Search results

Differences between ISO 27001 and SOC 2

The main differences between ISO 27001 and SOC 2 can be summarized as follows:

• SOC 2 is a set of audit reports to evidence conformance to the Trusted Service Criteria (TSC), while ISO 27001 is a standard for the management of information security
• SOC 2 is usually required in the U.S., while ISO 27001 is an international standard
• SOC 2 is not certifiable (it can be only attested by a licensed Certified Public Accountant (CPA), while ISO 27001 is certifiable by accredited certification bodies  

This article will provide you a further explanation about ISO 27001 and SOC 2:

• Comparison of SOC 2 and ISO 27001 certification https://advisera.com/27001academy/blog/21/02/02/iso-27001-vs-soc-2/

These materials will also help you regarding ISO 27001:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Conducting implementation/audit using ISO 27001 and ISO 27701 simultaneously

Please note that ISO 27701 was developed as an extension of ISO 27001 and ISO 27002. Considering that, the material already developed for ISO 27001 implementation/audit would need to undergo some adjustments to incorporate ISO 27701 aspects.

Our ISO 27001 toolkit is approximately 80% compliant with ISO 27701. The remaining 20% refers to small adjustments to include the protection of privacy in the context of the documents (e.g., where a document states “information security”, it now should state “information security and privacy”, and applicable controls should consider complementary privacy protection measures), and the inclusion of applicable controls specifically developed for ISO 27701 (in a total of 49 controls). To see how the documents in the toolkit look like, please access this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

For further information, read:

• Relationship between ISO 27701, ISO 27001, and ISO 27002 https://advisera.com/27001academy/blog/2019/12/10/relationship-between-iso-27701-iso-27001-and-iso-27002/

These articles will provide you a further explanation about ISO 27001:

• What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
• Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/

These materials will also help you regarding ISO 27001:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Backup and archiving

You asked

I would like to know your opinion on which documents should be backed up. Backup rules. 

It is the decision of the laboratory, based on customer requirements and or regulations, and based on risk; which documents you need to back up. Typically a laboratory will back up all current work, whilst archive backups are also available.

You also asked

it is imperative, in addition to backup copying, to archive the same documents and put an EDS on them"

Again, do what is necessary for data security and integrity. Exactly how you do it is up to your needs.

For more information see 

The Whitepaper Clause-by-clause explanation of ISO 17025:2017 will assist you with ISO 17025 awareness, available at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025/ 

and the ISO 17025 Toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/

How to use the ISO 13485:2016 Internal Audit Toolkit

You can always customize any document and use it for just one department. In the audit plan, you will then state that the audit criterion is only one requirement that applies specifically to that department. For example, if you only want to audit the sterilization department, then you will specify requirement 7.5.5 Particular requirements for sterile medical devices and 7.5.7 Particular requirements for validation of the process for sterilization and sterile barrier systems as the audit criteria. If you want to audit only Installation Processes, then your auditing criteria will be requirement 7.5.3 Installation activities. 

If you look at the audit checklist, you can apply the same principle here, so that you fulfill the audit results only in those requirements in which you performed the audit.

How these documents look like in our ISO 13485:2016 Documentation toolkit you can see on the following link:

• Internal audit checklist https://advisera.com/13485academy/documentation/internal-audit-checklist-iso-13485-2016/
• Internal audit plan https://advisera.com/13485academy/documentation/internal-audit-plan-iso-13485-2016/

• Five main steps in the ISO 13485:2016 internal audit https://advisera.com/13485academy/knowledgebase/five-main-steps-in-the-iso-134852016-internal-audit/
• How to create a checklist for an ISO 13485 internal audit for your QMS https://advisera.com/13485academy/knowledgebase/how-to-create-a-checklist-for-an-iso-13485-internal-audit-for-your-qms/

• Holding Personal Information

  GDPR lets the controller determine the period for data retention. In some cases, like for financial declarations, domestic laws impose a fixed term like 10 years while for health declaration periods can be even longer up to 20 years because of the potential implication in legal actions.

  Our Toolkit contains a data retention policy template that may help controllers to determine the period of data retention for each processing activity.

  • Data Retention Policy https://advisera.com/eugdpracademy/documentation/data-retention-policy/

  If you need to understand how to process personal data under GDPR, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

• Digital consent registration

  Our GDPR Documentation Toolkit provides text of the consent and for the Cookie policy that must be implemented in the technical systems. GDPR requires that consent can be expressed also by an action which must be recorded in order to ensure accountability.

  The register of processing activity (folder Mapping of Processing activities), for example, require to list for each processing activity (like website, or newsletter) the data processed, the purposes of processing and the record, so if the consent is given in electronic form, and registered technically in the newsletter service provider it should be registered, adding also if a transfer of data to third countries happens.

  Then, the IT Security Policy, at paragraph 3.13 list all rules for email and other messaging system, requiring “Users may only send messages containing true information. It is forbidden to send materials with disturbing, unpleasant, sexually explicit, rude, slanderous or any other unacceptable or illegal content.  Users must not send spam messages to persons with whom no business relationship has been established or to persons who did not require such information”. In the Access Control Policy there is the list of persons/roles who can access to a system/network or physical area and specific rules for mailing list management can be implemented.

  If you want to know more about data subjects’ rights, consent and compliance to GDR here you can find more information:

  • Data subject rights according to GDPR https://advisera.com/eugdpracademy/knowledgebase/8-data-subject-rights-according-to-gdpr//
  • Is consent needed? Six legal bases to process data according to GDPR https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/
  • Email marketing in the era of GDPR – How to ensure compliance? https://advisera.com/eugdpracademy/blog/2019/05/27/gdpr-and-email-marketing-rules-for-compliant-campaigns/

  If you need to understand how to data subject rights need to be managed under GDPR, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

• ISO 9001 in civil engineering

  Thankyou So much for the reply Sir, it's really helpful 👌

• ISO templates - HR Policy

  Please note that ISO 27001 does not require an HR Policy, neither this is a commonly adopted document for ISO 27001 ISMS implementations. Commonly adopted controls related to Human Resources (controls from section A.7 of ISO 27001 Annex A) are covered by these templates:

  • Confidentiality Statement, located in folder 08 Annex A Security Controls >> A.7 Human Resource Security
  • Statement of Acceptance of ISMS Documents, located in folder 08 Annex A Security Controls >> A.7 Human Resource Security
  • Supplier Security Policy, located in folder 08 Annex A Security Controls >> A.15 Supplier Relationships
  • Security Clauses for Suppliers and Partners, located in folder 08 Annex A Security Controls >> A.15 Supplier Relationships
  • Incident Management Procedure, located in folder 08 Annex A Security Controls >> A.16 Information Security Incident Management

  Regarding awareness, the template you need is the Training and Awareness Plan, located in folder 08 Annex A Security Controls >> 09 Training and Awareness

  For further information, see:

  • How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
  • 8 Security Practices to Use in Your Employee Training and Awareness Program https://advisera.com/27001academy/blog/2015/03/02/8-security-practices-to-use-in-your-employee-training-and-awareness-program/

  This material will also help you regarding awareness and training:

  • Free Security Awareness Training: https://advisera.com/training-account/security-awareness-training/ - this is a series of 35 videos that cover various topics related to security.

• ISO 27001 Risk Assessment

  First is important to note that you need to include in the risk assessment every risk you understand as relevant, even if there are controls already implemented to treat them.

  If you already have controls implemented, you should consider their effects on the risk value, so that your risk assessment table reflects the current situation of your environment. The existing controls should be included in the "Existing Controls" column.

  By the way, included in the toolkit you bought you have access to a video tutorial that can help you fill the risk assessment and risk treatment tables.

  These articles will provide you a further explanation about risk assessment:

  • ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
  • How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment

  These materials will also help you regarding risk assessment:

  • Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Free webinar The basics of risk assessment and treatment according to ISO 27001 https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/

• Reconciling Incident SLA vs RTO

  First is important to note that higher disruption levels do not necessarily lead to higher Recovery Time Objectives (RTOs), or to lower incident response times/SLAs. These times are mostly defined by business continuity strategies, processes interdependencies, and available resources. For example, an organization may decide:

  • to have the same RTO and incident response time/SLA, regardless of the disruption level (this basically means to have an alternative site mirroring the main site in real time at a distance that cannot be affected by the same disruption).
  • to increase RTO to keep the incident response time/SLA, provided the RTO does not become greater than the Maximum Acceptable Outage (MAO). The difference between RTO and MAO is that, once MAO is defined, when MAO threshold is breached, recovering the business is not worthy anymore, while the RTO can be changed for any value from 0 to any value smaller than MAO.
  • to decrease the incident response time/SLA to keep RTO, but you need to note that how much you can decrease the incident response time/SLA will depend on the complexity of processes interdependencies (i.e., some recovery activities can only be performed in sequence, not in parallel, so the sequence with the shortest time will define the minimum incident response time/SLA).

  Considering that, you need to find a balance between needed activities, available resources, and business objectives and strategies to define proper values for RTO and incident response time/SLA.

  These articles will provide you a further explanation about business continuity concepts:

  • What is the difference between Recovery Time Objective (RTO) and Recovery Point Objective (RPO)? https://advisera.com/27001academy/knowledgebase/what-is-the-difference-between-recovery-time-objective-rto-and-recovery-point-objective-rpo/
  • Explanation of the most common business continuity terms https://advisera.com/27001academy/blog/21/01/18/explanation-of-most-common-business-continuity-terms/

  This material will also help you regarding business continuity concepts:

  • Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/