Strategies refer to high-level actions to be developed to achieve defined objectives, while solutions are related to how these actions will be implemented.
For example, to ensure the objective of recovering operations in a defined timeframe, the strategy adopted may be the use of an alternative site, and the solution would be the definition of the alternative site (e.g., by hiring a third party to provide the alternate site, or the organization can build its own main site).
Another example is a backup strategy (which could be incremental, differential, etc.), and the solution would refer to the specific hardware and software bought.
This article will provide you with a further explanation about ISO 22301:2019:
This material will also help you regarding ISO 22301:
1. When doing the Access Control policy we found ourselves relatively short of content in the policy document (this has not appeared to be the case in all policies we’ve worked through). Are you able to give us any guidance on where we could find resources with more prescriptive control examples, than are found in the ISO 27002 standard? The challenge we seem to have is the policies are not all encompassing in terms of coverage of the controls, and when we turn to the controls in the standard, the controls appear quite vague in some cases. Is there somewhere a next level down of control examples? Any comments / insights you can offer around this would be appreciated.
For more prescriptive examples you can use to customize your Access Control Policy, I suggest you consult the NIST SP 800-53 document.
For further information, see:
2. Is there anything at all stopping us from incorporating the controls found in CSA CCM into our documentation suite? Many map to ISO controls, but in some cases appear to be more specific.
If we were doing this, do you have any suggestions or comments we should keep in mind when approaching this?
ISO 27001 does not limit applicable controls to those listed in Annex A, so organizations can develop their own controls, or use controls from other sources, so you can incorporate controls from CSA CCM into your documents.
As a recommendation for using this approach, you must remember to include a reference to controls external to Annex A in your Statement of Applicability. This can be done either by including a new control in the SoA list (if the new controls cannot be mapped to controls from Annex A), or by including a comment in the implementation method column referring to the mapped control.
These articles will provide you with a further explanation about developing documents:
This material will also help you regarding security controls:
Your assumption is correct. Since you do not do any software development, you do not need to complete the Secure Development Policy.
Since this document will not be used by your organization, you must update the Statement of Applicability to reflect this situation.
These articles will provide you with a further explanation:
This material will also help you:
First, it is important to note that ISO 27031 has a focus on the recovery of Information and Communication Technology, which is only one part of business disaster recovery (e.g., it does not cover the recovery of operational and administrative processes).
Considering that, you should evaluate whether the content provided by ISO 27031 is enough to cover your needs (i.e., at this point you only need technical guidance), or whether you need a more comprehensive view of the business in order to prioritize business processes (in this case you should start with ISO 22301).
These articles will provide you with a further explanation about ISO 27031 and ISO 22301:
This material will also help you:
Besides hardware and software, other commonly used categories for information assets are people (e.g., experts, top management, line managers, users, etc.), documentation (e.g., contracts, blueprints, manuals, etc.), infrastructure (e.g., offices, warehouses, etc.), and outsourced services (e.g., communication providers, electrical power supply, etc.).
To see a list of assets commonly used for ISO 27001 ISMS, please take a look at the free demo of our Risk Assessment Table at this link: https://advisera.com/27001academy/documentation/risk-assessment-table/
This article will provide you with a further explanation about asset management:
These materials will also help you regarding asset management:
Yes, you're right, clinical evaluation is covered in requirement 7.3.7 Design and development validation.
In our ISO 13485:2016 & MDR Documentation toolkit we have prepared the necessary documentation for clinical evaluation according to the MDR. You can see its preview on the following link:
I would like to know if you are planning to have a session on how to audit ISO 9001:2015 management system, please?
Answer:
Yes, you can subscribe to the next webinar on auditing ISO 9001:2015, next February 11th, at the following link - https://advisera.com/9001academy/webinar/how-to-perform-an-iso-9001-2015-internal-audit-free-webinar-on-demand/
Which part of the Standard covers management, please? Clause 4, 5, 6, 7.1? Also, when auditing management only, should clauses 10.1 and 10.3 be audited during the management audit?
Answer:
When auditing top management, I include all the clauses that you mentioned and also 9.3. Management review is very important.
You can find more information below:
About the 'ISO document numbering system,' there is no particular prescription from ISO 9001:2015. The only requirement is that your organization has a method that allows for the unique identification of each document. Different organizations use different methods. Use a method to identify the document and the version, by a number or a date.
Normally, I number processes and all documents related to a particular process start with that number. For example, in process “3.Win order”, we have P3.1 (for a procedure) and WI3.1 and WI3.2 (for a work instruction). For forms, I just use a counting system 1, 2, 3, 4 …
You can find more information about records below:
Unfortunately, I cannot provide you with an example, but I can try to guide you in writing one. Gather a group of people that work on deliveries and that are internal suppliers and internal customers of deliveries.
First, think about the flow of activities
Then, ask: what can go wrong?
For each step in the flow add one or more control activities to minimize or eliminate what can go wrong. For example, before “Charge cargo” check if the container is clean. You can add a checklist, a visual control operation.
For each step in the flow identify who participates, who has responsibilities, who has authority.
Then you can write the procedure for each step: what needs to be done by whom, what documents are used, and what records are generated.
You can find some help in this free webinar on-demand - The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/ I show how to relate processes, risks, training, documentation, and control.
The GDPR does not require data to be maintained for 10 years; the data minimization principle and the storage limitation principle (Article 5 GDPR), which are among the general principles regarding data processing, require that data are processed only for the period necessary to achieve the purpose of processing.
When subscribing and creating an account on a website, the purpose of processing is to provide you with the service (access to your account), and the data retention period can be as long as the service is provided. The owner of the website can also keep personal data longer if you purchased some services or items on the website, because tax laws require invoices (which contain your personal data) to be stored for 10 years.
However, the data controller should, in the terms of service and the privacy notice, distinguish the data of users from the data of clients and allow the deletion of users' data if they request it.

You can write to the website asking under what legal basis they assume they can keep your personal data, and highlight that, since you did not purchase anything and only created an account, you want your personal data erased according to the right to be forgotten under the GDPR; otherwise you will lodge a complaint with the Data Protection Authority of their country (you can send an email and attach your previous request and the website's reply). Ignoring the principles of data processing (Art. 5 GDPR), the lawfulness of processing (Art. 6 GDPR) and data subjects' rights is one of the most serious GDPR infringements, with fines of up to 20 000 000 EUR (Art. 83 par. 5 GDPR). Maybe you can add this reference in your email to the website.
If you want to know more about data subjects' rights, consent, and compliance with the GDPR, here you can find more information:
If you need to understand how data subject rights need to be managed under the GDPR, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//