1. We are a rather small start-up company with about 50 employees, manufacturing a product with both hardware and software.
We do not have a CISO or an IT manager, just myself as the ICT lead to do all IT and Security related tasks.
What should we put in the documentation instead of CISO?
Or should we write somewhere that wherever it says CISO that would be the ICT lead acting as the CISO?
Or alternatively should we only include job titles that we actually have in the company?
I am not sure how to present this in the documentation and audit.
Please note that, besides top management, ISO 27001 does not prescribe any specific role to perform information security-related activities, so you can use the job titles that you actually have in your company.
For further information, see:
2. One of our team members looking at the risk part of our ISO 27001 plan suggested we combine 06.1_Appendix_1_Risk_Assessment & 06.2_Appendix_2_Risk_Treatment because:
1) they include a lot of the same columns.
2) you can use filter instead of copy pasting those risks that need treatment. Copy pasting between tables is error prone. Does the standard require these tables to be separate?
Can you explain why these are separate in the toolkit?
Any other comments will be very welcome.
ISO 27001 does not prescribe risk assessment and risk treatment to be documented as separate documents, but we do not recommend merging the Risk assessment table and Risk treatment table.
This is because not all risks from the Risk assessment table need to be treated, and very often for one risk you would need several controls (i.e., several lines for the same risk, each one associated with a different control). Keeping a single table would result in an unnecessarily big and complex table to manage.
Therefore, it is much easier to have two separate sheets for this purpose.
ISO 27001 does not require the impact on confidentiality, integrity, and availability to be assessed as separate values.
The Risk Assessment Methodology document generated through Conformio specifies that the risks related to confidentiality, integrity, and availability will be identified by listing the assets, threats, and vulnerabilities, while the same document specifies that the consequences of endangered confidentiality, integrity, and availability will be assessed by assessing the level of impact. The Risk Register implements risk assessment according to those rules.
Here is what ISO 27001 says:
In other words, the standard does require that risks related to confidentiality, integrity, and availability be identified, and their consequences be assessed, but this doesn’t mean separate values for these. As a consequence, the majority of companies that go for ISO 27001 certification (I’m referring here not only to Advisera, but also to non-Advisera customers) do not use separate values for confidentiality, integrity, and availability.
There is no need to change the templates’ reference to ISO 27002.
Please note that ISO 27001 is the main standard for Information Security Management Systems, while ISO 27002 is a supporting standard that can be used to help implement controls from ISO 27001 Annex A.
Additionally, in certification audits, the auditor reference is ISO 27001, not ISO 27002.
For further information, see:
The definition of the risk acceptance criteria will depend on how you calculate risk value.
For example, if your method of risk calculation produces values from 2 to 10, then you can decide that an acceptable level of risk is, e.g., 7 – this would mean that only the risks valued at 8, 9, and 10 need treatment.
Alternatively, you can examine each individual risk and decide which should be treated or not based on your insight and experience, using no pre-defined values.
For further information, see:
This will depend on your sector and the use of the equipment. Check first if there are regulations relevant to your clients, or perhaps requirements from your accreditation body for the type of testing and program specific accreditation.
The ISO 17025 standard does not state as a general requirement that you must use an ISO 17025 accredited calibration laboratory and in each case obtain an accredited calibration certificate. The main requirement is metrological traceability of measurement results, which includes the use of competent laboratories for your calibrations. These can be either ISO 17025 accredited or non-accredited laboratories that provide, for example, traceability to international SI units. A reason to obtain an ISO 17025 accredited calibration is to get the measurement uncertainty on the calibration certificate, which may be necessary for your application. If, however, the equipment has a minor impact (low risk) on the validity and uncertainty of the measurement, then a non-accredited calibration should be suitable. For example, there are large tolerances/specifications on a pass/fail outcome.
On the other hand, you should obtain an accredited calibration where equipment is used for critical applications, or used to calibrate or test other equipment.
For further information, have a look at the article What does ISO 17025:2017 require for laboratory measurement equipment and related procedures? at https://advisera.com/17025academy/blog/2019/07/25/iso-17025-measurement-requirements-of-the-standard/ and the ISO 17025 document template Equipment and Calibration Procedure at https://advisera.com/17025academy/documentation/equipment-and-calibration-procedure/
Since your customer did not accept your proposed versions based on 2013 ISO 27001 and the GDPR, and ISO 27001:2022 does not have significant updates on this topic, I suggest you take a look at this template:
This document is based on guidelines from ISO 27018, a supporting standard to ISO 27001 which covers the protection of privacy in cloud environments.
For further information, see:
By checking that you are compliant with the Computer Misuse Act, you state that you have implemented all the controls defined as necessary to fulfill the Act’s requirements (secure computer material against unauthorized access or modification, and for connected purposes).
Considering that, you need to identify in the Statement of Applicability which controls are related to the Computer Misuse Act, and ensure they are implemented (these controls may refer to documents, facilities, and/or technologies).
For example, if controls related to this Act are controls A.5.15 - Access control, and A.7.1 – Physical security perimeters, then you need to ensure that they are implemented (e.g., by implementing an Access Control Policy, and by defining areas with different security levels, related to the sensitivity of the information kept on them).
You asked
Will a reference standard be accepted that will expire in June 2023, knowing that the laboratory seeks effective application of ISO 17025?
As long as the certified reference material (CRM) has been stored according to requirements, and it is used before expiry, you can show acceptability to use it and traceability of your results through the material's certified value.
It is however always best practice to test one lot number of a reference material against an existing material for which you have quality control data. This will provide reassurance in the certified value, particularly if you are close to the expiry date.
You also asked
if it is mentioned in the certificate of the reference material that the re-test of the material in 2024, what is the method used to re-test and verify the effectiveness and stability of the material? The test result"
The specific test depends on the material and method technique. You need to show that the certified property value/s are not significantly changed. The depth of the assessment depends on the expected influence of the CRM on the validity of the measurement and the criticality of the measurement. Use statistical tools to determine if there is any significant difference in the measured property of the CRM compared to the quality control data or validation data of the same CRM when first introduced, i.e., before expiry.
As stability is being evaluated, and there is a possibility of breakdown of components, the test must be specific and selective. Typically you will run a number of replicates of the CRM as a test sample using your normal process and quality control checks.
Mark, thank you, that was helpful! I am located in CA
This free webinar on-demand - How to perform an ISO 9001:2015 internal audit - https://advisera.com/9001academy/webinar/how-to-perform-an-iso-9001-2015-internal-audit-free-webinar-on-demand/ can be useful to answer your question with examples.
In this webinar you will see this flowchart with the main steps regarding an internal audit process: https://i.imgur.com/KWkCg1H.png
Consider also this book - ISO internal audit: A plain English guide: https://advisera.com/books/iso-internal-audit-plain-english-guide/