Search results

ISO 27001 scope

1. We use a third party to provide infrastructure for our product (Installation sits on an AWS Server). On the Scope document, what would we put under “Location” for these servers that are provided by a third party?

Please note that under “Location” you need to include only your premises locations, not those of your providers. Regarding the infrastructure you mentioned, you only need to specify them and explain they are provided by a third party under "Networks and IT infrastructure", so this information can be used during the other phases of the implementation (e.g., risk assessment and risk treatment).

For further information, see:

• How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

2. What would we count as our assets regarding these servers that are provided by a third party? These servers are accessed by our staff to do our work using any laptop that is available to us, provided that the IP is cleared by our CTO to access the servers

The proper approach will depend on the level of control you have over these servers:

• if you need to operate and maintain the servers (i.e., the provider only offers the virtual machines), you should count as assets the servers themselves
• if you only use the servers (i.e., the provider operates and maintains the servers), it is better to count them as a single service

For further information, see:

• Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
• How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

3. Do we need to reference anything from the Third Party provider? Where will it be referenced in the ISMS?

The relation with Third-Party providers should be referenced primarily in the List of legal, regulatory, and contractual requirements, identifying the contracts or agreements signed with them (so the organization is aware of what needs to be considered). They can also be referenced in the risk assessment and risk treatment process (where you can identify relevant risks related to them and define proper treatment).

4. Can you give examples on how regulations, like GDPR, translate into a policy or procedure – like a specific rule in the Information Security Policy Document. I just want to see an example of the wording pattern in a policy where a regulation is referenced.

Please note that legal requirements (e.g., laws, regulations, or contracts) should not be directly translated into policies or procedures (this approach would quickly turn the documents into a mess).

The adopted approach in our toolkit is to list the relevant legal requirements in the List of Legal, Regulatory, Contractual and Other Requirements template, located on folder 02 Identification of Requirements, and from this list, identify which controls from Annex A must be applied (this identification is made in the Statement of Applicability, located on folder 06 Applicability of Controls).

With this approach, aligning the legal requirements with controls first, we ensure that legal requirements that will use the same controls are under the same general text we already developed, compliant with the standard, and you will only need to include specifics (e.g., references to technologies and activities) as needed (the parts of the text that requires customization are identified in the templates).

For example, GDPR article 32 requires companies to use (where appropriate) pseudonymization and encryption of personal data. In this case, controls from section A.10 A.10 Cryptography are applicable, and in the related document, Policy on the Use of Encryption, located on folder 08 Annex A Security Controls >> A.10 Cryptography you only need to specify elements like "Name of the system", "Cryptographic tool", "Encryption algorithm", and "Key size"

5. Let’s say the scope of ISMS for now applies to the Services that we provide that are hosted in a third party provided server. What would be examples to exclude?

Since you are referring only to your provided services, an example of a scope exclusion would be the organization's administrative departments. Since exclusions of the ISMS scope will depend on the organization's objectives, without more detailed information, it is not possible to provide a more detailed answer.

Gap analysis

You can access the ISO 27001 Gap Analysis Tool at this link:  https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/ - however, we do not recommend using it for companies smaller than 500 employees because it would make your implementation unnecessarily complex. The point is, during the implementation of the toolkit (especially during the risk assessment and treatment) you will analyze which controls you have in place, so this is why the Gap analysis is not needed.

This article will provide you a further explanation about Gap analysis:

• ISO 27001 gap analysis vs. risk assessment https://advisera.com/27001academy/knowledgebase/iso-27001-gap-analysis-vs-risk-assessment/

Default legal position around data transfers under German Laws

Germany applies the GDPR which is an EU Regulation with direct application in the EU Member States legislation. Therefore, data transfers are ruled by Articles 44 - 50 GDPR.

Transfers of data are free among the EU countries, while outside EU are subject to some requirements like:

Assessing the infosec requirements for new ict systems

The meaning of assessing information security requirements for new ICT systems is to cover at least these points:

• to identify what the new systems have to provide in terms of information security, so you can make a clear evaluation of the possible solutions
• to ensure the new systems are compatible with the current systems they have to connect to, so security levels are maintained
• to plan for potential compensation controls in case the new systems do not fulfill all requirements

This article will provide you a further explanation about requirements definition:

• How to set security requirements and test systems according to ISO 27001 https://advisera.com/27001academy/blog/2016/01/11/how-to-set-security-requirements-and-test-systems-according-to-iso-27001/

These materials can also help you:

• ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
• ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Is written procedure required for internal Audit if audit is outsourced to outside consultant?

Yes, it is stated in the requirement 8.2.4 Internal audit that the organization must document a procedure that describes the responsibilities and requirements for planning and conducting audits and all necessary reports. Therefore, in your procedure you will describe that you have an outsourced internal audit process, you will describe which criteria that company has to have, how will you communicate with them, how will you plan the internal audits, how consultant company will give you reports, and so on. To summerise, this procedure needs to have all the elements requested by the standard and needs to prove how will you have this process under control. Remember, that no matter that you have outsourced this process, it is your responsibility for it.

The following articles can be of help:

• Five main steps in the ISO 13485:2016 internal audit https://advisera.com/13485academy/knowledgebase/five-main-steps-in-the-iso-134852016-internal-audit/
• How to create a checklist for an ISO 13485 internal audit for your QMS https://advisera.com/13485academy/knowledgebase/how-to-create-a-checklist-for-an-iso-13485-internal-audit-for-your-qms/

Sensitive data requested for refund processing

Article 5 (c) GDPR requires processing personal data according to the principle of data minimization which means that organization shall require as few as possible personal data. However, you should check the privacy notice of the company and their refund policy. Sometimes additional data may be required by antifraud company process or required by law.

Here you can find some information:

• GDPR Article 5 – Principles relating to processing of personal data: https://advisera.com/gdpr/principles-relating-to-processing-of-personal-data/
• Four main questions for obtaining and managing data subjects’ consent under GDPR: https://advisera.com/eugdpracademy/knowledgebase/four-main-questions-for-obtaining-and-managing-data-subjects-consent-under-gdpr/
• Is consent needed? Six legal bases to process data according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/

You may also consider enrolling in this online EU GDPR Foundations Course:

• EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

• NCR tool

  In this kind of situations, you can use a model to help you describe the situation and get ideas about what can help you in promoting change.

  

  Normally, people don’t change just because they don’t want to change. Look for what can motivate them to change and act on what can block the change.

  As an example of anxiety, they may want to be afraid of any finger pointing to individual cases due to a better traceability around nonconformities. As an example of inertia, they may have genuine difficulties in using the NCR tool. Train them on its use.

  Please find below more detailed information:

  • QMS Change Management in 7 steps - https://advisera.com/9001academy/blog/2016/11/29/qms-change-management-in-7-steps/
  • Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
     

• Implementing information security continuity

  1. In ‘06 Statement of Applicability’ > ‘Implementation method’ is [Business Continuity Plan] while In the ‘List of Documents ISO 27001 ISO 22301’ there is marked that
  ’Appendix 6 – Disaster Recovery Plan’ is mandatory document for A.17.1.2.

  The document choice will depend on the ISO standards implemented.

  If you are implementing only ISO 27001, the Disaster recovery document is sufficient to cover the standard requirements. In case you are implementing ISO 22301, of ISO 22301 and ISO 27001 at the same time, you need to use the business continuity plan (please note that the disaster recovery plan is an annex of the BCP).

  For further information, see:

  • Business Continuity Management vs. Information Security vs. IT Disaster Recovery https://advisera.com/27001academy/blog/2017/02/27/business-continuity-management-vs-information-security-vs-it-disaster-recovery/ 

  2. Second, if one should seem that Disaster recovery should be in place in the Company but A.17 Information security aspects of business continuity management are not applicable, should one use only ’Appendix 6 – Disaster Recovery Plan’ to document recovery?

  The purpose of Disaster Recovery Plan is to document how your IT infrastructure is to be recovered, it does not have the purpose of recovery of business parts of the organization. By the way, from our experience, a large majority of companies find controls from section A.17 applicable.

• Cleaning environment with minimal resources

  Implementing an environmental management system is not about solving all environmental problems with a magic trick.
  ISO 14001:2015 is based on the PDCA cycle:

  

  ISO 14001:2015 invites us to invest our scarce resources where their environmental return is bigger. Organizations should not try to solve all problems at the same time, there will never be enough resources and the results will be minimal.

  In the first turning of the cycle, organizations act upon the first set of significant environmental aspects. In a second turning of the cycle, organizations should update the significance classification and update the investment priorities. That way we can ensure the best use of available resources.

  Please check this information below with more detailed answers:

  • Article - Plan-Do-Check-Act in the ISO 14001 standard - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/plan-do-check-act-in-the-iso-14001-standard/
  • Article - Environmental aspect identification and classification - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/environmental-aspect-identification-and-classification/
  • Article - Catalogue of environmental aspects - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/catalogue-of-environmental-aspects/
  • Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
  • Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/

   

• Is IATF 16949 is sufficient to evaluate the QMSs of OEMs?

  1. Do you consider that IATF 16949 is sufficient to evaluate the QMSs of OEMs?

  Yes, IATF 16949:2016 standard is sufficient for customer-specific requirements evaluation due to the IATF 16949: 2016 standard addresses customer-specific requirements at many points.

  2. If so, why are there supplementary audits like VDA6.3 or ASES of Renault-Nissan? Thank you.

  As you know, customer-specific requirement means automotive customer expectations. This issue is addressed in Article 4.3.2 of the IATF 16949: 2016 standard. In addition, in annex B, section’’ Bibliography-supplemental automotive’’ of the same standard, customer-specific requirements of all OEM customers are shown and explained.

  For example, if the organization's customer is VW, in this case, it is stated that it should comply with special requirements such as VDA 6.3-6.4-6.5.

  For more information, please read the following articles:

  • How to define the scope of the QMS according to IATF 16949:2016 https://advisera.com/16949academy/blog/2017/06/28/how-to-define-scope-of-the-qms-according-to-iatf-16949/
  • How to define roles and responsibilities within an IATF 16949-based QMS https://advisera.com/16949academy/blog/2017/11/29/how-to-define-roles-and-responsibilities-within-an-iatf-16949-based-qms/