1. In document 04-Information Security Policy, the item "4.4 Business Continuity" of the document index does not appear in the body of the document. Please indicate whether we should remove this point from the index, or whether you will send the text of the missing part?
Please note that section 4.4 is required only in case you are implementing also business continuity.
In case you are not implementing business continuity you can delete this section.
2. For the appointment of the security officer and security committee, do you have a standard document that allows us to draw up the board of directors minutes for the appointment, and for assigning the role or position to the corresponding person, or to an external entity that provides the consulting service?
Please note that ISO 27001 does not prescribe a document for security officer/security committee appointment, so organizations can adopt their usual documents for the appointment of roles.
As models you may evaluate the following documents compliant with EU GDPR, and adjust them to your needs:
Any change in the processes and products influences the quality of the product and possibly safety. Therefore, any change directly influences the quality management system. You can elaborate on how you will manage changes in the Management review procedure, but, as I mentioned in the previous answer, you can make a separate documented procedure.
In “Operating the ISMS” the users identified in the various security policies and procedures need to perform defined activities, generate required records, and perform corrective actions as needed as a consequence of improvements needed in the operation of the ISMS.
In “Monitoring and measuring the ISMS” the users identified in the various security policies and procedures need to collect information about processes and objectives performance and evaluate if expected results are being achieved.
The template Measurement Report, included in your toolkit, in folder 12 Management review, can help you.
In terms of the project team, in both steps project team members need to be ready to support users, by answering their doubts, and evaluating, based on users’ feedback, if documents need adjustments.
Please note that during document review the internal auditor must evaluate if documentation is compliant not only with the standard’s requirements but also with identified risks and opportunities, as well as relevant aspects of organizational context.
For example, in case there is a relevant risk related to documentation being tampered with, the auditor needs to evaluate how the organization considers this in developing and managing the documents.
Regarding the context of the organization, if the business involves regular remote interaction with customers and suppliers, this also needs to be evaluated regarding documents.
This depends on the significance of the change. If the change is life-threatening, this must be done immediately, or within 24 hours. If the change is not significant, then the timeframe is up to two weeks.
8.3.3.3 Development of control and monitoring strategies for special characteristics of products
1 - Following the steps, we first identified the assets and asset owners.
It was quite difficult given the fact that for the same asset, we may have different asset owners.
Should we keep them in separate lines? It's highly possible that there will be a different Risk Owner.
To keep your asset inventory as simple as possible, and in the interest of saving time, you should group the assets whenever possible (as for the asset owner, you should consider the role with the highest hierarchical position among the roles you identified) and keep different lines only when strictly necessary.
2 - Our company develops software and has many different applications. Therefore, the Category of Applications & Databases is quite long (42 lines!). We are trying to merge them as much as possible but struggle because we don't know if and how risky it will be to group them (since there are different asset owners).
For a company of 50 people, we have gone too deep and need to get out before we proceed.
Should we merge per name of asset?
It is better to merge assets by considering the risks related to them. For example, if assets like Microsoft applications and Linux applications have similar risks, then it is better to adopt an asset called “applications” merging all risks.
3 - Should we take into consideration the asset owner?
You should consider the asset owner only as a secondary criterion because the primary reason for merging assets is that they share similar risks.
4 - Can we have more than once the same 'name of asset'?
You should avoid having two or more assets with the same name, to prevent mistakes in defining responsibilities for the assets. You should provide some additional information in the name of the asset to differentiate them (such as “laptop” and “sales laptop”).
5 - Given that the company is relatively small, our CEO can also be an asset owner besides the risk owner. As 'asset owners' we recognised all those who have access to a document, application, infrastructure, is that correct?
Please note that the “asset owner” is the person responsible for ensuring the asset is properly protected (e.g., by defining proper controls to be implemented). Considering that, not all people that have access to an asset are their owners (they need to follow security controls applied to the asset, but do not define such controls).
6 - In addition, our company is located in 2 different countries, with only one of them being in the scope for certification. The other (recognised as a subsidiary) will fully adopt the policies and actions of the mother company. That's why we implement the Risk Assessment, and in general the ISO implementation, simultaneously. All decisions derive from the mother company, and the subsidiary has an Office Manager who will probably be the Risk Owner for most of the assets in his country of responsibility.
Some of our assets are doubled for this reason, for example: Office rooms in country A (one asset) & Office rooms in country B (second asset).
Would you consider it 'too much'?
Please note that you do not need to include in the site to be certified assets from the site that will not be certified. This will only add unnecessary complexity to your implementation. It would be better to develop a separate risk assessment considering only the assets that belong exclusively to the site that will not be certified.
7 - Would you do a screening of our risk assessment table once it's done (Assets, Threats, Vulnerabilities, Risk Owners, Risk Identification)?
Your toolkit includes a review of a defined number of documents, so you can send your risk assessment and we will provide recommendations for implementation if needed.
You should include in your ISMS scope only the assets that you control - e.g., physical servers, software, and data; you should keep out of the scope assets you cannot control - data center building, telecom links, UPS, air conditioning, etc.
You will assess the risks in the following way:
You should perform all those assessments using the Risk Register in Conformio.
So we use the training module in Conformio as a repository for records of all training done for employees of the company. It has no feature other than record keeping.