Search results

Security levels to have in the company

First, it is important to note that ISO 27001 does not prescribe levels of security, only that the information is adequately protected.

In this context, what generally occurs is the definition of information classification levels (eg public, restricted, and confidential), which require an increasing order of resources as the classification of information increases. The specific resources to be used will depend on the outcome of the risk assessment and applicable legal requirements.

For more information, see:

• Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/

As you mentioned initial, medium and advanced levels, I understand that it is also worth mentioning process maturity, which is also not required by the standard, but which can help in the implementation of the information security management system.

For more information, see:

• Achieving continual improvement through the use of maturity models https://advisera.com/27001academy/blog/2015/04/13/achieving-continual-improvement-through-the-use-of-maturity-models/

Defining Scope

The definition of scope depends primarily on the information you want to protect (e.g., customer information, R&D information, financial information, all information, etc.). Based on the information you want to protect you can identify locations, processes, or business units where this information is stored, processed, or flows through to include in your scope.

For example, if you want to protect customer information only, the processes related to cloud management services should be in the ISMS scope.

These articles will provide you a further explanation about scope definition:

• How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
• Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
• Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

These materials will also help you regarding scope definition:

• How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/

Information security in project management

Thanks very much Rhand!

ISO 27001 Lead Auditor course

Both certifications are good and complement each other for a person looking for a career in information security because they offer different perspectives about how information interacts with the business.

ISO 27001 lead auditor focus on auditing information security management. CISA goes beyond auditing the scope of information security, and also consider the audit of strategic relationships between information security and the information systems and business objectives. 

This article will provide you a further explanation about CISA and ISO 27001:

• CISA vs. ISO 27001 Lead Auditor certification https://advisera.com/27001academy/blog/2015/05/11/cisa-vs-iso-27001-lead-auditor-certification/

This material will also help you regarding ISO 27001 Lead Auditor:

• ISO 27001 Lead Auditor Course preparation training [free webinar on demand] https://advisera.com/training/iso-27001-lead-auditor-course/
• Free online training ISO 27001 Lead Auditor Course https://advisera.com/training/iso-27001-lead-auditor-course/

Integrated implementation of ISO/IEC 27001:2018, ISO 9001:2015 and ISO 22301:2012

 ISO 22301, ISO 27001, and ISO 9001 shares many common requirements:

• document control
• internal audit
• management review
• non-conformities and corrective actions

These shared requirements allow an organization to save time and effort when integrating ISO management standards, because you will only have to make minimal adjustments to ensure compliance with common requirements, and you have more time to focus on the specifics of each standard.

Additionally, ISO 27001controls which requires the implementation of business continuity capabilities also can make use of ISO 22301 practices to fulfill these requirements. Of course, to implement ISO 9001 you may also require business continuity capabilities, and it also can benefit from ISO 22301 practices.

This article will provide you a further explanation about integrated systems:

• How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/

This material will also help you regarding an example of integrating systems:

• ISO 27001 & ISO 22301: Why is it better to implement them together? [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/

Security levels to have in the company

Primeiro é importante notar que a ISO 27001 não prescreve níveis de segurança, apenas que a informação seja adequadamente protegida.

Neste contexto, o que geralmente ocorre é a definição de níveis de classificação da informação (Ex.: pública, restrita e confidencial), os quais requerem uma ordem crescente de recursos a medida em que a classificação da informação cresce. Os recursos específicos a serem usados dependerão do resultado do levantamento de riscos e dos requisitos legais aplicáveis.

Para mais informações, veja:

• Classificação da Informação de acordo com a ISO 27001 https://advisera.com/27001academy/pt-br/blog/2014/05/14/classificacao-da-informacao-de-acordo-com-a-iso-27001/

Como você mencionou níveis inicial, médio e avançado, entendo que também vale mencionar maturidade de processos, que também não é requerido pela norma, mas que pode ajudar na implementação do sistema de gestão da segurança da informação.

Para mais informações, veja:

• Atingindo a melhoria continua através do uso de modelos de maturidade https://advisera.com/27001academy/pt-br/blog/2015/04/14/atingindo-a-melhoria-continua-atraves-do-uso-de-modelos-de-maturidade/

BCP Framework following ISO 22301

According to ISO 22301, a Business Continuity Plan must contain:

• Purpose, scope, and users
• Reference documents
• Assumptions
• Roles and responsibilities
• Key contacts
• Plan activation and deactivation
• Communication plan
• Incident response
• Physical sites and transportation
• Order of recovery for activities
• Recovery plans for activities
• Disaster recovery plan
• Required resources
• Restoring and resuming activities from temporary measures

To see how a BCP compliant with ISO 22301 looks like, please access the free demo in this link: https://advisera.com/27001academy/documentation/business-continuity-plan/

This article will provide you a further explanation about BCP content:

• Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/

This material will also help you regarding BCP content:

• Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/

Inlininig procedure for CAPA

This means that, when you detect a nonconformity, first you need to eliminate it, then you need to plan how you will eliminate the cause of this nonconformity. So you need to find out what is the cause of that nonconformity and find out with what actions this cause will be eliminated. When you know your actions, then you need to plan them and document them. If the action requires a change in your documentation, then you should also need to make a change in the proper documentation. Usually, there is a form that covers all elements for properly solving the nonconformity.

Here is the link to the preview of the request form from our ISO 13485:2016 Documentation toolkit:

• Corrective/Preventive Action Request https://advisera.com/13485academy/documentation/correctivepreventive-action-request-iso-13485-2016/

For more information on how to solve corrective action, please see the following articles:

• ISO 13485 continual improvement: Seven-step process for corrective and preventive actions - https://advisera.com/13485academy/knowledgebase/iso-13485-continual-improvement-seven-step-process-for-corrective-and-preventive-actions/
• Seven Steps for Corrective and Preventive Actions to support Continual Improvement https://advisera.com/9001academy/blog/2013/10/27/seven-steps-corrective-preventive-actions-support-continual-improvement/
• How to proceed once a QMS corrective action is defined? https://advisera.com/9001academy/blog/2016/09/20/how-to-proceed-once-qms-corrective-action-is-defined/

In our ISO 13485:2016 Documentation toolkit, you can also see Procedure for corrective action:

• Procedure for Corrective and Preventive Action https://advisera.com/13485academy/documentation/procedure-for-corrective-and-preventive-action-iso-13485-2016/

• Documenting processes

  Put a sheet of scenery paper affixed to a wall. Then, bring together a diverse team of people who as a whole know the company from different perspectives. On one end of the paper put a sticky note saying, "Customer in need" and on the other end put another sticky note saying "Customer served". Then, in a collaborative brainstorming session use sticky notes to describe what happens from "Customer in need" until "Customer served". Follow a rule: each sticky note has a verb + a noun. For example: Receive order; Check order; Confirm order; ...

  When you feel you have already listed the essential activities, try to group them into what will be the organization's processes.

  This technique is described in this free webinar on demand - The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/

  In my example we get this global process map:

  

  Then, for each process, based on the individual sticky notes you can draw a flowchart:

  

  Then, for each process, you can apply the risk-based approach and determine steps that need to be improved, either by changing practices, either by introducing SOPs, or either by introducing new controls.

  Please find an example from the above webinar here:

  

  The following material will provide you more information about the process approach:

  • In this free webinar on demand you can find the basis for determining process control plans - Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/
  • Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
  • I base this book on the process approach - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
     

• Lab requirements for counting plates

  From your question, I assume you are asking specifically what facility and environmental conditions are required for a microbiological laboratory, in terms of ISO 17025 accreditation. As you asked about the room, I will respond with a few requirements related to facilities and environmental conditions, clause 6.3 of ISO 17025:2017. The requirement is that facilities and environmental conditions must be suitable, documented, controlled, monitored, recorded and periodically reviewed. To determine what is suitable for your laboratory, you will need to look at the activities that will take place in the “room” and what regulatory requirements are required, i.e. the context.  

  Remember ISO 17025 is a guideline to assist you achieve competency, impartiality and consistent operations.  The facilities and controls necessary will depend on the type of testing being performed. You will need to do a risk assessment to identify the controls necessary, by considering anything that could lead to a deviation from meeting regulatory and quality requirements. For example high risk micro-organisms may require a negative pressurised room.  Address issues such as hygiene and cleaning protocols, access control, structural layout to provide for separation of activities, as well as equipment needed to minimise cross-contamination  - type of surfaces, ventilation, and suitable class of biosafety cabinets. Facilities should include suitable disposal of waste and sterilisation of materials.

  For further information see the following:
  The article What does ISO 17025:2017 require for laboratory measurement equipment and related procedures? at https://advisera.com/17025academy/blog/2019/07/25/iso-17025-measurement-requirements-of-the-standard/
  ISO 17025 toolkit Facilities and Environmental Condition Procedure at https://advisera.com/17025academy/documentation/facilities-and-environmental-condition-procedure/

  The article Five-step laboratory risk management according to ISO 17025:2017 at https://advisera.com/17025academy/blog/2019/12/05/iso-17025-risk-management-in-five-steps/
  The webinar How to manage risks in laboratories according to ISO 17025 at https://advisera.com/17025academy/webinar/iso-17025-risk-management-how-to-manage-it-free-webinar-on-demand/