Search results

Can a single legal entity have multiple ISO 27001 certifications?

It is possible for a single legal entity to have 2 ISO 27001 certifications, provided you can establish a clear separation between them (i.e., they shouldn’t have overlapping elements).

Team in charge of implementation and maintenance of the ISMS

From your question it is not clear whether you are asking about responsibilities for approving policies and procedures, or for responsibilities that are specified in information security documents.

1) Responsibilities for approving policies and procedures:

In smaller companies, one person usually approves documents, while there are usually 2 or 3 persons that are reviewing the documents before they are sent for approval.

2) Responsibilities specified in information security documents:

In the top-level Information Security Policy you should define:

• one person in charge of coordinating the ISMS
• one sponsor from the top management team

For detailed policies like Backup Policy or Access Control Policy, different people will have different responsibilities - e.g., the person in charge of doing the backup might be a different person from the one in charge of approving access.

The standard allows collective decision-making, however having a 3-person committee that decides about everything is impractical.

For further information, see:

• Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
• How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/

• Certification

  First is important to note that the software is not certifiable against ISO 27001. What can be certified are departments or whole companies.

  You can certify either company A, or B, or both of them. Since this certification is driven by customer demand, it would be best to ask the customer which company would they prefer to be certified. If the customer does not have a preference, it would be more logical to go for company B.

  Regarding Conformio, it can be used to implement and maintain your Information Security Management System, no matter if you choose to go with company A or B. It is designed to be used by smaller companies.

  For further information, see:

  • Conformio (online tool for ISO 27001) https://advisera.com/conformio/

  • Mandatory documents

    Please note that organizations can still certify against ISO 27002:2013 until October 31, 2023, and companies already ISO 27001:2013 certified still have until October 31, 2025, to make the transition to ISO 27001:2022.

    For further information, see:

    • ISO 27001 2013 vs. 2022 revision – What has changed? https://advisera.com/27001academy/blog/2022/02/09/iso-27001-iso-27002/

  • ISO 22301 IT

    For ISO 22301 certification you need to include all the activities in your company (i.e., also business activities, not only IT or cybersecurity activities).

    For further information, see:

    • How to implement ISO 22301 in 17 steps https://advisera.com/27001academy/knowledgebase/17-steps-for-implementing-iso-22301/

    • Chapter 10.3 from IATF

      First of all, the issue of high scrap should be included in your company's risk analysis. As a result, risks are fed by unfulfilled goals, trends that go higher than expectations, internal and external changes, and chronic problems.

       

      Meanwhile, the high amount of scrap affects not only internal costs and profitability but also timely shipment to the customer.

       

      If I were you, I would mention these issues in my production or quality process risk analysis.

       

      In addition, the 6.1.2.1 Risk analysis article of the IATF 16949 standard  mentioned that, 

      "The organization shall include in its risk analysis, at a minimum, lessons learned from product recalls, product audits, field returns and repairs, complaints, scrap, and rework. The organization shall retain documented information as evidence of the results of risk analysis.’’

       

      Therefore, such lessons learned shall be noted sometimes in the D-FMEA and sometimes in the P-FMEA. If your company is not responsible for the design, of course, it does not need to use D-FMEA, but there may be areas in P-FMEA that need to be updated.

      Whether it is AIAG FMEA rev 4 or AIAG&VDA FMEA; Error type, error reasons, and actions can be updated due to these scraps, which is expected.

       

      But I cannot say that every CI project should be subject to risk analysis or P-FMEA, it is necessary to look at it on a case-by-case basis.

       

    • Risk Register & BYOD

      1 - My first question is about infrastructure assets: do we have to include the private office of Singapore co-working space? What about air conditioning, power supply...? Also same question about the co-working space in Site B.

      Answer: You should consider the co-working spaces as an outsourced service in your asset register (you can add a new asset like “co-working space provider”). Air conditioning, power supply, and other assets related to the co-working space should not be included (all these are provided by the co-working space provider).

      2 - By extension, we have a BYOD policy. Do we need to include personal laptops and smartphones in the assets? 

      Answer: If private assets (e.g., private laptops, private smartphones, etc.) are used for business purpose, then these should be included in the Risk Register.

      3 - We are using a virtual server from a third-parties provider (2 in Site C, and 1 in Site A). Should we include these virtual servers in the assets? 

      Answer: Yes, you should include this virtual server as a third-party service.

      For further information, see:
      - Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/

      4 - We have a website: ***. Is it an asset? I saw in the list of assets: proprietary data. Could you give me an example of what it could be for us

      Answer: Yes, a website is an asset - if you are using a cloud service for hosting your website then you could list something like 'XYZ service for hosting the website'. 

    • The scope of ISO 27001 training

      All the examples given during the course are more suitable for small and mid-size companies (i.e., they consider a less complex environment).

      If you will need to implement the standard in a corporation or you work for a corporation, you will just need to consider additional examples adapted to your company's needs.

    • Changing SOA in praparation of audit

      You can make changes to the SoA prior to certification audits, but this will not have an effect on ISMS or certification scope. 

      You can mark certain controls as not applicable in the SoA - however, be aware that controls can be marked as not applicable only if there are no related risks and if there are no requirements of interested parties for those controls.

    • Changing SOA in preparation of audit

      You can make changes to the SoA prior to certification audits, but this will not have an effect on ISMS or certification scope. 

      You can mark certain controls as not applicable in the SoA - however, be aware that controls can be marked as not applicable only if there are no related risks and if there are no requirements of interested parties for those controls.