The application of information security in project management will depend on the results of risk assessment and on applicable legal requirements (e.g., laws, regulations, and contracts). For example, the results of risk assessment can show that you have relevant information security risks in all your projects, or only in specific types
Regarding legal requirements, you may not have any law or regulation you must comply with that requires information security for projects, but at the same time you may have a contract with a client that requires information security to be applied to all the projects you have with them.
This article will provide further explanation about security in projects:
ISO 27001 and ISO 27031
We received this question:
How do you see the practical interlock between 27001 and 27031?
Answer: ISO 27031 is a supporting standard which provides specific guidance and recommendations for the implementation of controls from section A.17.1 of ISO 27001 Annex A (Information security continuity).
Considering that, you can use ISO 27031 to make it easier to implement controls from this section, and achieve a more robust solution.
This article will provide further explanation about ISO 27031:
- Understanding IT disaster recovery according to ISO 27031 https://advisera.com/27001academy/blog/2015/09/21/understanding-it-disaster-recovery-according-to-iso-27031/
Very detailed explanation. Thank you
Understanding the physical and logical requirements is always important, regardless of the asset size or complexity, because this will allow you to identify the solutions that properly support your needs, without leaving any gaps (if requirements are underestimated) or consuming unnecessary resources (if requirements are overestimated).
Considering that, without knowing your context and risks it is not possible to define practical solutions. What can be done is to mention common practices (which should be evaluated considering your context and risks):
For further information see:
1 - I would like to ask you if you have some resources for learning about SOC reports.
I am sorry, but our content is developed for ISO 27001. Anyway, this information (from the official site of the American Institute of CPAs) about SOC and ISO 27001 can be interesting for you (see the Excel file "Trust Services Map to ISO 27001"): https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/soc2additionalsubjectmatter.html
In the Excel file, there are some points in common between ISO 27001 and SOC, so for these points you can use our toolkit "ISO 27001 Documentation Toolkit": https://advisera.com/27001academy/iso-27001-documentation-toolkit/
2 - Is it worthwhile for a company to work on ISO 27001 controls and the SOC reports at the same time? Does ISO 27001 cover the SOCs?
SOC 1 deals with a service organization's internal controls over financial reporting systems, while SOC 2 has several points in common with ISO 27001:2013: risk management, internal audit, business continuity, access control, etc.
Considering that, ISO 27001, which is an international standard for information security, can be used to implement some of the controls defined by SOC, but they do not have a direct relation, nor is one required in order to implement the other.
These articles will provide further explanation about ISO 27001:
These materials will also help you regarding ISO 27001:
All non-conformities require treatment, which means that all non-conformities require a correction.
Please check ISO 9001 clause 8.7 – you can read something like: "The organization shall take appropriate action based on the nature of the nonconformity and its effect on the conformity of products and services". There is no mention of corrective or preventative actions.
Please check ISO 9001 clause 10.2.1 a) – when a non-conformity occurs, organizations have to react to control and correct it, and deal with the consequences.
Please check ISO 9001 clause 10.2.1 b) – you can read something like: "evaluate the need for action to eliminate the cause(s) of the nonconformity". "Evaluate the need" means that organizations may decide to develop a corrective or preventative action after correcting a non-conformity, or may decide otherwise.
So, per the ISO 9001 standard, taking preventative actions on a non-conformity is not mandatory. Organizations should evaluate each case and even trends.
You can simply organize a meeting with the relevant people in the organization, such as the managers of each department and top management, and brainstorm to determine the organization's internal and external issues.
Another way to identify the organization's context is through a SWOT analysis, which considers strengths, weaknesses, opportunities and threats. This analysis will not only provide information about the organization's context, but will also help us during the subsequent identification of risks and opportunities.
On the other hand, a PEST analysis, which covers the political, economic, social and technological context, can also help the organization identify the external issues of its context.
For more information on how to determine the organization's internal and external context, see the following materials:
- How to identify the context of the organization in ISO 9001:2015: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/como-identificar-el-contexto-de-la-organizacion-en-iso-90012015/
- ISO 9001:2015 case study: context of the organization as a success factor in a manufacturing company: https://advisera.com/9001academy/blog/2016/10/11/iso-90012015-case-study-context-of-the-organization-as-a-success-factor-in-manufacturing-company/
- Book - Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
- Free online course - ISO 9001:2015 Foundations Course: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
A responsible auditor should invest in keeping up to date with the latest developments:
The following material can provide more information:
Yes, it is necessary to implement ISO 14971:2012 Medical devices — Application of risk management to medical devices. This standard is the only standard on the list of harmonized standards that talks about risk. Since all manufacturers of medical devices need to be in compliance with the list of harmonized standards published by the European Commission, it is obligatory to have implemented this standard.
For more information, see:
Thank you for pointing this out to us. You are right, we will correct it. Control of suppliers and subcontractors is definitely covered by 7.4 Purchasing, and the strategy for complying with regulation is in 4.1 General requirements and 5.1 Management commitment.