
  • Company Acquisition and Integration ISO27001

    Company Y can be included in the scope of company X. You can think of that as an addition to company X's ISMS scope, and for that company X needs to perform all the sequential steps that follow a scope update, with some adjustments:

    1. review the ISMS basic framework (e.g., scope, objectives, organizational structure), considering the organizational context of both companies and the requirements of interested parties;
    2. review the risk assessment and treatment methodologies, to see which elements can be handled together and which ones need to be kept separate;
    3. review the risk assessment and define the updated risk treatment plan;
    4. adjust implemented controls when necessary (e.g., policies and procedures documentation, acquisitions, etc.), and implement any new controls required by the new context;
    5. people training and awareness;
    6. controls operation;
    7. performance monitoring and measurement;
    8. perform an internal audit;
    9. perform management review; and
    10. address nonconformities, corrective actions, and opportunities for improvement.


    Regarding how to audit this new scope, you may have these options:

    • perform a single audit covering both companies
    • perform separate audits for each company
    • perform separate audits covering similar areas in both companies (e.g., one audit covering HR of both companies X and Y) and audits related to specificities of each company (e.g., one audit for R&D of company X and one audit for R&D of company Y)

    Examples of criteria you can use to decide how to define the audits are the complexity of execution, the availability of auditors, the size of the organizations, and the number of employees.


  • Question related to Antivirus

    1. In the section titled "Managing records kept on the basis of this document" of the SECURITY PROCEDURES FOR IT DEPARTMENT document, it is stated under Controls for record protection that "Once the record is created, the record cannot be changed." Given that the record cannot be changed, what will be the record name that we can provide? This information has not been included in the documents, so I believe it should be erased because it is not applicable. Please let me know if you have any ideas or suggestions that we might write down, or if we need to prepare any additional documents for this, since records cannot be modified once they have been produced.

    For the change record name you can use the name of the current documentation you use to handle changes. In case you are implementing this record for the first time, you can use any name you want.

    The information about the change record name is not included because ISO 27001 does not prescribe it, and organizations normally already have their own named records (e.g., change plan, change order, change ticket, etc.).

    2. "There are 12 team members in total, so I believe we will initially go for 3 team members as of now. I hope that will be fine to achieve the ISO 27001 certification, or will there be any blockers for that? Yesterday we discussed antivirus, and I told you that we don't have any antivirus in our company. So, as per your suggestion, we will run a pilot for 3 employees, basically with the IT administrator handling all the server data, so we will install it first. How would you advise in this situation?"

    In the Risk Treatment Plan, you can specify that you will implement a control gradually: as you suggested, only for 3 employees initially, and afterward for the rest of the company.

  • Queries ISO 27001

    Hello, I translated some documentation that I found from English to Spanish, and there are things I do not understand what they refer to, for example:

    Information security risk assessment does not require...

    What would not be required in this case: defining risk acceptance criteria, defining sanctions for non-compliance in information security, identifying security risks, or identifying risk owners?

    Taking into account ISO 27001, the following is required for risk assessment:

    • Define a risk assessment process (risk identification, risk analysis, and risk evaluation)
    • Define risk acceptance criteria
    • Define criteria for performing risk assessment
    • Identify risk owners
    • Retain documented information about the risk assessment process

    Considering that, of your examples, only defining sanctions for non-compliance in information security is not required.


  • Query on ISO 27001:2022 SOA

    ISO 27001 does not prescribe that information about how a control is implemented needs to be included in the SoA (the four items you listed are the only ones mandatory to be included in the SoA).

    However, we highly recommend including this information in the SoA, because the SoA is a document that summarizes the security practices adopted by an organization, and this additional information makes it a more useful document.

  • Improvement Log

    Please note that ISO 27001 does not prescribe any specific document for logging improvements, but typically improvements will be documented through corrective actions.

    To see which fields to consider, please take a look at this corrective action form template: https://advisera.com/27001academy/documentation/corrective-action-form/


  • Change Management and QMS

    Regarding your question about where change management procedures are captured in a QMS, if you are talking about changes for production or service provision please check clause 8.5.6. However, if you are talking about changes to the quality management system please check clause 6.3.

  • Should we have risk management procedure including FMEA for all product lifecycle?

    You can make a risk analysis for your part of the life cycle (sales and storage??), but then claim that the other parts of the risk analysis are within a particular outsourced company. To maintain your awareness of this, you need to have the exact document numbers and revisions of the risk analyses from your outsourced companies, and during your audits of the outsourced companies you need to audit their risk analyses as well.

    All of this is of course part of the Quality Agreement. Just keep in mind that no matter how much you outsource, you are responsible for the product because it is under your name. So, you need to have control over all processes.

  • Second party audits for an ISO Certified company

    The ISO 9001:2015 standard does not have a clear expectation in this regard; you need to look at the customer-specific requirements. However, the IATF 16949 standard clearly states its expectations for 2nd party auditors in article 7.2.4.
    In my opinion, first refer to the customer-specific requirements, then you can refer to article 7.2.4 of the IATF 16949:2016 standard if you want.
    Also, the VDA 6.3 requirement is available for VW and Mercedes customer-specific requirements.

  • Adapting GDPR material to South African context

    A lot of the documentation present in our EU GDPR Documentation Toolkits can be reused or adapted for POPIA compliance. Namely, all the documents related to Preparations for the Project, Personal Data Policy Framework, Privacy Notices, Mapping of Processing Activities, Managing Data Subject Rights, Security of Personal Data, and Personal Data Breaches can be used for POPIA compliance with minor adjustments. The other documents in our Documentation Toolkit need some more customization related to specific POPIA articles.
