
  • CISO role vs ISO 27001 implementer

    In general, a CISO is a seasoned professional that has already been involved in information security management systems implementation (as a team member or project manager). For small companies (up to 50 employees) you can expect a CISO to manage the ISMS implementation. For bigger companies, you should consider designating additional personnel (e.g., other employees or an external consultant) due to the volume of work to be performed.  

    About questions for the candidate, you can ask about his previous experience with implementation projects and his suggestion about how to implement it in your organization.  

    For further information, see:

  • Implement ISO 27001 & ISO 22301 - ISMS and BCMS Manual

    Please note that neither ISO 27001 nor ISO 22301 require the development of a Manual, and for good reasons. If you put all the policies and procedures into a single document, this will make their reading very difficult and maintenance more complex.  

    Since this is a requirement for a specific market need, we suggest:

    • For ISO 27001 you can use the Information Security Policy and the Statement of Applicability as a single document to describe briefly how your company will implement its information security.
    • For ISO 22301 you can use the Business Continuity Policy and the Business Continuity Strategy as a single document to describe briefly how your company will implement its business continuity.

    This article will provide you with further explanation about the ISMS Manual (the same concept applies to the BCMS):

    This material will also help you regarding ISMS documentation:

  • Can the same person prepare and review a document?

    Yes, the person that prepares a document can be the one who reviews it. Please check ISO 9001:2015 clause 7.5.2 c). Can you see any limitation imposing the separation between who prepares and who reviews? There is no such limitation.

  • Filling Procedure for Document and Record Control

    Since you are also implementing ISO 22301, then you need to go with your second option, and put an “and” in between ISMS and BCMS.

  • How to update policy in Conformio?

    1. How can this modification be tracked in Conformio?

    Please note that each document itself contains a “Change history” section which provides information about previous and current versions (e.g., approval date, approver, description of the change, etc.)

    In Conformio, in the section “Documents”, accessed through the left side panel in the main screen, you can access the “Policies and procedures” folder where you can find all policies and procedures generated by Conformio.

    2. What evidence can be presented and where?

    As evidence of control of policies and procedures changes you can also show the Change history record.

  • Are CRM certificates considered external documents?

    Yes, CRM certificates are external records. Any information that is required by the laboratory, but not created by the laboratory, is an external document.
    Note that they require correct control as the requirements of clause 6.4, Equipment, apply to CRM certificates too. This means that the reference data needs to be verified as fit for use, providing sufficient information to maintain confidence in reference material. The storage and handling of the Reference data, including results, acceptance criteria, relevant dates, and the period of validity must also be controlled.

  • Implementation, Compliance software, Training

    No, you do not need to have ISO 13485 certification since you are not the producer of the kit. Only the producer needs to be ISO 13485 certified. 

  • Corrective action logs

    The corrective action log in general contains a unique identification (e.g., number or code), the description of the non-conformity, identification of similarly identified nonconformities, actions to be implemented, and identification of approver and implementer.

    If you need evidence of the actions that follow, at least the following information needs to be recorded:

    • the nature of the nonconformities and actions taken
    • the results of corrective actions performed

    For example, if the nature of the nonconformity is about lack of competence, the proposed action could be training, and the results to be recorded would be certifications, attendance lists, or interviews with employees about the training topic.

    This article will provide you with a further explanation about corrective actions:

    • Practical use of corrective actions for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2013/12/09/practical-use-of-corrective-actions-for-iso-27001-and-iso-22301/

  • Toolkits ISO 27001 & ISO 22301

    1) Where is the documentation concerning A.18 (Compliance)?

    Answer: First of all, sorry for this confusion.

    Documents that cover controls from section A.18 can be found here:
    - documents in the toolkit in folder "02 Procedure for identification of requirements" ("Procedure for Identification of Requirements" and "Appendix – List of Legal, Regulatory, Contractual and Other Requirements")
    - control A.18.1.2 is included in the document IT Security Policy (you'll find it in the toolkit in folder "08 Annex A security controls - A.8 Asset management") in the section "3.15. Copyright".

    In the root folder of the Documentation Toolkit, you'll find a document called "List of Documents" that explains which control/clause is covered by which document, and which documents are mandatory.

    2) What about the Annexes A.1 until A.5?

    Answer: The documents from section A.5 are not missing from the toolkit – you can find them here:
    - A.5 – all the documents from folder "08 Annex A" cover the requirements for information security policies (A.5.1.1 and A.5.1.2)

    It is important to note that not every control needs to be documented, and to avoid unnecessary administrative work the toolkit includes only the mandatory documents plus the most common ones.

    ISO 27001 does not contain annexes A.1 to A.4.

    3) In addition I would like to ask if you deliver training materials about the ordered documentation? I already entered ISO 22301 & ISO 27001.

    Answer: Please note that included in your toolkit you have access to video tutorials that can guide you on how to fill in the most critical documents of the toolkit (e.g., ISMS scope, Information Security Policy, Risk Assessment Table, Risk Treatment Table, etc.). In the email you received when you bought the toolkit you will find information on how to access the video tutorials.

    Included in each template there are also comments to guide you on how to fill in the documents.
