Search results

Information classification and labeling

For this answer, I’m assuming that control A.8.2.2 - Labelling of information, is considered applicable in the Auditee’s Statement of Applicability.

Considering that, please note that this situation needs to be considered in the context of the auditee’s procedures for labeling of information (ISO 27001 Annex A control A.8.2.2 - Labelling of information – requires procedures for information labeling to be developed and implemented).

In case there is a documented procedure for information labeling (the control does not require related procedures to be documented), you need to check what this document defines regarding labeling of information requested for audit. If there is no documented procedure, you need to check additional evidence to understand the common practice (e.g., by interviewing other people to see if they share the same understanding regarding the labeling of information requested for audit).

From this evaluation, you can decide if this situation is a common practice or if there is a failure to fulfill an expected behavior (i.e., a nonconformity).

This article will provide you a further explanation about information labeling:

• Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/

These materials will also help you regarding information labeling:

• ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
• ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Benefits of asset-based approach

To understand the benefits you need to see the risk assessment from the users’ point of view.

For people that are not used to perform risk assessment, it is easier to remember an event that may affect them than a specific set of elements (i.e., asset-threat-vulnerability), so you can perform risk assessment faster, without worrying about longer training sessions, and get the most relevant events in the users’ point of view.

This material will help you regarding risk assessment:

• Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

Finding an auditor

From your question is not clear if you are referring to an internal auditor or a certification auditor, so the answer will cover both situations.

The “DIY with expert support” approach does not change the main points you need to consider.

When looking for an auditor to perform an internal audit you should consider:

• the knowledge about your industry
• reputation
• pricing

We are not aware of specific jobs, boards, or professional associations of ISO 27001 internal auditors, so your best approach would be looking for them on professional social networks like LinkedIn, ISO 27001 security group on Google Groups, or organizations which issue certificates for information security professionals like ISC2 or ISACA.

For further information, see:

• Qualifications for an ISO 27001 Internal Auditor https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/
• 5 criteria for choosing an ISO 22301 / ISO 27001 consultant https://advisera.com/27001academy/blog/2013/03/25/5-criteria-for-choosing-a-iso-22301-iso-27001-consultant/

When looking for an auditor to perform a certification audit you need in fact to look for a certification body, and for this, there are several factors you should take into account when selecting a certification body, please read this article:

• How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/

The main certification bodies for ISO 27001 are:

• BSI: https://www.bsigroup.com
• Bureau Veritas: https://www.dnvgl.com/
• DNV: https://www.dnvgl.com/services?ServiceTypes=136423
• SGS: www.sgs.com/
• TUV: www.tuv.com

You can also find a proper certification body at this link: https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/

You can use this link to enter your profile, and we will find the certification body that best fits your needs.

ISO 9001 Secondary review

No, records should be reviewed by the function with the authority to do it. If we are speaking of records from the purchasing area perhaps your quality system determines that review for content and approval is made by a function in the purchasing department.

During internal audits, auditors can audit records for content and approval.

You can find more information about documentation below:

• New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
• Some tips to make Document Control more useful for your QMS - https://advisera.com/9001academy/blog/2014/05/20/tips-make-document-control-useful-qms/
• Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/

ISO 9001 QMS

ISO 9001 in its latest version of 2015 does not require a quality manual. So, a quality manual is no longer mandatory. However, as a consultant working with organizations, I recommend developing a quality manual. 

Since it is no longer mandatory, we are free to design its content. I recommend designing a document that presents the quality management system. Presenting:

• your organization and its history
• the scope of the quality management system
• its quality policy
• its model of working based on the process approach 

 In plain English would be something like:

• Who are we?
• To whom do we work?
• What are our priorities?
• How do we work? 

The following material will provide you information about the quality manual:

• The future of the Quality Manual in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/the-future-of-the-quality-manual-in-iso-90012015/
• Free online training ISO 9001:2015 ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-9001-internal-auditor-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

Recommendations for the registrar

I´m assuming that by registrar you are referring to a certification body.

Considering that, the main certification bodies for ISO 27001 are:

• BSI: https://www.bsigroup.com
• Bureau Veritas: https://www.bureauveritas.com
• DNV: https://www.dnvgl.com/
• SGS: https://www.sgs.com/
• TUV: https://www.tuv.com

From their main site, you can verify if they have offices in your country.

To help you select a certification body, I recommend these materials:

• How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
• List of Questions to ask an ISO 27001 or ISO 22301 certification body https://info.advisera.com/27001academy/free-download/list-of-questions-to-ask-an-iso-27001-certification-body

This material will also help you regarding preparation for certification:

• Preparing for ISO Certification Audit: A Plain English Guide https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/

Calculating ROI for ISO 27001 ISMS implementation program

The best way to calculate the Return on Security Investment (ROSI) is to relate the investment in information security with the economic benefits that this will bring to the business. The calculation of the ROSI can be based on:

• Costs of incidents by taking into account all the relevant costs if an incident occurs and the probability of an incident. These are some types of incidents: Malicious activity (virus, trojan horses, etc.), unintentional human error (delete critical information by error, etc.), system errors/malfunctions (hardware failure, etc.), natural disaster & force majeure (earthquake, flood, etc.)
• Costs of security measures/controls and the level to which the risk of this incident would decrease because of such mitigation

This free tool can be very useful to give you an idea of how to calculate ROSI:

• Free Return on Security Investment Calculator: https://advisera.com/27001academy/free-tools/free-return-security-investment-calculator/ 

This article can be also interesting for you:

• Is it possible to calculate the Return on Security Investment (ROSI)? https://advisera.com/27001academy/blog/2011/06/13/is-it-possible-to-calculate-the-return-on-security-investment-rosi/

Clause 7.5.1

Please note that the “shall” word in this clause refers to all documents defined as mandatory by the standard and to those considered necessary by the organization. It does not specifically define a procedure for documentation control as mandatory.

So a documentation control procedure is not mandatory.

This article will provide you a further explanation about ISO 27001 mandatory documents:
- List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

These materials will also help you regarding ISO 27001 documents:
- Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Accreditation of GMO lab

The applicable standard for all non-medical testing laboratories is ISO 17025:2017. Depending on the country and accreditation body, a specific program may be on offer. For example, under Life Sciences where the accreditation body will have mandatory additional criteria and recommendations for testing genetically modified (GM) material. An accreditation body could offer a flexible scope of accreditation for laboratories quantifying GMOs. In the European Union for example, there is a published guideline for such flexible scopes. You can go to https://ec.europa.eu/jrc/en/publications-list and search for the keywords “flexible scope GMO”.

In some cases the program would be under General Testing, where accreditation would be per test; for example Material type: Foods and Food Products – Rice: Detection of genetically modified organism; or under the Biological program, for example Screening for Genetically Modified Organisms (GMO) by Immunoassay. I suggest you contact your accreditation body to find out the specific program and additional criteria.

For general information regarding ISO 17025, have a look at the article What is ISO 17025? at https://advisera.com/17025academy/what-is-iso-17025/