Hello Kristina, and where can I find this clause implemented on the toolkit? Thank you very much!
The inclusion of controls in the SoA based on a compliance need (i.e., to be compliant with the Baseline Information security for the Dutch government) is acceptable for the certification process.
However, to be able to succeed in the ISO 27001 certification process, you need to perform the risk assessment as well. Based on the results of the risk assessment, and based on requirements from interested parties (including the Dutch government requirements), you can define in your Statement of Applicability which controls are applicable.
Please note that, while less frequent, disruptions caused by the failure of system-wide assets can still happen:
So, even if your area is not directly hit, a disaster that hits your provider can affect your ability to access documents in your systems.
This depends on what is required by the national or market regulation. If your requirement is to use ISO 13485, then you can use your own QMS but with added elements that are specific to ISO 13485. So, adapt your QMS with particular requirements from ISO 13485.
Please note that you can recertify against ISO 27001:2013 at the latest by the end of October this year. After this recertification, you can choose when to transition to the 2022 revision - you can do it during your surveillance audit in 2024, but at the latest during the surveillance audit in 2025.
The requirements for a laboratory will depend on the type of testing or calibrations you perform. For more information, have a look at my previous answers to the same topic questions. These are at https://community.advisera.com/topic/calculating-uncertainty/ and https://community.advisera.com/topic/meas-of-uncert-budget-pipette/
I think that there may be different answers as a function of the specific situation.

You determined environmental aspects and impacts. Then, you evaluated their significance and concluded that the situation needs to be improved. (Clause 6.1.2)
So, something needs to be done to improve the current situation. Someone, or a group, may study different alternatives and conclude that using a filter will be the best solution. The next steps are about what needs to be done to finance, acquire, install, and test the solution. (Clause 6.1.4)
Answering your question, this is done at the planning stage.
First, it is important to note that ISO 27001 does not prescribe technical details for the implementation of Annex A controls.
Second, in terms of controls, compliance with ISO 27001 will depend on the results of the risk assessment (i.e., depending on the results, some controls may not be applicable).
Considering that, a suggested approach to support decision-making is to consider which platform treats more of the relevant risks you have identified in your risk treatment.
For further information, see:
If you are looking for ways to start working in cybersecurity, the best approach would be to look for cybersecurity opportunities on professional social networks like LinkedIn or the ISO 27001 security group on Google Groups. You can also go for certificates like ISC2 or ISACA, or ISO 27001 courses https://advisera.com/training/iso-27001-courses/
Please note that “attributes” are defined in ISO 27002, whose application is not mandatory for the implementation of ISO 27001.
ISO 27002 is a supporting standard that provides guidance for the implementation of ISO 27001 Annex A controls, and the attributes’ purpose is to help organizations sort controls according to specific criteria:
For example, if an organization’s control implementation strategy is to consider a “type” approach, then the attribute can help the organization identify which controls have a preventive approach.
For further information, see: