info.advisera.com/14001academy/free-download/project-checklist-for-iso-14001-implementation
• Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
• Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/

Establishing context

First is important to note that the context of the organization is any internal or external factor that can affect the ISMS.

Considering that, concrete examples of elements of organizational context are:

• for external issues: geographical location, public infrastructure available, political, economic, social, and technological trends, etc.
• for internal issues: organizational culture, processes, and procedures, equipment, financial resources, etc.

Based on these you can identify elements that can help you understand how information security must be considered.

This article will provide you a further explanation about the Context of the organization for 27001:

• Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization) https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/

These materials will also help you regarding the Context of the organization for 27001:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 2700 1 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Rework procedure and Clinical evaluation for media mfg

1. Is there a rework procedure in the tool kit? I did not see it in there and I believe it is an ISO requirement for clause 8.3.4. Thank you.

Rework is covered in the 15_Procedure_for_Control_of_Non_Conforming_Products_Premium_EN in section 3.4 Handling non-conforming product. 

For more information on how to handle non-conforming products, please see the following article:

• How to comply with ISO 13485:2016 requirements for handling complaints https://advisera.com/13485academy/blog/2017/03/21/how-to-comply-with-iso-134852016-requirements-for-handling-complaints/

2. I have a question about the clinical evaluation requirement. What exactly is needed for media manufacturer class 1 medical device? In looking at the documents in the toolkit it I am not sure if it applies.

All requirements and topics that are covered in the folder Clinical evaluation is necessary for manufacturers of class I medical devices. So you need to make literature research about your product, make an equivalence with an existing product on the market, and make a report as described in annexes 1, 2, 3, and 4. 

More information on the clinical evaluation you can find in the following articles in the MDR:

• EU MDR Article 61 – Clinical evaluation https://advisera.com/13485academy/mdr/clinical-evaluation/
• EU MDR Annex 14 – Clinical evaluation and post-market clinical follow-up https://advisera.com/13485academy/mdr/clinical-evaluation-and-post-market-clinical-follow-up/

If your medical device is Class I, then it does not require the involvement of the notify body. In that case, you need to prepare the Self-declaration of conformity and technical file according to the Annex II Technical documentation and Annex III Technical documentation on Post-market surveillance. However, you need to contact the notify body in regards to the certification of ISO 13485:2016.

Which elements must be in the Declaration of conformity, you can find in Annex 4 – EU Declaration of conformity.

For more information, see:

• EU MDR Annex II – Technical documentation https://advisera.com/13485academy/mdr/technical-documentation/
• EU MDR Annex III – Technical documentation on Post-market surveillance https://advisera.com/13485academy/mdr/technical-documentation-on-post-market-surveillance/
• EU MDR Annex 4 – EU declaration of conformity https://advisera.com/13485academy/mdr/eu-declaration-of-conformity-2/

• Configuration Management Policy & Procedure

  The content of the Training & Awareness Plan needs to include needed training and awareness activities for all personnel included in the ISMS scope, not only the Internal Audit Team.

  For example, it can include basic training for regular final users and at the same time advanced security techniques for IT and SW development personnel.

  This article will provide you a further explanation about awareness and training:

  • How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/

  This material will also help you regarding awareness and training:

  • Free Security Awareness Training: https://advisera.com/training/awareness-session/security-awareness-training/ - this is a series of 25 videos that cover various topics related to security.

• Question regarding NDA

  By your question, I’m assuming that control A.13.2.4 Confidentiality or nondisclosure agreements are applicable to your scenario.

  Considering that, the answer to this question will depend on the laws and regulations applicable to your jurisdiction, so you should consider hiring local legal expert advice.

  For example, some laws and regulations may require an NDA only from the outsourcer organization, or that this NDA must be extended to individual NDAs to their employees.

  This article may provide you a start on applicable laws and regulations, but note that these references depend on the contributions of our reader, and some of them can be outdated:

  • Laws and regulations on information security and business continuity https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/

  For further information, see:

  • How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

• ISO 14001 fundamental aspects for the implementation

  If you want to implement an environmental management system (EMS) perhaps the following steps could be useful for an organization:

  • Setup a project sponsor, a project manager and a project team. Determine the scope of the EMS. Ensure top management support, get training. Designing and implementing an environmental management system (EMS) implies being knowledgeable about ISO 14001:2015.
  • As a first step determine environmental risks and opportunities, environmental aspects and impacts, and compliance obligations and the state of compliance.

  

  • Then, determine significant risks and opportunities and significant aspects and impacts.
  • Define an environmental policy and objectives. From there, it is implementation by developing action plans to improve the interaction with the environment.
  • Then, perform an internal audit and the management review. There you can decide if your organization is ready for a certification audit.

  Perhaps the following links can be useful:

  • Free webinar on demand - How to use a Documentation Toolkit for the implementation of ISO 14001 - https://advisera.com/14001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-14001-free-webinar-on-demand/
  • List of ISO 14001 implementation steps - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/list-of-iso-14001-implementation-steps/
  • ISO 14001:2015 Implementation diagram - https://info.advisera.com/14001academy/free-download/iso-14001-2015-implementation-diagram
  • Project checklist for ISO 14001 implementation - https://info.advisera.com/14001academy/free-download/project-checklist-for-iso-14001-implementation
  • Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
  • Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/ 

• ISO 27000 and ISO 20000 - which to go first for?

   I’m assuming you are referring to personal certifications

  Considering that, the order on which to pursue these certifications will depend on your needs:

  • if your priority is to ensure the quality of IT services, then you should go first for ISO 20000 certifications.
  • if your priority is information protection, then you should go first for ISO 27001 certifications.

  Since you mentioned IT risk and compliance, the specific field of certification for you would be audit:

  • ISO 27001 Lead Auditor – this certification recognizes people who have competency in auditing an ISMS against ISO 27001 requirements and want to become certification auditor (and with this provides more confidence to an organization for being certified).
  • ISO 20000 Lead Auditor – this certification recognizes people who have competency in auditing an ITSM against ISO 20000 requirements and want to become certification auditor (and with this provides more confidence to an organization for being certified).

  These articles will provide you a further explanation about ISO 27001 and ISO 20000 personal audit certifications:

  • What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
  • Process to obtain ISO/IEC 20000 certification: Companies and individuals https://advisera.com/20000academy/knowledgebase/iso-20000-certification-the-process-of-obtaining-a-certifica/

  For the ISO 27001 Lead Auditor Course, please see:

  • ISO 27001:2013 Lead Auditor Course https://advisera.com/training/iso-27001-lead-auditor-course/

• Technology to enforce and attest ISO 27001 controls

  Please note that it is our policy not to make recommendations about technologies, but broadly speaking most solutions used in cloud environments (e.g., virtual machines and lead balancers, etc.) now have policy enforcement and activities monitoring capabilities, so you need to check with your provider which capabilities it can provide to you and if these capabilities are enough to fulfill your needs (based on the results of risk assessment and applicable legal requirements).

  For further information, see:

  • Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/