Search results

Statement of Applicability

If there are changes in the SOA after certifying the company you have to:

• review the risk assessment and treatment and the list of legal requirements, and update those so you can provide the basis you need to justify the changes in the SoA
• update the SoA to reflect the new status (i.e., update the status of controls and their justifications), and have it approved by top management
• update the risk treatment plan considering these new SoA
• implement the new controls, and gather evidence that the new applicable controls are working and achieving defined objectives.

Basically, you have to perform the risk assessment and treatment again.

For further information, see:

• ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

Regarding the external audit, when the SoA is changed you need to inform the certification body about the changes made, so it can verify if the surveillance audit needs adjustment, either in duration or in the number of required auditors, due to the change in the number of applicable controls. You need to communicate this as soon as possible.

Has my employer and union broken GDPR?

I am sorry but your case does not involve the GDPR aspect, but it involves how the Union fulfilled the obligation of providing legal assistance. You should verify with a lawyer if the Union abused somehow of powers of representation you provided to handle the case. From your question I understand that you asked for legal aid, not for legal representation, you provided your personal data, so the Union has the right to process your data. If they misrepresented you, in front of your employer it is an aspect that does not involve data processing. You should contact a lawyer to verify if the Union acted correctly.

Here you can find more information on the legal basis to process personal data according to the GDPR:

• Is consent needed? Six legal bases to process data according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/

If you want to learn how personal data are processed under the EU GDPR you may consider enrolling in our free training EU GDPR Foundations: https://advisera.com/training/eu-gdpr-foundations-course//

Does acceptance by exception by the customer must always be formalised by the supplier?

Let us use ISO 9001:2015 as our guide. After a non-conformity being detected, a supplier may decide to ask for a derogation by the customer. According to ISO 9001:2015, clause 8.7 the supplier must keep records evidencing that the customer authorized the derogation. There is no requirement about what kind of record is to be used. The supplier may use its own internal NC and ask the customer to use it for evidence approval, or the supplier may annex an e-mail from the customer to evidence that approval.

You can find more information about improvement in the following links:

• How to use quality control tools to improve your QMS - https://advisera.com/9001academy/blog/2017/04/18/how-to-use-quality-control-tools-to-improve-your-qms/
• Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

IT Managed Service Providers

1. Is there an ISO certification we should look at?

Please note that ISO certifications are not mandatory by themselves, although some countries have established laws and regulations that are easier to be fulfilled by adopting them, and an increased number of customers are preferring ISO-certified organizations as suppliers because they consider such organizations are more capable to help them.

Considering that, you need to evaluate your legal environment and customers’ profile to see if an ISO certification is interesting to you.

Broadly speaking, IT Managed Service Providers, should consider the following certifications:

• ISO 20000: related to the management of IT services
• ISO 27001: related to the management of information security
• ISO 9001: related to quality management

These standards share many common requirements, so you can implement them in an integrated way.

These articles will provide you a further explanation about ISO standards:

• What is ISO 27000? https://advisera.com/20000academy/what-is-iso-20000/
• What is ISO 27001? https://advisera.com/27001academy/what-is-iso-27001/
• What is ISO 9001? https://advisera.com/9001academy/what-is-iso-9001/

This article can provide you a customer point of view (the same general concept applies to all ISO management standards):

• Why is it important for your hosting partner to be certified against ISO 27001? https://advisera.com/27001academy/blog/2019/07/02/iso-27001-for-hosting-companies-what-are-the-main-benefits/

2. What would be involved to get certified and what sort of costs would we expect?

After the implementation of documents and controls required by the specific standard, you need to make sure that everyone in the company is complying with documents, i.e., performing all the activities prescribed there. After that, you can work on selecting your certification body.

Our toolkit can help you with the implementation: 

• ISO 27001 Documentation Toolkit https://advisera.com/27001academy/iso-27001-documentation-toolkit/

These articles will provide you a further explanation about the ISO 27001 implementation process:

• ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
• How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/2011/how-to-prepare-for-an-iso-27001-internal-audit/
• Why is management review important for ISO 27001 and ISO 22301? https://advisera.com/27001academy/blog/2014/03/03/why-is-management-review-important-for-iso-27001-and-iso-22301/

Regarding costs, without detailed information about the certification scope it is not possible to give you a precise answer, but broadly speaking, what I can tell you is that these are some cost issues you should consider:

• Training and literature
• External assistance
• Technologies to be updated/implemented
• Employee's effort and time
• The certification process

These materials can provide you more information:

• How much does ISO 27001 implementation cost? https://advisera.com/27001academy/blog/2011/02/08/how-much-does-iso-27001-implementation-cost/
• 5 ways to avoid overhead with ISO 27001 (and keep the costs down) https://advisera.com/27001academy/blog/2012/06/2019/5-ways-to-avoid-overhead-with-iso-27001-and-keep-the-costs-down/
• How to Budget an ISO 27001 Implementation Project https://info.advisera.com/27001academy/free-download/how-to-budget-an-iso-27001-implementation-project/
• Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/

For the duration of the implementation:

• How long does it take to implement ISO 27001 / BS 25999? https://advisera.com/27001academy/blog/2011/11/08/how-long-does-it-take-to-implement-iso-27001-bs-25999/  - Please note that this is the timing that is needed for companies that use our toolkits.

These materials will also help you regarding ISO 27001 project:

• ISO 27001/ISO 22301: The certification process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/
• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

ISO 27001 implementation

Besides our webinars, to support your ISO 27001 implementation in Advisera you can find:

• blog posts: https://advisera.com/27001academy/blog/
• free to download templates and whitepapers: https://advisera.com/27001academy/free-downloads/
• ISO 27001 Documentation Toolkit: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
• free to enroll online training courses: https://advisera.com/training/

Regarding specialists, you may consider a specialist in the ISO 27001 standard (with our toolkit this need is reduced to a minimum) and specialists in your core processes and technologies.

These articles will provide you a further explanation about ISO 27001:

• What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
• ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
• The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
• Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/

These materials will also help you regarding ISO 27001:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Annex A controls

Besides information about specific controls in our blog (https://advisera.com/iso-27001/), and how to apply them, these materials may also help you:

• Overview of ISO 27001:2013 Annex A https://advisera.com/27001academy/iso-27001-controls/
• ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
• Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Annex A controls

Além de informações sobre controles específicos em nosso blog (https://advisera.com/iso-27001/) e como aplicá-los, esses materiais também podem ajudá-lo:

• Visão geral do Anexo A da ISO 27001:2013 https://advisera.com/27001academy/pt-br/knowledgebase/visao-geral-do-anexo-a-da-iso-270012013/

• ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

• Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Statement of conformity

Simply stated, measurement uncertainty cannot be ignored when it comes to conformity statements reported under accreditation. During contract review a laboratory must confirm with the customer that it can meet the requirements for accuracy and are able to perform the measurements. The issue of Measurement uncertainty must be discussed and evaluated to avoid the risk of false pass (acceptance), as the uncertainty could result in the measurement reported being larger than the specification, due to the uncertainty component,

If the expanded measurement uncertainty is smaller than the accuracy requirements of the regulators or client, then the agreed decision rule could, for example, be: “PASS” indicates that the test method conforms with the accuracy requirements of the testing standard. The expanded measurement uncertainty (k = 2 ,95 %  probability) is not greater than the accuracy requirements defined as <value>. You could also refer to a table.

For more information, refer to the ILAC guideline G8:09/2019 Guidelines on Decision Rules and Statements of Conformity available for download from https://ilac.org/publications-and-resources/ilac-guidance-series/ and refer to your accreditation body requirements. A good example of a guideline from an accreditation body is the UKAS Lab 48 Decision Rules and Statements of Conformity, available from hhttps://www.ukas.com/resources/publications/laboratory-accreditation/

ISO 27017

1 - They've asked if there's any way they can be certified, considering they're already ISO 27001 certified. I've been researching the topic for a while and i've only seen this type of compliance statement being given to Cloud service providers.

Answer: First it is important to note that ISO 27017 is not a certifiable standard (some certification bodies "certify" against ISO 27017, but only during an ISO 27001 or ISO 27701 certification processes, because ISO 27001 and ISO 27701 are the only certifiable standards in the ISO 27000 series).

Considering that, to be "certified" against ISO 27017 all an organization needs to do is to include the applicable controls related to ISO 27017 in its Statement of Applicability (of course, as a result of performing the risk assessment and risk treatment process) and implement the risk treatment plan also considering the ISO 27017 controls.

These articles can provide further information:
- What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
- Relationship between ISO 27701, ISO 27001, and ISO 27002 https://advisera.com/27001academy/blog/2019/12/10/relationship-between-iso-27701-iso-27001-and-iso-27002/
- ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/

2 - I wanted to ask if you have seen this attestation being requested and given to any company that is only a cloud consumer.

Thank you in advance for your attention!

Answer: Please note that ISO 27017 also has controls applicable considering the point of view of the customer, so cloud consumers also can request to be “certified” as explained in the previous question.

Monitoring and Measurement / Environmental Controls

Yes, you can reduce the number of sampling sites. It is recommended that you perform validation of that process, where you will analyze all data that you have collected so far and explain why is it justified to reduce the number of sampling sites.

For more information, please see the following link:

• Using ISO 13485 to manage process validation in the medical device manufacturing industry https://advisera.com/13485academy/blog/2017/09/07/using-iso-13485-to-manage-process-validation-in-the-medical-device-manufacturing-industry/