Provided that your organization does not have relevant risks or legal requirements (e.g., laws, regulations, or contracts) that require the implementation of change management, it is possible to be certified against ISO 27001 without implementing this control.
These articles will provide you a further explanation about the definition of controls and change management:
Your assumption is correct. The scope of ISO 22301 can be the whole organization or specific services, processes, business units, or locations.
As for the scope for the first certification process, in case you are a small or mid-sized business, up to 500 employees, with only a single location, the best approach is to certify the whole organization (in such cases, the effort to keep the scope separated is not worthwhile).
In other cases, you should consider your business objectives and the most relevant services.
These articles will provide you a further explanation about the scope definition (they are about ISO 27001, but the same concept applies to ISO 22301):
This material will also help you regarding ISO 22301:
SOC 1 deals with controls at a service organization’s internal controls over financial reporting systems, and ISO 27001 is an international standard for information security, with requirements for the implementation of an Information Security Management System (ISMS), and information security controls and information security control objectives to help protect information.
Considering that, ISO 27001 can be used to implement some of the controls defined by SOC 1, but they do not have a direct relation, nor is one required to implement the other.
This article will provide you a further explanation about ISO 27001:
These materials will also help you regarding ISO 27001:
The internal network itself cannot be defined as the ISMS scope. Since the ISMS scope can be defined in terms of locations, business units, or processes, the recommended approach for your case is to define the ISMS scope in terms of the business units or processes that manage the services and systems on this internal network.
For example: "The ISMS scope is the processes/business units related to the management and operation of the following services/systems: <describe the services/systems in this internal network>"
ISO 27001 does not prescribe a way to document a policy, so organizations can do it as best it fits them, provided the documents fulfill the standard's requirements (clause 7.5 - Documented information).
If you want to see how documents compliant with ISO 27001 look, I suggest you take a look at the free demo of our Mobile Device and Teleworking Policy at this link: https://advisera.com/27001academy/documentation/mobile-device-and-teleworking-policy/
These articles will provide you a further explanation about developing documents:
This material will also help you regarding developing documents:
No, you do not need to create a totally new quality manual. The ISO 17025 Quality Manual serves to document the overall Lab Quality Management System, providing a way to reference and link all the requirements together in one place. Your laboratory can implement ISO 17025 according to Option B. You can use your already established ISO 9001:2015 quality management system (and manual) to demonstrate compliance with the requirements for ISO 17025 clauses 8.2 to 8.9. What is important is that processes must be implemented and maintained in a manner that supports and demonstrates the fulfilment of ISO 17025:2017 Clauses 4 to 7 for all your laboratory activities. This means that the way that the processes (8.2 to 8.9) were established, how they are performed, documented and controlled, must include the activities in Clauses 4 to 7. For example, your audit programme must be revised. You will start with a gap evaluation to determine what new processes you need to include, what mandatory documentation and records you need to “add-on” and include in your Quality Manual.
You can download a free Project Plan for ISO/IEC 17025 implementation from the ISO17025 Academy at https://info.advisera.com/17025academy/free-download/project-plan-for-iso-17025-implementation to assist you; as well as preview the ISO 17025 Quality Manual at https://advisera.com/17025academy/iso-17025-documentation-toolkit/
For more information on Option B, see the article Maintaining and improving quality management in laboratories according to ISO 17025:2017 at https://advisera.com/17025academy/blog/2019/08/30/iso-17025-maintenance-and-improvement-in-laboratories/
For more information on the relationship between ISO 9001 and ISO 17025, see the article ISO 17025 vs. ISO 9001 – Main differences and similarities at https://advisera.com/17025academy/blog/2019/07/11/iso-17025-vs-iso-9001-main-differences-and-similarities/
First, it is important to note that ISO 27001 does not prescribe levels of security, only that the information is adequately protected.
In this context, what generally occurs is the definition of information classification levels (e.g., public, restricted, and confidential), which require an increasing order of resources as the classification of information increases. The specific resources to be used will depend on the outcome of the risk assessment and applicable legal requirements.
For more information, see:
As you mentioned initial, medium and advanced levels, I understand that it is also worth mentioning process maturity, which is also not required by the standard, but which can help in the implementation of the information security management system.
For more information, see:
The definition of scope depends primarily on the information you want to protect (e.g., customer information, R&D information, financial information, all information, etc.). Based on the information you want to protect you can identify locations, processes, or business units where this information is stored, processed, or flows through to include in your scope.
For example, if you want to protect customer information only, the processes related to cloud management services should be in the ISMS scope.
These articles will provide you a further explanation about scope definition:
These materials will also help you regarding scope definition:
Thanks very much, Rhand!
Both certifications are good and complement each other for a person looking for a career in information security because they offer different perspectives about how information interacts with the business.
ISO 27001 Lead Auditor focuses on auditing information security management. CISA goes beyond auditing the scope of information security, and also considers the audit of strategic relationships between information security and the information systems and business objectives.
This article will provide you a further explanation about CISA and ISO 27001:
This material will also help you regarding ISO 27001 Lead Auditor: